Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

helm: mandate issuer configuration when using cert-manager to generate certificates #24666

Merged
merged 2 commits into from
Apr 6, 2023
Merged

helm: mandate issuer configuration when using cert-manager to generate certificates #24666

merged 2 commits into from
Apr 6, 2023

Commits on Mar 31, 2023

  1. Revert "Modify helm chart: delete validations for certManagerIssuerRef" 

    This reverts commit bc2ed14.

Currently, in the helm chart, if the cert-manager approach is selected
to generate the hubble and clustermesh certificates but no issuer is
specified, a new issuer is created for each of them, along with a secret
containing the CA information. Still, this approach is currently broken,
since the CA secret which is created does not match the format expected
by cert-manager. At the same time, this might also hide misconfigurations
(e.g., if there is a typo in the issuer configuration) and possibly lead
to different CAs for different components. Hence, let's just stick to
the approach documented in the user guide and make it mandatory to specify
the issuer when cert-manager is used. It is a task of the users (as
unrelated from cilium) to create the appropriate issuer in advance,
according to their own preference.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
    @giorio94
    giorio94 committed Mar 31, 2023
    Configuration menu
    Copy the full SHA
    579bae3 View commit details
    Browse the repository at this point in the history

  2. Revert "helm: ca issuer" 

    This reverts commit 082fa15.

Currently, in the helm chart, if the cert-manager approach is selected
to generate the hubble and clustermesh certificates but no issuer is
specified, a new issuer is created for each of them, along with a secret
containing the CA information. Still, this approach is currently broken,
since the CA secret which is created does not match the format expected
by cert-manager. At the same time, this might also hide misconfigurations
(e.g., if there is a typo in the issuer configuration) and possibly lead
to different CAs for different components. Hence, let's just stick to
the approach documented in the user guide and make it mandatory to specify
the issuer when cert-manager is used. It is a task of the users (as
unrelated from cilium) to create the appropriate issuer in advance,
according to their own preference.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
    @giorio94
    giorio94 committed Mar 31, 2023
    Configuration menu
    Copy the full SHA
    d84bc71 View commit details
    Browse the repository at this point in the history