Describe the bug:
We enabled the cert-manager ServerSideApply feature gate in our clusters some time ago (months). While this has been working perfectly fine, I notice that resources' managedFields seem incorrect. This is not an immediate issue, but could get problematic if some fields transition to unset as the desired state.
One random example (irrelevant fields omitted for clarity) is below. It seems like all/most cert-manager resources are affected, so this is a generic issue.
Expected behaviour:
No managedFields with any cert-manager component as manager has operation: Update
Steps to reproduce the bug:
I am not sure if this is a complete reproducer, but I would expect it to be:
Install cert-manager with default options.
Create a Certificate and wait for it to be fully reconciled.
Enable cert-manager ServerSideApply feature gate.
Wait for the existing Certificate to be fully reconciled - ideally also renewed.
Anything else we need to know?:
I suspect #6364 to be related, but it might also not be. Anyway, it shows the kind of issues that may arise if this bug remains unfixed.
I would be happy to submit a PR to fix this, but first I think we need to discuss the details of the preferred approach to fix it. After migrating some of our own operators from CSA to SSA, I would like to use K8s client-go UpgradeManagedFields helper - which is used by kubectl to perform the same task. After kubernetes/kubernetes#123484 it is also possible to upgrade managed fields for the status subresource.
Environment details:
Kubernetes version: 1.27 (OpenShift 4.14)
Cloud-provider/provisioner: on-prem
cert-manager version: 1.14.5
Install method: e.g. helm/static manifests: Helm as master, but inflated to manifests and installed using kustomize.
/kind bug
Hi @erikgb,
Indeed, it seems like cert-manager does not clean up the managedFields very well.
However, I think the managedFields that you show in this PR would not cause any problems, right?
As far as I understand, the Ready condition's ownership is shared between the Apply and Update operation.
This will probably only result in an issue/bug if we were to remove the Ready condition, which is something that cert-manager does not do (I think).
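A check for the ownership state discussed in this thread, as an added example that is not part of the issue or of cert-manager's code: it reads a resource's metadata.managedFields and reports every leaf field owned both by an Update entry and by an Apply entry of managers sharing a name prefix. The manager names, the "cert-manager" prefix and the sample JSON are constructed assumptions; only the Go standard library is used.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed managedFields sample; the manager names are assumptions.
const sample = `[{"manager":"cert-manager-certificates-readiness","operation":"Apply","subresource":"status","fieldsV1":{"f:status":{"f:conditions":{"k:{\"type\":\"Ready\"}":{"f:status":{},"f:reason":{}}}}}},
{"manager":"cert-manager-controller","operation":"Update","subresource":"status","fieldsV1":{"f:status":{"f:conditions":{"k:{\"type\":\"Ready\"}":{"f:status":{}}},"f:revision":{}}}},
{"manager":"kubectl-client-side-apply","operation":"Update","fieldsV1":{"f:spec":{"f:dnsNames":{}}}}]`

// leaves flattens a fieldsV1 tree into leaf paths, recording owner for each path.
func leaves(raw json.RawMessage, path, owner string, out map[string]string) {
	var node map[string]json.RawMessage
	if json.Unmarshal(raw, &node) != nil || len(node) == 0 {
		out[path] = owner // empty object or non-object: this path is a leaf
	}
	for k, v := range node {
		leaves(v, path+"/"+k, owner, out)
	}
}

// LeftoverUpdates lists leaf paths co-owned by prefixed Update and Apply entries.
func LeftoverUpdates(managedFields, prefix string) (shared []string, err error) {
	var entries []struct {
		Manager, Operation, Subresource string
		FieldsV1                        json.RawMessage
	}
	if err = json.Unmarshal([]byte(managedFields), &entries); err != nil {
		return nil, err
	}
	sets := map[string]map[string]string{"Apply": {}, "Update": {}}
	for _, e := range entries {
		if set := sets[e.Operation]; set != nil && strings.HasPrefix(e.Manager, prefix) {
			leaves(e.FieldsV1, e.Subresource, e.Manager, set) // paths start with the subresource
		}
	}
	for p, updater := range sets["Update"] {
		if applier, ok := sets["Apply"][p]; ok && strings.Contains(p, "/") {
			shared = append(shared, updater+" (Update) and "+applier+" (Apply) both own "+p)
		}
	}
	sort.Strings(shared)
	return shared, nil
}

func main() { fmt.Println(LeftoverUpdates(sample, "cert-manager")) }
```

To run it against a live object, pass the JSON array found under metadata.managedFields of the resource instead of the constructed sample.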