-
Notifications
You must be signed in to change notification settings - Fork 742
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
self-generated secret non-compliant #111
Comments
Self-generated certs are goverened by the Kubebuilder code. Here is the source for the most recent release: Getting this bug addressed in that central library should go a lot farther in addressing the cross-compatibility issues generally. Please link any filed bugs back to this one and we'll upgrade our libraries to include published fixes as we are able. In the interim, is it possible to have cert-management projects create the cert prior to start up? As long as the cert remains valid the self-management shouldn't overwrite it. Another feature request you may want against the controller-runtime library is to disable the automatic overwriting of expired/incompatible certs, as that could interfere with the functioning of external cert generation systems. |
You can also use the |
@maxsmythe I opened an issue in that project: kubernetes-sigs/controller-runtime#430 |
@raffaelespazzoli thanks! one thing about enable-manual-deploy is that it disables automatic generation of the webhook config, it does not disable automatic generation of the secrets themselves. To have that feature, controller-runtime would need to implement the feature mentioned above:
|
@maxsmythe Today we are using the
But looks like this flag and the ability to generate your own webhook related objects were dropped in this commit: kubernetes-sigs/controller-runtime@81b48be#diff-fbc18bb07cdd05391b7081acc1dfe170 |
@ritazh
Currently, I know of no levers to control secret generation other than making sure a pre-existing valid secret is installed. re: removal of |
I think this has been fixed with the migration to Kubebuilder V2. Re-open if not. |
by convention, secret containing certificates in kubernetes should be of type
"kubernetes.io/tls"
also the entries should be:
tls.key
tls.crt
ca.crt
compliance helps interoperability with other certificate generation systems, such as for example cert-manager
The text was updated successfully, but these errors were encountered: