Comments (5)
Can we add `class` as `ingressClassName` itself if `ingressClassName` is not provided?
Defaulting the field `ingressClassName` with the value in the field `class` would break anyone using Azure AGIC with `class` set and `ingressClassName` unset.

The problem is that `class` accepts anything that is a valid annotation value, but `ingressClassName` must be a DNS label. We broke Azure AGIC users in the past (#4547) due to this subtle difference.

Does it make sense?
The sample-ingress-1 is created with `IngressClassName` specified.
The sample-ingress-class is created with `class` specified.
Hey, thanks for sharing this!

I assume that you are referring to the alert introduced in OpenShift 4.12. I wasn't aware of this warning. I found an explanation as to why this warning exists in transition-ingress-from-beta-to-stable.md:

> We are considering adding alerts in case any Routes existed in this state, so that the administrator would know that the Routes needed to be deleted, or the Ingress modified to specify an appropriate IngressClass so that OpenShift would once again reconcile the Routes.

Right now, cert-manager has three different "modes":

1. The "Old" way: when `class` is configured on an ACME Issuer, the generated Ingress is set with the annotation `kubernetes.io/ingress.class`.

   ```yaml
   apiVersion: cert-manager.io/v1
   kind: Issuer
   spec:
     acme:
       solvers:
         - http01:
             ingress:
               class: nginx
   ---
   # Resulting ACME resolver ingress:
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   metadata:
     annotations:
       kubernetes.io/ingress.class: nginx
   ```

2. The "New" way: when `ingressClassName` is configured on an ACME Issuer, the generated Ingress's `spec.ingressClassName` is set to that value.

   ```yaml
   apiVersion: cert-manager.io/v1
   kind: Issuer
   spec:
     acme:
       solvers:
         - http01:
             ingress:
               ingressClassName: nginx
   ---
   # Resulting ACME resolver ingress:
   apiVersion: networking.k8s.io/v1
   kind: Ingress
   spec:
     ingressClassName: nginx
   ```

3. The "default" way: when `class` and `ingressClassName` aren't configured, the `spec.ingressClassName` field is left empty and no annotation is added.

I imagine that you are referring to (3). (3) is necessary for backwards compatibility reasons: a while back, some ingress controllers were picking up Ingresses by default. This is still how ingress-gce operates.

> I propose that we can add default ingressClassName to issuer if ingressClassName is not specified.

If we were to add a "default" `ingressClassName` for issuers that don't have `ingressClassName` set, it would have to be in a non-breaking way, for example by adding a flag `--default-issuer-ingress-class-name`.

Before continuing, can you explain what prevents users from setting `ingressClassName` on their issuers? I imagine that it would require changes in lots of places, and the platform admin in charge of "fixing" this warning would like to do that without changing everyone's issuers.
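As an added illustration of the three modes above and of the annotation-value versus DNS-label distinction raised earlier in the thread (the Azure AGIC breakage), here is a small Go model. It is example code written for this page, not cert-manager's own implementation. `SolverIngress`, `ResolvedIngress`, `Resolve` and `IsDNS1123Label` are assumed names, the `defaultIngressClassName` parameter stands in for the proposed `--default-issuer-ingress-class-name` flag, the decision to apply that default only when neither `class` nor `ingressClassName` is set is my reading of "non-breaking", and the `azure/application-gateway` sample value is supplied by me, not taken from the thread.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// dns1123LabelRE encodes the RFC 1123 label rule the thread refers to:
// lowercase alphanumerics and '-', starting and ending alphanumeric.
var dns1123LabelRE = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// IsDNS1123Label reports whether s is acceptable where Kubernetes requires a DNS label
// (at most 63 characters and matching dns1123LabelRE).
func IsDNS1123Label(s string) bool {
	return len(s) <= 63 && dns1123LabelRE.MatchString(s)
}

// SolverIngress mirrors the two spec.acme.solvers[].http01.ingress fields discussed.
type SolverIngress struct {
	Class            string // legacy: becomes the kubernetes.io/ingress.class annotation
	IngressClassName string // becomes spec.ingressClassName on the generated Ingress
}

// ResolvedIngress holds what the generated ACME solver Ingress would carry.
type ResolvedIngress struct {
	Annotations      map[string]string
	IngressClassName string // empty means the field is left unset ("default" mode)
}

const legacyAnnotation = "kubernetes.io/ingress.class"

// Resolve applies the three modes. defaultIngressClassName is the hypothetical value of
// the proposed --default-issuer-ingress-class-name flag ("" means the flag is unset).
// The legacy class value is never copied into spec.ingressClassName: it is an annotation
// value and need not be a DNS label, which is exactly why defaulting one from the other
// broke Azure AGIC users.
func Resolve(cfg SolverIngress, defaultIngressClassName string) (ResolvedIngress, error) {
	out := ResolvedIngress{Annotations: map[string]string{}}

	switch {
	case cfg.IngressClassName != "":
		// "New" way: explicit ingressClassName on the solver; validate it as a DNS label
		// so a bad value is rejected at the issuer rather than by the API server later.
		if !IsDNS1123Label(cfg.IngressClassName) {
			return out, fmt.Errorf("ingressClassName %q is not a valid DNS label", cfg.IngressClassName)
		}
		out.IngressClassName = cfg.IngressClassName
	case cfg.Class != "":
		// "Old" way: annotation only; any annotation value is acceptable here.
		out.Annotations[legacyAnnotation] = cfg.Class
	case defaultIngressClassName != "":
		// Proposed opt-in default (assumption): only reached when neither field is
		// configured, so existing issuers keep their current behaviour.
		if !IsDNS1123Label(defaultIngressClassName) {
			return out, errors.New("default ingress class name flag must be a DNS label")
		}
		out.IngressClassName = defaultIngressClassName
	default:
		// "default" mode: nothing set; rely on the controller's default-controller feature.
	}
	return out, nil
}

func main() {
	// Constructed sample inputs. "azure/application-gateway" is valid as an annotation
	// value but contains '/', so it can never be a DNS label.
	for _, cfg := range []SolverIngress{
		{Class: "nginx"},
		{IngressClassName: "nginx"},
		{Class: "azure/application-gateway"},
		{IngressClassName: "azure/application-gateway"},
		{},
	} {
		r, err := Resolve(cfg, "openshift-default")
		fmt.Printf("%+v -> %+v err=%v\n", cfg, r, err)
	}
}
```

Running `main` shows the slash-containing value surviving unchanged as an annotation in "Old" mode while being rejected outright when placed in `ingressClassName`, and the flag default only taking effect for the empty configuration.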
@maelvls Firstly, the user has to add one of `class` or `ingressClassName`; I agree this would need changes.

The small hack we can provide for users is to patch the ingress:

```shell
kubectl patch ingress/<ingress-name> --type=merge --patch '{"spec":{"ingressClassName":"default"}}' -n <namespace>
```

The main issue is that, in the case of these alerts, there are some cascading effects like re-issuing the certificate and restarting the ingress.

I think we can add `class` as `ingressClassName` itself if `ingressClassName` is not provided; this would help people avoid these errors in the first place.

Please correct me if I am wrong.
I met with Anirudh this morning. Here are the notes I took from our meeting:

- An OpenShift customer, specifically the platform team, says that they are spammed by a lot of alerts since they upgraded to OpenShift 4.12.
- The official documentation for using cert-manager in OpenShift with ACME says that you should use `class`. This recommendation is made for all current OpenShift versions: 4.12, 4.13, 4.14, and 4.15. The page shows the following:
- The OpenShift Ingress Controller team decided to add this warning in OpenShift 4.12, but many ingress controllers still offer the "default controller" feature (see this comparison page), meaning that it is possible to use an Ingress resource without setting the annotation or `ingressClassName`. Does it mean that the OpenShift Ingress Controller team says that ingress-gce's default controller isn't supported by OpenShift anymore?
- It is possible to default the `ingressClassName` to some dummy value on Issuers or Ingress resources using Kyverno (or a custom controller), but it feels like a work around.

Actions:

- Anirudh to ask question (3) to the OpenShift team responsible for the Ingress API, and ask if it's possible to set up a meeting with them and invite me.
- Anirudh to investigate why the OpenShift docs still say "use the `class` field" when it's not recommended by OpenShift.
- Anirudh to investigate Kyverno and other policy engines that can mutate objects. An example of Kyverno ClusterPolicy is available in https://cert-manager.io/docs/tutorials/certificate-defaults/.