-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support labelling of cert manager created secrets #566
Comments
we do create annotations (see #388), is this useful for your backup use-case? |
Unfortunately I don't think so; using ark as an example it only supports selecting via labels Backing up everything serves as a workaround, would just be nice to have cert specific backups (Since those are one of few things that can't simply be re-provisioned all at once) |
Here's a quick workaround that I have discovered when attempting to use custom annotations with cert-manager tls secrets:
The resulting secret will be updated to have a real tls.crt and tls.key with the certmanager annotations and your own custom annotations. Hope this helps! |
Cheers @addisonbair, I appreciate the help! Unfortunately we don't centrally control creating certificates so it'd be difficult to create a secret resource in advance for every domain, as we don't know what will be created in advance |
I think we could consider setting labels instead of/as well as annotations on the created resources, although it may have to be a subset of values as there are limitations on label values that do not apply to annotations. Would it help if we were to set a label indicating the Certificate name that the secret is generated for? Something like |
I've tested & Ark supports "Backup resources with label foo regardless of its actual value"; since So it'd definitely help for our use case 👍 |
I'm interested in this along with kubed to synchronize the generated certificates to other namespaces/clusters. kubed requires particular annotations on the secret to work. Can this please be reopened? |
One reason to support labels on the generated secret is to work better with the One solution would be for the A problem with the workaround suggested by @addisonbair is that any pod that uses the secret would start up more eagerly. Aggravates the 'temp cert' issue for programs that don't support hot-refresh. |
Is this a feature that is still under consideration? |
@bitscuit Feature is available by using a secret template on your certificate resources: https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources |
@Evesy thanks, I missed that |
/kind feature
This might play in to #328 a little bit.
Currently secrets generated by cert manager are fairly indistinguishable from other secrets, making it difficult to target those secrets specifically. Use case being we want to backup resources based on labels, and we'd like frequent backups of cert manager secrets (Since we'd hit LE rate limiting if we lost them all.)
Being able to specify a list of labels somewhere that will be applied to secrets generated would be hugely beneficial
i.e.
Argument to cert manager
Certificate spec
Ingress shim
The text was updated successfully, but these errors were encountered: