
Support configuration via operator subscription #4410

Closed
jawnsy opened this issue Aug 25, 2021 · 17 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@jawnsy

jawnsy commented Aug 25, 2021

Is your feature request related to a problem? Please describe.

The OpenShift installer configures split-horizon DNS with internal (private) and external (public) parts. After configuring the DNS01 challenge, cert-manager checks the default DNS to wait for the record to propagate, which happens to be the internal DNS, and the DNS is never resolvable, since cert-manager added the entry to the external (public) DNS records.

cert-manager added a command-line option for the DNS server to use for this check, but this can only be set from Helm, and not from the Operator Subscription that installs cert-manager.

Describe the solution you'd like

It appears that the operator framework provides a facility for passing configuration settings to operators, so it would be nice if the DNS server list could be set there.

Describe alternatives you've considered

  • cert-manager appears to add records to a single matching zone for DNS01 challenges (i.e. it cannot add records to both the public and private DNS zones), which might be a potential solution to this. By adding it to both zones, the internal resolver would also be able to detect the record and proceed, though it's not exactly testing what cert-manager needs to test (that things are resolvable externally)
  • Manually modify the cert-manager deployment (the Operator seems to undo these customizations, and any changes are not preserved across upgrades)
  • Might be able to configure the cluster to use external DNS exclusively (rather than the internal cluster DNS), but I don't know how to do this

Additional context

Environment details (remove if not applicable):

  • Kubernetes version:

    Client Version: 4.7.0-0.okd-2021-06-19-191547
    Server Version: 4.7.0-0.okd-2021-08-22-163618
    Kubernetes Version: v1.20.0-1093+4593a24e8fd58d-dirty

  • Cloud-provider/provisioner: Google Cloud
  • cert-manager version: 1.4.3
  • Install method: Operator Hub

/kind feature
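As an added illustration of the self-check this issue describes (not cert-manager's own code): a dependency-free model of the DNS01 pre-check run against a split-horizon zone, showing why the default resolver never sees the record while explicit public recursive nameservers do. The zone data, nameserver addresses and token are constructed; the flag names `--dns01-recursive-nameservers` and `--dns01-recursive-nameservers-only` are cert-manager's real flags, but the check logic here is a simplified model of their effect, not cert-manager's implementation.

```python
# Two views of the same zone, as an OpenShift split-horizon setup produces.
PUBLIC_VIEW = {
    "example.com.": {"NS": ["ns-public.example.net."]},
    "_acme-challenge.app.example.com.": {"TXT": ["tok-constructed-123"]},
}
INTERNAL_VIEW = {  # private view: cert-manager never wrote the TXT here
    "example.com.": {"NS": ["ns-internal.cluster.local."]},
}
# Which view each (constructed) nameserver answers from.
SERVERS = {
    "10.0.0.10": INTERNAL_VIEW,              # the cluster's default resolver
    "ns-internal.cluster.local.": INTERNAL_VIEW,
    "8.8.8.8": PUBLIC_VIEW,                  # a public recursive resolver
    "ns-public.example.net.": PUBLIC_VIEW,
}


def query(server, fqdn, rrtype):
    """Records that `server` would return for (fqdn, rrtype); [] if none."""
    return list(SERVERS[server].get(fqdn, {}).get(rrtype, []))


def zone_of(fqdn):
    """Walk up the name until an apex that some view knows about is found."""
    labels = fqdn.split(".")
    for i in range(1, len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand in PUBLIC_VIEW or cand in INTERNAL_VIEW:
            return cand
    return fqdn


def self_check(fqdn, token, recursive_ns, recursive_only=False):
    """Model of the pre-check. recursive_ns plays --dns01-recursive-nameservers
    (default: the pod's /etc/resolv.conf); recursive_only plays
    --dns01-recursive-nameservers-only. Without it, the recursive servers are
    used only to find the zone's authoritative NS, which are then asked for
    the TXT record directly, so a private NS answer hides the public record."""
    if recursive_only:
        targets = list(recursive_ns)
    else:
        targets = [ns for r in recursive_ns for ns in query(r, zone_of(fqdn), "NS")]
    return bool(targets) and all(token in query(t, fqdn, "TXT") for t in targets)


if __name__ == "__main__":
    name, tok = "_acme-challenge.app.example.com.", "tok-constructed-123"
    print("default resolver:", self_check(name, tok, ["10.0.0.10"]))  # False
    print("public resolver: ", self_check(name, tok, ["8.8.8.8"]))    # True
```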

@jetstack-bot jetstack-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 25, 2021
@lousyd

lousyd commented Aug 30, 2021

I, too, have this issue. I'm running on AWS with the same versions as above, and I installed via OperatorHub. In my own troubleshooting I only got as far as determining that the Challenge is stuck in pending because it's "Waiting for dns-01 challenge propagation". It's querying a nameserver that's in my private zone, not the public one. The actual acme TXT record is publicly available. It seems like if cert-manager skipped the propagation check, the challenge would be satisfied and the acme cert would be issued. So it's just that propagation check that's holding things up.

@jawnsy added a lot of detail I wasn't aware of. Thank you, sir!

@niklashagman

niklashagman commented Oct 30, 2021

Setting nameservers for the DNS01 self check is still not possible when installing cert-manager from the built-in OperatorHub in OpenShift.

Environment details

  • Kubernetes version:
    • Client Version: 4.8.17
    • Server Version: 4.8.17
    • Kubernetes Version: v1.21.2
  • Cloud-provider/provisioner: user-provisioned cluster on bare metal
  • cert-manager version: 1.6.0
  • Install method: OperatorHub built into OpenShift

@bdurrow

bdurrow commented Jan 6, 2022

I believe that this issue is related: cert-manager/cert-manager-olm#22

@bdurrow

bdurrow commented Jan 6, 2022

Here is my current workaround in GCP: https://gist.github.com/bdurrow/e90bf7949b56476d955f489a0ef605fb

@jetstack-bot
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 10, 2022
@jetstack-bot
Collaborator

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

@jetstack-bot jetstack-bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 10, 2022
@EagleIJoe

/remove-lifecycle rotten

@jetstack-bot jetstack-bot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label May 10, 2022
@wallrj
Member

wallrj commented May 19, 2022

I've attempted to document the configuration options available to users of the existing OLM package:

Please review and comment.

@jetstack-bot
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 17, 2022
@jetstack-bot
Collaborator

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

@jetstack-bot jetstack-bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Sep 16, 2022
@jetstack-bot
Collaborator

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

@jetstack-bot
Collaborator

@jetstack-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@wallrj
Member

wallrj commented Nov 2, 2023

/reopen

@jetstack-bot
Collaborator

@wallrj: Reopened this issue.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@jetstack-bot jetstack-bot reopened this Nov 2, 2023
@wallrj
Member

wallrj commented Nov 2, 2023

This came up again on Slack: https://kubernetes.slack.com/archives/C4NV3DWUC/p1698923865622489

@jetstack-bot
Collaborator

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

@jetstack-bot
Collaborator

@jetstack-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Send feedback to jetstack.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
