Missing retry implementation at cainjector #6340
Comments
cainjector watches
Here are the flags:
I will retest the issue on the new release
Here is a reproducible way (sometimes it needs more tries; in that case please manually delete the generated secrets):

Chart.yaml

```yaml
apiVersion: v2
name: issue6340
version: 0.0.0
dependencies:
  - name: ingress-nginx
    version: 4.8.0
    repository: https://kubernetes.github.io/ingress-nginx
  - name: cert-manager
    version: v1.13.0
    repository: https://charts.jetstack.io
```

values.yaml

```yaml
global:
  leaderElection:
    namespace: "default"
ingress-nginx:
  controller:
    admissionWebhooks:
      patch:
        enabled: false
      certManager:
        enabled: true
cert-manager:
  enableCertificateOwnerRef: true
  cainjector:
    extraArgs:
      - --namespace=$(POD_NAMESPACE)
      - --enable-customresourcedefinitions-injectable=false
      - --enable-certificates-data-source=false
      - --enable-apiservices-injectable=false
```

```sh
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.crds.yaml
helm upgrade -i issue6340 .
```
That's why it doesn't work - the ingress webhooks actually use the Certificates data source and you have it disabled. I think it would be better if the ingress webhooks used the Secrets data source (should be just a matter of changing the annotation name and pointing at the I think we should also update our docs to put the
Thanks for figuring it out. I was a bit confused, because at a certain point the Webhook gets the certificate injected. I will upgrade the upstream helm charts to use the Secrets data source. Is there any breaking change by changing the annotation from
The Secrets which are generated by the Certificates need the If you recommend this data source by top, the secret data source should also allow the annotation
Thanks for catching this!
Yes, it would have sometimes worked, but it would not react on
Thanks! I guess the issue can be closed here, since all my questions are answered. The migration to the secret data source will be delayed unless the other annotation is in the secret injection whitelist.
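The mismatch diagnosed in this thread (a webhook annotated for the Certificate data source while cainjector runs with `--enable-certificates-data-source=false`) as a static pre-install check. This is an added example, not code from the issue or from cert-manager; it assumes the cainjector annotation names `cert-manager.io/inject-ca-from`, `cert-manager.io/inject-ca-from-secret` and `cert-manager.io/allow-direct-injection`, and the resource names in the sample input are constructed.

```python
# Added example: flag cainjector annotations that can never be satisfied
# under the given cainjector flags. Not part of the issue or of cert-manager.
CERT_ANNOTATION = "cert-manager.io/inject-ca-from"          # Certificate data source
SECRET_ANNOTATION = "cert-manager.io/inject-ca-from-secret" # Secret data source
ALLOW_ANNOTATION = "cert-manager.io/allow-direct-injection" # required on the Secret
CERTS_OFF = "--enable-certificates-data-source=false"


def check_injection(cainjector_args, webhook_annotations, secrets):
    """Return findings for one webhook configuration.

    cainjector_args:     CLI flags given to cainjector (from values.yaml)
    webhook_annotations: metadata.annotations of the webhook configuration
    secrets:             {"namespace/name": annotations} of Secrets that exist
    """
    findings = []
    cert_ref = webhook_annotations.get(CERT_ANNOTATION)
    secret_ref = webhook_annotations.get(SECRET_ANNOTATION)

    # Case from the thread: annotation targets a Certificate, but cainjector
    # was started with the Certificates data source disabled.
    if cert_ref and CERTS_OFF in cainjector_args:
        findings.append(f"{CERT_ANNOTATION}={cert_ref}: Certificate data source "
                        "is disabled in cainjector, CA will never be injected")
    # Secret data source: the Secret must exist and opt in to direct injection.
    if secret_ref:
        ann = secrets.get(secret_ref)
        if ann is None:
            findings.append(f"{SECRET_ANNOTATION}={secret_ref}: Secret does not exist yet")
        elif ann.get(ALLOW_ANNOTATION) != "true":
            findings.append(f"{SECRET_ANNOTATION}={secret_ref}: Secret lacks "
                            f'{ALLOW_ANNOTATION}: "true"')
    if not cert_ref and not secret_ref:
        findings.append("no cainjector annotation on the webhook")
    return findings


# Constructed sample input mirroring the thread's values.yaml (names are placeholders).
CAINJECTOR_ARGS = ["--namespace=$(POD_NAMESPACE)",
                   "--enable-customresourcedefinitions-injectable=false",
                   CERTS_OFF, "--enable-apiservices-injectable=false"]
WEBHOOK_FROM_CERT = {CERT_ANNOTATION: "default/ingress-nginx-admission"}
WEBHOOK_FROM_SECRET = {SECRET_ANNOTATION: "default/ingress-nginx-admission"}
SECRETS = {"default/ingress-nginx-admission": {}}  # issued by cert-manager, no opt-in

if __name__ == "__main__":
    print(check_injection(CAINJECTOR_ARGS, WEBHOOK_FROM_CERT, SECRETS))
    print(check_injection(CAINJECTOR_ARGS, WEBHOOK_FROM_SECRET, SECRETS))
```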
Describe the bug:
I have a Helm Chart which bundles cert-manager and ingress-nginx. ingress-nginx has an option to use cert-manager for managing the certificates between the ValidatingWebhook and the webhook endpoint.
https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml
https://github.com/kubernetes/ingress-nginx/blob/06c64bf5672ed7167f0c030b750ec9062bc86c83/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml#L10C5-L10C35
On installation, cainjector tries to inject the CA too early. cainjector does not observe the status of the certificate itself. cainjector tries to find the certificate and fails because the secret is not present.
However, after a minute the secret is present because cert-manager processes the certificate and the certificate gets ready. But cainjector never retries to re-inject the CA secret.
A manual restart of cainjector is required to solve this issue. After the restart, cainjector does not have any issues injecting the secret.
Expected behaviour:
cainjector should observe the certificate status and should inject the secret once it's ready/completed.
Steps to reproduce the bug:
Please let me know if I should provide a way to reproduce. It may take some time.
Anything else we need to know?:
Logs
Environment details:
/kind bug