Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add the removal of unrequired certificates #1705

Merged
merged 3 commits into from
Jun 18, 2019
Merged

Add the removal of unrequired certificates #1705

merged 3 commits into from
Jun 18, 2019

Conversation

cheukwing
Copy link
Contributor

What this PR does / why we need it:
When the SecretName of a TLS entry in an ingress is changed/modified, the previous certificate is deleted.
This fixes issues with work queues being filled with unrequired certificates.

Which issue this PR fixes: fixes #912

Special notes for your reviewer:
The change to sync_test.go will need to be modified for simplicity to follow the changes in pull request #1670 (w.r.t. owner references).

Release note:

Add the removal of certificates when no longer required by the owner ingress

@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. release-note Denotes a PR that will be considered when it comes time to generate release notes. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels May 20, 2019
@jetstack-bot jetstack-bot requested a review from munnerz May 20, 2019 14:29
@jetstack-bot jetstack-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels May 20, 2019
munnerz
munnerz reviewed May 23, 2019
View reviewed changes
pkg/controller/ingress-shim/sync.go
}

func isUnrequiredCertificate(crt *v1alpha1.Certificate, ing *extv1beta1.Ingress) bool {
if !metav1.IsControlledBy(crt, ing) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it might be possible for us to be cleverer with the label selector in findUnrequiredCertificates in order fo filter the list of certificate's we consider to only those that are controlled/owned by the given Ingress resource. I'm not too certain though, but #sig-api-machinery on the k8s slack will be able to help.

It may not be important to do now, but it could be interesting for you to look into. If you don't want to do it now, could you add a TODO here so we don't forget to consider this option in future? 😄

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Certificates take all the same labels as their owning Ingress, and I imagine an Ingress doesn't add a label onto itself identifying itself so I think we would want to add another label onto new Certificates which links it to a certain Ingress in order to use a more sophisticated selector - maybe the Ingress' UID?

I will add a TODO for now.

@munnerz
Copy link
Member

munnerz commented May 24, 2019

Looks like we may have created a new test flake with the new webhook support 😅 this PR looks good to me.

I'll add the appropriate labels in case you want to get this merged (just comment /hold cancel). If you want to update this according to the comment above, ping me afterwards and I can re-lgtm 😄 (pushing any changes will remove the lgtm label)

/lgtm
/approve
/hold

@jetstack-bot jetstack-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 24, 2019
@jetstack-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cheukwing, munnerz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels May 24, 2019
@munnerz
Copy link
Member

munnerz commented May 24, 2019

/retest

@jetstack-bot jetstack-bot removed the lgtm Indicates that a PR is ready to be merged. label May 24, 2019
@cheukwing
Implement removal of unrequired certificates
82f658e 
Signed-off-by: Michael Tsang <michael.tsang@jetstack.io>
@cheukwing
Add test for deletion of unrequired certificates
9b8e72a 
Signed-off-by: Michael Tsang <michael.tsang@jetstack.io>
@cheukwing
Add todo on certificate selector
202d72c 
Signed-off-by: Michael Tsang <michael.tsang@jetstack.io>
@cheukwing
Copy link
Contributor Author

/retest

@munnerz
Copy link
Member

munnerz commented Jun 18, 2019

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Jun 18, 2019
@munnerz
Copy link
Member

munnerz commented Jun 18, 2019

/hold cancel

@jetstack-bot jetstack-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 18, 2019
@jetstack-bot jetstack-bot merged commit f3bc4fa into cert-manager:master Jun 18, 2019
@aegershman aegershman mentioned this pull request Jun 27, 2019
Merged
@sschne sschne mentioned this pull request Jul 15, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@munnerz munnerz munnerz left review comments

Assignees

@munnerz munnerz

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Delete Certificate when owning ingress no longer requires it
3 participants
@cheukwing @munnerz @jetstack-bot