[helm] certificate-manager: avoid duplicate certificate generation and rate limiting #1715
Problem description:
Before this change, when using the 'jetstack/cert-manager' alongside the
'wire-server' and 'nginx-ingress-services' helm charts (with
useCertManager: true), each subsequent 'helm upgrade' command
re-generated a fresh 'certificaterequest' object that retrieved a fresh
certificate from Let's Encrypt, even if the existing certificate was
still valid.
This is probably due to both the 'Certificate' resource managing the
'Secret' resource, as well as helm itself also creating the 'Secret'
resource (with empty strings).
This is a problem because:
causing deployments to fail.
Symptoms:
Using this command:
one can see that two fresh certificate request resources (one for the
regular ingress, one for the federator ingress and the federator itself) are created on
each fresh deployment. After more than 5 deployments in a given 7-day
period, deployments fail with errors such as:
Resolution:
With this PR, we only create the Secret resource manually if certificate
manager is disabled. After one more initial fresh certificate request, all subsequent
deployments no longer create fresh certificate requests, solving this
issue. Thanks @akshaymankar for your hunch of what the issue could be.
Drive-by improvement:
certificate
Useful tools when debugging Let's Encrypt issues:
https://crt.sh/
https://letsdebug.net
https://tools.letsdebug.net/cert-search
https://check-your-website.server-daten.de/
Check for certificate, certificaterequest, order and challenge
objects in kubernetes.
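The guard described under the resolution, shown as an added illustration rather than the wire-server chart's own template: the TLS Secret is rendered only when cert-manager is not in use, so that cert-manager's Certificate resource remains the sole owner of the Secret and helm never overwrites it with empty strings. The value names (useCertManager, tlsSecretName, tlsCert, tlsKey, host) and the ClusterIssuer name are assumptions for this example.

```yaml
# Illustrative Helm template (not the chart's own file). Assumes a
# .Values.useCertManager boolean and the other .Values keys used below.
{{- if not .Values.useCertManager }}
# Without cert-manager, the chart owns the Secret and the operator supplies
# the certificate material through values.
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Values.tlsSecretName }}
type: kubernetes.io/tls
data:
  tls.crt: {{ .Values.tlsCert | b64enc | quote }}
  tls.key: {{ .Values.tlsKey | b64enc | quote }}
{{- else }}
# With cert-manager, only the Certificate is rendered. cert-manager creates
# and renews the Secret named in secretName, so a helm upgrade does not
# replace it and no new CertificateRequest is triggered while it is valid.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ .Values.tlsSecretName }}
spec:
  secretName: {{ .Values.tlsSecretName }}
  dnsNames:
    - {{ .Values.host }}
  issuerRef:
    name: letsencrypt   # assumed ClusterIssuer name
    kind: ClusterIssuer
{{- end }}
```

The point of the branch is ownership: exactly one party (helm or cert-manager) writes the Secret. When both do, every upgrade resets the Secret and cert-manager re-issues, which is what exhausts the Let's Encrypt duplicate-certificate limit described above.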