Comments (4)
Poor12
commented on May 21, 2024
1
Thanks for explanation. I will try to use another way to fix it and be glad to share some best practice where gatekeeper is used in multicluster or off-cluster.
from cert-controller.
Poor12
commented on May 21, 2024
from cert-controller.
adrianludwin
commented on May 21, 2024
This sounds like a fairly specialized case that cert-controller isn't
really designed to handle. Is cert-manager able to handle that usecase?
IMO, cert-controller is designed for fairly simple applications - we don't
really have the expertise to develop multicluster (or out-of-cluster)
features, let alone test them reliably to ensure those features keep
working. But others might disagree with me.
…On Sat, Apr 23, 2022 at 11:11 PM Tiecheng Shen ***@***.***> wrote:
cc @maxsmythe <https://github.com/maxsmythe> @adrianludwin
<https://github.com/adrianludwin>
—
Reply to this email directly, view it on GitHub
<#41 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AE43PZBKNF2MQYXQFZ34LWDVGS3URANCNFSM5UFR3QDA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
from cert-controller.
maxsmythe
commented on May 21, 2024
cert-controller is mainly a way to avoid dependencies on 3rd party certificate management systems for dev/test/release and simple deployments. More complex cases will likely need to disable cert controller and figure out a solution that works for their specific use case.
WRT checking the contents of the secret...
The reason for checking the contents of the folder is because that is where the private key used by the webhook server is read from (it signs the webhook response, which is verified by the public key in the VWH config), so that folder being populated is necessary for the webhook to begin serving.
In this case, it's probably easiest to disable cert-controller and have something else handle generating certs and making sure the contents of the VWH config and webhook server secret folder are in sync (a K8s secret may not be necessary when running off-cluster, especially if there is nothing handling mounting the secret contents to a folder like there would be on K8s).
from cert-controller.
Related Issues (20)
- Failed to wait for cert-rotator caches to sync in non-leader elected instances HOT 2
- Use "Get" by secret resourcename than "Watch" on all secrets. HOT 1
- Document the certificate generation and rotation execution flow
- Allow supporting both the new and old key in the webhook configs during key rotation
- Use 1 secret per webhook pod to store the public/private key pairs
- Allow for coordinated rotation of keys across multiple pods
- Add config options to control validity duration for generated certs
- What should the default cert validity duration be? HOT 1
- Need tag v0.2.0 for controller-runtime v0.7.0+ with go.mod HOT 1
- Delay when the certs are mounted and available for use HOT 8
- Create a new release that supports K8s 1.22+ HOT 4
- rotator.AddRotator doesn't exit when the process is terminated HOT 1
- Recommended way to configure/run in multi-replica setting HOT 2
- Configure certificate validity duration
- Question on usefulness of RestartOnSecretRefresh
- Downtime after a caBundle until Secret propagation to pod HOT 12
- Support multiple dnsNames HOT 4
- Ready channel is never signaled on non-leaders HOT 3
- Add support for the Gatekeeper External Data Provider HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cert-controller.