Comments (10)
@mathianasj Actually, it is not fixed with #84 (although it is fixed in v1.0.0+)
Real issue comes from UpdateFunc
in isAnnotatedSecret
predicate within controller/cainjection/secret_controller.go
It does not actually check if there is annotation on secret at all! Operator then proceeds to flood the logs reconciling every secret on the cluster regardless if it has the required annotation. This also explains the "random" delay - processing all secrets in the cluster simply takes time ;)
If someone wants to fix the v0.1 version, here is a patch (predicate for isAnnotadedSecret backported from more recent version):
From af627038a239aad8a130b3db43009d7bc94657bf Mon Sep 17 00:00:00 2001
From: jjaruszewski <[email protected]>
Date: Wed, 10 May 2023 18:22:24 +0200
Subject: [PATCH] fix/reconciling all secrets in cluster
---
pkg/controller/cainjection/secret_controller.go | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/controller/cainjection/secret_controller.go b/pkg/controller/cainjection/secret_controller.go
index 8ae1288..da5a9b3 100644
--- a/pkg/controller/cainjection/secret_controller.go
+++ b/pkg/controller/cainjection/secret_controller.go
@@ -49,7 +49,9 @@ func addSecretReconciler(mgr manager.Manager, r reconcile.Reconciler) error {
if newSecret.Type != util.TLSSecret {
return false
}
- return true
+ oldSecretAnn, _ := e.MetaOld.GetAnnotations()[certAnnotationSecret]
+ newSecretAnn, _ := e.MetaNew.GetAnnotations()[certAnnotationSecret]
+ return oldSecretAnn != newSecretAnn
},
CreateFunc: func(e event.CreateEvent) bool {
secret, ok := e.Object.(*corev1.Secret)
--
2.40.1
from cert-utils-operator.
Hi, this is by design. The route gets updated with the contents of the provided secret. If ca.crt is not provided in the secret that is why it is being overwritten. This behavior should be present in the latest version also.
from cert-utils-operator.
See here
from cert-utils-operator.
This secret was not used for a route at all, I did not use any cert utils operator annotation on it.
It should not work like this, the operator should not care about secrets which are not related to it I believe?
This looks like some side effect to me or I do not understand something. The operator should work only then if I use consciously one of the annotations on a secret, a configmap or a route. In this case, I did not.
from cert-utils-operator.
I misread this at first. Would you be able to provide a sample of the cert manager certificate, and an output of the secret for me to review and duplicate the issue. What version of cert-manager do you have deployed?
from cert-utils-operator.
Hmm, I need to apologize. Maybe I had some other problem. I just wanted to be sure and give you all the needed info. So I removed everything and reinstalled again on my different Openshift 3.11 cluster. And now I cannot reproduce the same problem. Maybe I had some weird state in etcd in my test cluster as in the operator logs I can see such errors:
{"level":"error","ts":1603182665.7103422,"logger":"controller_ca_injection","msg":"unable to retrive ca from secret","secret":"my-test-project4/testdejw-tls","error":"Secret "testdejw-tls" not found","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/home/travis/gopath/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128\ngithub.com/redhat-cop/cert-utils-operator/pkg/controller/cainjection.(*ReconcileConfigmap).Reconcile\n\t/home/travis/gopath/src/github.com/redhat-cop/cert-utils-operator/pkg/controller/cainjection/configmap_controller.go:133\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/travis/gopath/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:256\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/travis/gopath/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/home/travis/gopath/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211\nk8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/home/travis/gopath/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:152\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/home/travis/gopath/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:153\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/home/travis/gopath/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:88"}
The case is the secret mentioned there does not exist anymore and it tried to look for it. Maybe I had recreated such secret before and it had some old state which was not the same and then it tried to sync it (and then ca.crt was removed somehow).
I cannot reproduce it in the second cluster.
from cert-utils-operator.
I am using the latest cert-manager v1.0.3 and cert-utils-operator v0.1.0.
from cert-utils-operator.
Hmm I think I did it - it took more time that I antipicated. So in a second Openshift 3.11 cluster I have cert-manager v1.0.3 and cert-utils-operator v0.1.0. In one of my namespace I created local Issuer and later Certificate. And I just let them be there for a while. After some time (I checked it again after 1 hour) 'ca.crt' from the generated secret was removed. If I do the same later but without cert-utils-operator (uninstalled) then this takes no place anymore. I added yaml's with the issuer and the certificate and also with generated secret (with ca.crt inside).
issuer.txt
certificate.txt
created-secret.txt
from cert-utils-operator.
We also run cert-utils-operator v0.1.0 on OCP 3.11 and have seen this behavior. Since we do not have cert-manager installed, I do not think this bug has anything to do with cert-manager.
from cert-utils-operator.
@dejwsz I believe this should be fixed with #84
from cert-utils-operator.
Related Issues (20)
- Possible Issue stemming from null password on keystore
- Problem with certificate in route sinced a changed has been made in cert-manager HOT 12
- Ability to create truststore from Operator controlled Secrets HOT 3
- Unable to stop expiry alert HOT 7
- false alerts HOT 1
- Helm installation is broken
- generating the truststore in an new secret of type Opaque HOT 3
- unable to update route error HOT 3
- ConstraintsNotSatisfiable - V1.3.9 HOT 3
- Missing webhook-server-cert Secret when installed with Helm HOT 1
- Cert-Manager vs. OpenShift Service serving-cert-secret-name Annotation (1.3.9) HOT 6
- ServiceMonitor contains a hard-coded serverName that assumes the operator namespace is cert-utils-operator HOT 22
- Ability to inject openshift-service-ca.crt ConfigMap as route destinationCACertificate
- truststore.jks in ConfigMaps updated on every pod restart HOT 10
- Image is out of date HOT 3
- Problem with high memory consumption on kube-apiserver HOT 2
- Operator logs access token HOT 6
- Dependency Dashboard
- It should be possible to use multiple source-ca-keys to generate a truststore
- regarding storing CA bundle in a secret to populate route certificates in openshift HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cert-utils-operator.