Comments (2)
https://cert-manager.io/docs/usage/csi-driver/#why-use-csi-driver could be an alternative for the use case of:
> The same cert-manager installation is then used for dynamically provisioning mTLS Certificates for various internal microservices from an internal CA. Instances of the microservices may come and go, and so their Certificates are deleted as they are. But over time Secrets are then accumulating in Namespaces and require scripting / automating their cleanup to avoid etcd storage issues, affecting Secret watchers, etc. Enabling the CLI option for cert-manager could solve this, but then the Ingress Certificates would also be automatically cleaned up, which is undesirable.
depending on the specifics.
Though, yet another CSI driver on a cluster has a few extra downsides IMO:
- Another DaemonSet means more processes, and if you have to set resource requests / limits you might be eating memory / CPU reservation space on your machines (though requests of 0 might be fine).
- If you are writing an operator that integrates with cert-manager, you have added another component dependency for your operator's users. Daemon components require extra scrutiny from enterprise platform and security teams, and might be a blocker for operator installation.
Hey, thanks for opening this. @RomanenkoDenys and I tried adding the new field `cleanupPolicy` 2 years ago. There was enough maintainer buy-in (although not a complete consensus on the problem statement), but we weren't able to finish it. I think time was lacking.
What's interesting in your description is that you are bringing new use-cases that I hadn't written in the design I had started (#5324):
- On one side, it is important to keep Let's Encrypt secrets around just in case,
- But on the other side, as you pointed out, mTLS without csi-driver is painful due to the secrets piling up.
I think the next step for this new feature would be to write a design document. You can create a new PR and re-use any part you like from #5324 as a starting point. The question that the design should answer most importantly is "what's the problem".
The lack of a good problem statement is what made me struggle to gain consensus among maintainers. The biggest question that this design needs to answer is: why would you not want to install cert-manager-csi-driver, or, differently said, why is csi-driver a problem in some clusters? You said:
> Another DaemonSet means more processes, and if you have to set resource requests/limits you might be eating memory/CPU reservation space on your machines (though requests of 0 might be fine).
Is that the reason you prefer not to install csi-driver? I'd like to understand this problem better, especially since csi-driver will most probably have a reasonable CPU request and low memory request/limit, as it only watches certificate requests.
> If you are writing an operator that integrates with cert-manager, you have added another component dependency on the users of your operator.
I'd like to know more; @SpectralHiss @hawksight have you also noticed that cert-manager csi-driver is a no-go for enterprise users?
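Both comments above circle the same tension: the issue wants orphaned mTLS Secrets gone, but cert-manager's cluster-wide `--enable-certificate-owner-ref` option would also garbage-collect Let's Encrypt Secrets that people deliberately keep. Until a `cleanupPolicy` field exists, the "scripting / automating their cleanup" the issue mentions can be made selective by issuer. The script below is an added example for this thread, not cert-manager's own code: it reads the annotations cert-manager writes on the Secrets it manages (`cert-manager.io/certificate-name`, `cert-manager.io/issuer-kind`, `cert-manager.io/issuer-name`), keeps any Secret whose Certificate still exists in the same namespace, keeps everything issued by issuers not on the cleanup list, and prints delete commands for the rest rather than deleting directly. The issuer names (`internal-ca`, `letsencrypt-prod`), namespaces and object names are assumptions for the example, and the sample data is constructed to stand in for `kubectl get ... -o json` output.

```python
"""Selective cleanup of orphaned cert-manager Secrets.

Example code added for this thread, not cert-manager's own. A Secret is a
deletion candidate only if cert-manager annotated it, its issuer is on the
cleanup list, and no Certificate with the annotated name exists in the
Secret's namespace. Everything else (Let's Encrypt certs, app Secrets) stays.
"""
import json
import subprocess

# Annotations cert-manager writes on every Secret it manages.
CERT_NAME = "cert-manager.io/certificate-name"
ISSUER_NAME = "cert-manager.io/issuer-name"
ISSUER_KIND = "cert-manager.io/issuer-kind"

# Issuers whose orphaned Secrets may be deleted (assumed name for the example).
CLEANUP_ISSUERS = {("ClusterIssuer", "internal-ca")}


def existing_certificates(cert_items):
    """Set of (namespace, name) for every Certificate object."""
    return {(c["metadata"]["namespace"], c["metadata"]["name"]) for c in cert_items}


def orphaned_secrets(secret_items, cert_items, issuers):
    """Return sorted (namespace, secret-name) pairs that are safe to delete."""
    live = existing_certificates(cert_items)
    orphans = []
    for s in secret_items:
        meta = s["metadata"]
        ann = meta.get("annotations") or {}
        cert = ann.get(CERT_NAME)
        if cert is None:
            continue  # not managed by cert-manager; never touch it
        if (ann.get(ISSUER_KIND), ann.get(ISSUER_NAME)) not in issuers:
            continue  # e.g. Let's Encrypt-issued Ingress certs: keep them
        if (meta["namespace"], cert) in live:
            continue  # Certificate still exists, so the Secret is in use
        orphans.append((meta["namespace"], meta["name"]))
    return sorted(orphans)


def delete_commands(orphans):
    """One kubectl command per orphan, so the list can be reviewed before running."""
    return [f"kubectl -n {ns} delete secret {name}" for ns, name in orphans]


def load_from_cluster():
    """Live mode: read Secrets and Certificates via kubectl (needs list RBAC on both)."""
    def get(resource):
        out = subprocess.check_output(["kubectl", "get", resource, "-A", "-o", "json"])
        return json.loads(out)["items"]
    return get("secrets"), get("certificates.cert-manager.io")


# Constructed sample data standing in for `kubectl get ... -A -o json` items.
def _secret(ns, name, ann=None):
    return {"metadata": {"namespace": ns, "name": name, "annotations": ann}}


SAMPLE_CERTIFICATES = [
    {"metadata": {"namespace": "payments", "name": "svc-b"}},
]
SAMPLE_SECRETS = [
    # microservice instance that is gone: Certificate deleted, Secret left behind
    _secret("payments", "svc-a-tls",
            {CERT_NAME: "svc-a", ISSUER_KIND: "ClusterIssuer", ISSUER_NAME: "internal-ca"}),
    # live microservice: its Certificate still exists
    _secret("payments", "svc-b-tls",
            {CERT_NAME: "svc-b", ISSUER_KIND: "ClusterIssuer", ISSUER_NAME: "internal-ca"}),
    # orphaned too, but Let's Encrypt-issued: deliberately kept
    _secret("ingress", "shop-tls",
            {CERT_NAME: "shop", ISSUER_KIND: "ClusterIssuer", ISSUER_NAME: "letsencrypt-prod"}),
    # ordinary application Secret with no cert-manager annotations
    _secret("payments", "db-password"),
]

if __name__ == "__main__":
    # Swap SAMPLE_* for load_from_cluster() to run against a real cluster.
    for cmd in delete_commands(orphaned_secrets(SAMPLE_SECRETS, SAMPLE_CERTIFICATES, CLEANUP_ISSUERS)):
        print(cmd)  # kubectl -n payments delete secret svc-a-tls
```

Printing commands instead of deleting is intentional: the service account running this needs list access to every Secret in the cluster, so keeping it read-only and piping the output through a human (or a narrowly scoped job) limits the blast radius if the issuer filter is misconfigured.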