Race Condition: Cert-Manager Generates Endless Certificate Requests on Openshift #6988
Comments
cert-manager Operator for Red Hat OpenShift is not officially distributed by the cert-manager team.
Hello @inteon, so it doesn't have anything to do with OpenShift Cert-Manager Operator.
Thank you for that extra information. Do you have a minimal example that we can use to reproduce the issue (preferably one on a non-OpenShift cluster)?
@ykoer it appears from the OpenShift docs that OpenShift has another controller somewhere that creates the certificate key pair for you and injects it into a secret you specify in the service annotation. What you are doing on top of this is to then apply a If that is the case this probably isn't a good pattern. Just as it is not good to have two Please let me know if I am missing something there. Also to @inteon's point, is the OpenShift controller doing the initial creation installer available to install in vanilla k8s clusters. Just running OpenShift environments can be difficult and time consuming to replicate issues.
@hawksight yes, that's correct. My concern is that it could potentially lead to a disaster if someone mistakenly uses the same secret name in the certificate resource. @inteon, @hawksight
Hey @ykoer, thanks for the super detailed instructions for reproducing the issue! The OpenShift team seems to be investigating something close to this in CM-121: "Investigate how to replace Serving certificates generated internally to those generated by cert-manager, which is a Day 2 Operator". @TrilokGeer Does this issue relate to what you are working on? Thanks!
Describe the bug:
I've encountered some kind of certificate request race condition when I reference an already existing secret that was created by OpenShift's Service-Serving-Certificate. Cert-Manager generates a new certificate request every few seconds until I delete the certificate resource. I could reproduce the issue with the self-signed cluster issuer as well.
Steps to reproduce the bug:
The annotation is responsible for creating a secret with tls.key and tls.crt, where the subject is CN=test-service.default.svc
You should see a new request every few seconds
watch kubectl get crs
Environment details:
/kind bug
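A pre-flight check for the collision this report describes, added here as an example and not code from cert-manager or OpenShift: it flags any cert-manager Certificate whose spec.secretName is also the target of a Service's serving-cert annotation, so two controllers never end up writing the same Secret. It assumes the OpenShift annotation key `service.beta.openshift.io/serving-cert-secret-name` (the report does not name the annotation) and takes as input the `items` arrays of `kubectl get svc -A -o json` and `kubectl get certificates.cert-manager.io -A -o json`.

```python
"""Flag cert-manager Certificates that target a Secret already managed by
OpenShift's service-serving-certificate controller (two writers, one Secret)."""

# Assumed annotation keys (not named in the report); the legacy alpha key is
# included because older clusters still honour it.
SERVING_CERT_ANNOTATIONS = (
    "service.beta.openshift.io/serving-cert-secret-name",
    "service.alpha.openshift.io/serving-cert-secret-name",
)


def serving_cert_secrets(services):
    """Map (namespace, secretName) -> Service name for every annotated Service."""
    owned = {}
    for svc in services:
        meta = svc.get("metadata", {})
        annotations = meta.get("annotations") or {}
        for key in SERVING_CERT_ANNOTATIONS:
            secret = annotations.get(key)
            if secret:
                owned[(meta.get("namespace", "default"), secret)] = meta["name"]
    return owned


def find_secret_conflicts(services, certificates):
    """Return [(namespace, secretName, certificateName, serviceName)] for each
    Certificate whose secretName a Service annotation also claims."""
    owned = serving_cert_secrets(services)
    conflicts = []
    for cert in certificates:
        meta = cert.get("metadata", {})
        key = (meta.get("namespace", "default"), cert.get("spec", {}).get("secretName"))
        if key in owned:
            conflicts.append((key[0], key[1], meta["name"], owned[key]))
    return conflicts


# Constructed sample objects shaped like `kubectl get ... -o json` items;
# the first Certificate reuses the Service's secret name, as in the report.
SAMPLE_SERVICES = [
    {"metadata": {"name": "test-service", "namespace": "default",
                  "annotations": {SERVING_CERT_ANNOTATIONS[0]: "test-service-tls"}}},
]
SAMPLE_CERTIFICATES = [
    {"metadata": {"name": "test-service", "namespace": "default"},
     "spec": {"secretName": "test-service-tls", "issuerRef": {"name": "selfsigned", "kind": "ClusterIssuer"}}},
    {"metadata": {"name": "other", "namespace": "default"},
     "spec": {"secretName": "other-tls", "issuerRef": {"name": "selfsigned", "kind": "ClusterIssuer"}}},
]

if __name__ == "__main__":
    for ns, secret, cert, svc in find_secret_conflicts(SAMPLE_SERVICES, SAMPLE_CERTIFICATES):
        print(f"{ns}/{secret}: Certificate {cert} and Service {svc} both manage this Secret")
```

Any line it prints is a Secret with two owners; give the Certificate a different secretName (or drop the annotation) before cert-manager and the OpenShift controller start overwriting each other.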