Comments (4)
Thanks @SgtCoDFish for correcting / improving the documentation on this.
I spent some time today figuring out the Kyverno solution to this as well.
If you absolutely want to avoid referencing the same secretName from two Certificates, here is an example ClusterPolicy that can do that. I have done some simple tests, but do your own testing to validate.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: limits
spec:
  validationFailureAction: Enforce
  rules:
    - name: limit-secretname-refs
      match:
        any:
          - resources:
              kinds:
                - Certificate
              operations:
                - CREATE
                - UPDATE
      context:
        - name: certCount
          apiCall:
            urlPath: "/apis/cert-manager.io/v1/namespaces/{{request.namespace}}/certificates"
            jmesPath: "items[].spec.secretName"
      validate:
        message: "Only one Certificate is allowed to reference Secret: {{ request.object.spec.secretName }}"
        deny:
          conditions:
            any:
              - key: "{{ request.object.spec.secretName }}"
                operator: AnyIn
                value: "{{ certCount }}"
```
Example usage:
```console
> k apply -f ts-cert-1.yaml
certificate.cert-manager.io/ts-cert-1 created
> k apply -f ts-cert-2.yaml
Error from server: error when creating "ts-cert-2.yaml": admission webhook "validate.kyverno.svc-fail" denied the request:
resource Certificate/kyverno-secretname/ts-cert-2 was blocked due to the following policies
limits:
limit-secretname-refs: 'Only one Certificate is allowed to reference Secret: another-secret-cert'
```
I will close this out as resolved on the assumptions:
- There will be no baked in solution to v1.12.X
- You can avoid conflicts in templating / usage
- There is another workaround above ^
from cert-manager.
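The following is an added example, not code from the thread or from the Kyverno or cert-manager projects: an offline Python simulation of the rule's decision logic, so the check can be reasoned about without a cluster. The `EXISTING_CERTS` mapping is constructed sample data standing in for the apiCall response, and the simulation also goes one step further than the policy above by excluding the Certificate being updated from the comparison set on UPDATE (the API listing already contains that object, so its own unchanged secretName would otherwise match itself).

```python
"""Simulation of the 'limit-secretname-refs' Kyverno rule (added example).

Mirrors the rule: collect spec.secretName of every Certificate in the request's
namespace, then deny when the incoming object's secretName is already in that
list (the AnyIn operator). Namespace scoping comes from the urlPath.
"""

# Constructed stand-in for what the apiCall to
# /apis/cert-manager.io/v1/namespaces/<ns>/certificates would return.
EXISTING_CERTS = {
    "kyverno-secretname": [
        {"metadata": {"name": "ts-cert-1"}, "spec": {"secretName": "another-secret-cert"}},
        {"metadata": {"name": "web-cert"}, "spec": {"secretName": "web-tls"}},
    ],
    "other-ns": [
        {"metadata": {"name": "api-cert"}, "spec": {"secretName": "another-secret-cert"}},
    ],
}


def referenced_secret_names(namespace, exclude_name=None):
    """Equivalent of jmesPath 'items[].spec.secretName' for one namespace,
    optionally leaving out one Certificate by name."""
    return [
        cert["spec"]["secretName"]
        for cert in EXISTING_CERTS.get(namespace, [])
        if cert["metadata"]["name"] != exclude_name
    ]


def validate(operation, namespace, cert):
    """Return (allowed, message) the way the rule would for one admission request."""
    if operation not in ("CREATE", "UPDATE"):
        return True, "rule does not match this operation"
    name = cert["metadata"]["name"]
    secret = cert["spec"]["secretName"]
    # On UPDATE the object itself is already in the listing; ignore it so an
    # unchanged secretName does not collide with itself.
    taken = referenced_secret_names(namespace, exclude_name=name if operation == "UPDATE" else None)
    if secret in taken:  # the AnyIn condition
        return False, f"Only one Certificate is allowed to reference Secret: {secret}"
    return True, "allowed"
```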
I think we documented this as a known issue for https://github.com/cert-manager/cert-manager/releases/tag/v1.12.6 and then it's not documented further - maybe we should add a note about this to all future 1.12.x versions.
If I remember correctly, backporting was going to take a lot of effort because of architectural changes between 1.12 and 1.13.
Thanks @SgtCoDFish for the info. I was looking purely on the website for changes around this but did not see it.
I can see it in GitHub as you linked.
But there is nothing about the issue on the releases page for v1.12 here: https://cert-manager.io/docs/releases/release-notes/release-notes-1.12#v1126
This raises another concern about what Long Term Support (LTS) means, but perhaps that's for an in-person call / discussion. To take action here, a PR to the cert-manager website referring to the bug would help others.
Strategies for avoiding spec.secretName collisions outside of cert-manager?
- Perhaps a Kyverno policy might have the option to introspect the environment?
- Default the value based on the certificate name so you would end up copying over a cert instead, which might highlight the problem more quickly?
I've raised cert-manager/website#1477 to rework these docs, because I agree they weren't super clear! I'm not really sure on what might be the best way to handle this outside of cert-manager - if it's possible to do a kyverno thing that sounds great but I don't have a lot of bandwidth atm!