cert-manager: add trusted internal ca when configured #8135
Conversation
Hi @infra-monkey. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi @infra-monkey
@oomichi Hi, Extracted from the issuer crd definition (https://github.com/jetstack/cert-manager/blob/master/deploy/crds/crd-issuers.yaml#L141):
This is the only "official" reference I could find about this feature.
@infra-monkey Thank you so much for your explanation, I got it. /ok-to-test
@oomichi thank you for the approval. I put "none" for the user facing change. As there is a new option in the inventory, should I specify it there?
That is a nice point.
or something.
@oomichi a vagrant job failed in the pipeline. How can I restart the tests?
@infra-monkey would you mind updating https://github.com/kubernetes-sigs/kubespray/blob/master/docs/cert_manager.md with some details on the new variable and the intended purpose?
Great point. I'll do that. I hope my english will be good enough.
It might be a good idea to rebase your branch on latest master since the CI job is complaining about failing to merge your doc changes.
@cristicalin Rebased from master. It brings a lot of changes from master that have nothing to do with this change. CI fails, but because it can't pull containers.
The relevant failure on the CI is this:
https://gitlab.com/kargo-ci/kubernetes-sigs-kubespray/-/jobs/1735187854#L40 Your PR now brings in some changes from the master branch which means the rebase was somehow broken. Usually, the way I do this is like this:
Unfortunately it seems our CI python was pushed to 3.10 and is now breaking in interesting ways. I pushed a fix #8153 but there may be other breakage.
I just saw that. I'll wait for your PR to be merged in master and include it here.
Merged now you can rebase 👍
I cherry picked the CI fix.
@oomichi @cristicalin @floryut Seems the pipeline fails on a timeout downloading a file.
yup there is an issue with calico release, I've submitted a PR and I'm trying to get in touch with Calico maintainers to understands what the f** happened
I have seen your PR. Indeed it is strange that the hash would change without a version change.
@infra-monkey #8157 just merged, please rebase and lets try this run one more time.
YEAH ! It finally passed!
Current pull request is not rebased yet, it just contains necessary commits in the pull request.
@oomichi I didn't think you wanted a full rebase before merge. I misunderstood the request to rebase.
@infra-monkey it is the norm to have only your commits in a PR unless you are doing backports to older branches. This is needed to keep the git commit history clean and also to avoid issues when github squashes the commits in the final merge.
/approve
@infra-monkey Thank you for the PR 👍
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cristicalin, floryut, infra-monkey. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Thank you all for the guidance and patience :)
/lgtm
…s#8135) * cert-manager: add trusted internal ca when configured * wrong check for inventory variable * Update documentation
What type of PR is this?
/kind feature
What this PR does / why we need it:
In order to use an acme issuer with an internal authority, the CA of the authority must be trusted by cert-manager.
If not, the issuer will throw errors saying the certificate of the acme uri is unknown.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
I tried to keep it simple.
One additional variable in the addon inventory to specify the trusted internal ca.
A configmap is created with the content of the ca.
This configmap is mounted in the cert-manager container in /etc/ssl/certs in order to be trusted.
As not everyone will use acme with an internal authority, the cm and mount are not defined if the variable is not defined.
Does this PR introduce a user-facing change?:
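The mechanism the description above outlines, as an added illustration that is not the PR's own code: a kubespray-style Jinja2 manifest template that creates the ConfigMap and mounts it into the cert-manager container only when the inventory variable is defined. The variable name cert_manager_trusted_internal_ca, the image variable, the ConfigMap name, the file name and the namespace are assumptions; /etc/ssl/certs is the trust path the PR description gives.

```yaml
# Added illustration (not the PR's code): kubespray-style Jinja2 template
# for a Kubernetes manifest. Assumed inventory variable:
#   cert_manager_trusted_internal_ca  (PEM text of the internal CA)
# ConfigMap name, key/file name, namespace and image variable are
# also assumptions.
{% if cert_manager_trusted_internal_ca is defined %}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cert-manager-trusted-internal-ca
  namespace: cert-manager
data:
  internal-ca.crt: |
{{ cert_manager_trusted_internal_ca | indent(width=4, first=True) }}
{% endif %}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  selector:
    matchLabels:
      app: cert-manager
  template:
    metadata:
      labels:
        app: cert-manager
    spec:
      containers:
        - name: cert-manager
          image: {{ cert_manager_image }}   # assumed variable
{% if cert_manager_trusted_internal_ca is defined %}
          volumeMounts:
            # subPath places only this file next to the image's own CA
            # bundle; mounting the ConfigMap over the whole /etc/ssl/certs
            # directory would hide that bundle, so public ACME servers
            # would no longer be trusted.
            - name: trusted-internal-ca
              mountPath: /etc/ssl/certs/internal-ca.crt
              subPath: internal-ca.crt
              readOnly: true
      volumes:
        - name: trusted-internal-ca
          configMap:
            name: cert-manager-trusted-internal-ca
{% endif %}
```

A subPath mount does not pick up later edits to the ConfigMap, so the cert-manager pod has to be restarted after the CA is rotated.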