docs: fix user/tls-cert-manager Issuer/ClusterIssuer #1473
Based on feedback from @irbekrm of cert-manager. Signed-off-by: Tommie Gannert <tommie@gannert.se>
Codecov Report
@@ Coverage Diff @@
## main #1473 +/- ##
==========================================
+ Coverage 61.65% 61.67% +0.01%
==========================================
Files 79 79
Lines 11490 11490
==========================================
+ Hits 7084 7086 +2
+ Misses 3947 3945 -2
Partials 459 459
Thanks for writing the awesome tutorial and thanks for making the changes @tommie !
I've added a nit.
Apart from that I have two optional suggestions:
- We really don't recommend using self-signed issuer for any other case except for quick testing of things and for bootstrapping a root CA cert. In our own example setups we typically use a selfsigned issuer to issue a CA cert for a CA issuer that can then be used to issue certs for applications like so. I understand that you may not want to make the setup too complex here, but perhaps would be nice to add an additional warning that the self signed issuer should not be used beyond a quick test of things.
- In the garbage collection section it mentions that Certificates will be garbage collected when Secrets are removed - this is not quite the case, for gateway-shim/ingress-shim they will be deleted because if the relevant TLS block has been removed from Gateway or Ingress. If a Secret was deleted (i.e. by a user) that is referenced by a Certificate, cert-manager would actually re-create the Secret.
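The bootstrapping pattern described in the review comment above, sketched as an added example (not part of the original thread and not taken from either project's documentation). All resource names are hypothetical, and the `cert-manager` namespace assumes a default installation where that is the cluster resource namespace:

```yaml
# Step 1: a SelfSigned issuer used only to bootstrap the root CA certificate.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-bootstrap        # hypothetical name
spec:
  selfSigned: {}
---
# Step 2: the root CA certificate, signed by the bootstrap issuer.
# isCA: true marks the resulting certificate as a CA certificate.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-root-ca             # hypothetical name
  namespace: cert-manager           # assumed cluster resource namespace
spec:
  isCA: true
  commonName: example-root-ca
  secretName: example-root-ca-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-bootstrap
    kind: ClusterIssuer
    group: cert-manager.io
---
# Step 3: a CA issuer backed by the root CA Secret. Application
# certificates reference this issuer, not the self-signed one.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: example-ca-issuer           # hypothetical name
spec:
  ca:
    secretName: example-root-ca-secret
---
# Step 4: an application certificate issued by the CA issuer.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-app-tls             # hypothetical name
  namespace: default
spec:
  secretName: example-app-tls
  dnsNames:
    - app.example.com               # constructed sample hostname
  issuerRef:
    name: example-ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io
```

With this layout, clients only need to trust the single root CA certificate, whereas certificates issued directly by a SelfSigned issuer each have to be trusted individually.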
Incorporate additional feedback from @irbekrm. Signed-off-by: Tommie Gannert <tommie@gannert.se>
Yes, I want something that is simple to start with. selfSigned has no configuration, and doesn't require access to external services, which makes it an ideal thing to start with. Difficult to screw up. I've added a note.
Nice catch. Updated.
Thanks for making the changes! Looks great from cert-manager perspective 😄 /lgtm