Let's Encrypt is blocking old cert-manager versions #5067
Comments
christophlehmann
added
the
kind/feature
|
I was looking into this on our dev cluster, but something is not working. We are seeing similar issues as here cert-manager/cert-manager#2015 |
|
I ran into this one today. I decided to remove my kubespray managed cert-manager installation completely and install from the chart from jetstack. Luckily these were brand new clusters, so no big deal for me. However it's a pretty bad experience to grab the latest and greatest kubespray, and enable cert-manager as an addon, only to have it install an outdated cert-manager that doesn't work... There's no point in having addons for kubespray if they are not kept up to date. I would much rather have that kubespray didn't include any addons at all, than keep outdated addons. |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Where update for cert manager? |
|
@stufently: You can't reopen an issue/PR unless you authored it or you are a collaborator. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What would you like to be added:
certmanager 0.5.2 should be updated to >= 0.8.0
Why is this needed:
Today the following mail arrived:
We've been working with Jetstack, the authors of cert-manager, on a
series of fixes to the client. Cert-manager sometimes falls into a
traffic pattern where it sends really excessive traffic to Let's
Encrypt's servers, continuously. To mitigate this, we plan to start
blocking all traffic from cert-manager versions less than 0.8.0 (the
current semver minor release), as of November 1, 2019. Please upgrade
all of your cert-manager instances before then.
We're sending this email because this is the contact address of your
cert-manager instance at:
x.x.x.x.
Version 0.8.0 is much better but we still observe excessive traffic in
some cases. We're working with Jetstack to improve these cases. As new
versions of cert-manager are released, we will add the non-current
versions to our block list after 3 months. We strongly encourage
cert-manager users to stay up-to-date with new versions.
Also, there is an opportunity to help both Jetstack and Let's Encrypt.
Once you've upgraded, please check the logs for your cert-manager
instances from time to time. Are they making excessive requests to Let's
Encrypt (more than, say, 10 per day over multiple days)? If so, please
share details at cert-manager/cert-manager#1948 .
Thanks,
Let's Encrypt Team
The text was updated successfully, but these errors were encountered: