New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix keyrotation warning #5199
Fix keyrotation warning #5199
Conversation
…has changed Signed-off-by: irbekrm <irbekrm@gmail.com>
@@ -60,7 +60,7 @@ func PrivateKeyMatchesSpec(pk crypto.PrivateKey, spec cmapi.CertificateSpec) ([] | |||
func rsaPrivateKeyMatchesSpec(pk crypto.PrivateKey, spec cmapi.CertificateSpec) ([]string, error) { | |||
rsaPk, ok := pk.(*rsa.PrivateKey) | |||
if !ok { | |||
return []string{"spec.keyAlgorithm"}, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
these are probably leftover from alpha/beta structure when the privateKey
field did not exist yet
69f2a88
to
a56068f
Compare
Signed-off-by: irbekrm <irbekrm@gmail.com>
a56068f
to
bb124a0
Compare
/milestone v1.9 |
/test pull-cert-manager-e2e-v1-24 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
/hold
I think this seems an obvious win and changing the error to reasonCannotRegenerateKey
makes sense.
I think there's a small chance someone might be filtering logs based on the old error code specifically, right, making this a change in behaviour?
I think that's totally reasonable, but would it be worth maybe adding a release note to this PR just noting the change?
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: irbekrm, SgtCoDFish The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Thanks @SgtCoDFish and thanks for the xkcd 😄 I've added a release note |
/hold cancel |
This PR improves the warning that is thrown when a user has changed some key size or algorithm in
Certificate
's spec, but cert-manager is unable to regenerate the private key because.spec.rotationPolicy
is set toNever
or is unset.At the moment user would see this warning on cert's spec:
I have changed it to:
(maybe too verbose?)
Fixes #5183
I have also considered that perhaps we could simply recreate the key in this case, however this would be a change in behaviour. At the moment the description of
cert.spec.privateKey.rotationPolicy
does explicitly state that user intervention is required if a key spec field has changed, but the policy is not 'Always'/kind cleanup