don't install certificate watchers unless cert-manager exists #35578

Merged
doy-materialize merged 1 commit into MaterializeInc:main from doy-materialize:push-kokyulllrvqk
Mar 20, 2026

@doy-materialize
Contributor

Motivation

potential fix for https://github.com/MaterializeInc/database-issues/issues/11225 - it at least clears up the 404 errors, not entirely clear if those were actually the cause of the slowdown, but even if not it'll make it easier to dig further if necessary

Description

we were unconditionally setting up watchers for Certificate resources on our custom resource controllers since those controllers can sometimes create Certificate resources, but if we are running in an environment which doesn't use certificates, cert-manager might not be installed at all, causing an error when we try to set up a watcher for its resources.

Verification

ran bin/mzcompose --find orchestratord run documentation-defaults locally with this change and it appeared to work correctly.

@github-actions

Thanks for opening this PR! Here are a few tips to help make the review process smooth for everyone.

PR title guidelines

  • Use imperative mood: "Fix X" not "Fixed X" or "Fixes X"
  • Be specific: "Fix panic in catalog sync when controller restarts" not "Fix bug" or "Update catalog code"
  • Prefix with area if helpful: compute: , storage: , adapter: , sql:

Pre-merge checklist

  • The PR title is descriptive and will make sense in the git log.
  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).


let crd_api: Api<CustomResourceDefinition> = Api::all(client.clone());
let crds = crd_api.list(&ListParams::default()).await?;
let has_cert_manager = crds
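
Review bot: `crd_api.list(&ListParams::default()).await?` fetches every CustomResourceDefinition in the cluster to answer a yes/no question, and the `?` means a failed list (for example, a service account without cluster-wide `list` on CRDs) aborts the enclosing setup instead of falling back to "no cert-manager". Consider looking up only the Certificate CRD by name, e.g. with `Api::get_opt`, so the controller needs `get` on one object rather than `list` on all of them, and treat a missing CRD as `has_cert_manager = false`. If the full list stays, the added RBAC requirement should be documented next to this check, along with a log line recording which branch was taken, since the decision is made once and the rest of the `has_cert_manager` expression is not visible here.
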
Contributor

if cert manager gets installed at the same time / later, will this never try to watch resources?

Contributor Author

yeah, although that's easy enough to fix by just bouncing orchestratord, and the only impact of that is that if you try to manually edit an orchestratord-created certificate, it won't automatically revert the edit, which is not a particularly big deal

@doy-materialize doy-materialize merged commit 9051d99 into MaterializeInc:main Mar 20, 2026
128 checks passed