Cert-Manager vs. OpenShift Service serving-cert-secret-name Annotation (1.3.9)

[vinzent]

I've configured enableCertManager=true in my helm values.

I discovered the Service cert-utils-operator-controller-manager-metrics-service has the service.alpha.openshift.io/serving-cert-secret-name: cert-utils-operator-certs annotation.

and additionally the Certificate resource metrics-serving-cert is created which also points to the secret cert-utils-operator-certs.

Now the openshift service-ca controller and Cert-Manager fight to manage the secret.

[vinzent]

I've got 14'000 CertificateRequest resources. 🚀

[raffaelespazzoli]

ok, thanks for reporting this. We expect people using OCP to install via OLM and people using other kube distributions to install via helm. We don't test helm on OCP. thanks for the finding.

[vinzent]

unfortunately, we only have access to Certified and Marketplace operators. but not community operators.

[raffaelespazzoli]

can you use enableCertManager=false ?

[vinzent]

can you use enableCertManager=false ?

The root cause for using enableCertManager=true was that the deployment references a secret webhook-server-cert which is not created without (related: #132)

[whitelion-github]

Add the same problem. A major one ! It have generated so much certificaterequest that it cause etcd problem (grownth and performance) and make some of our clusters to crash because openshift-kube-apiserver was overhlem.

Need to document helm installation with openshift and set a flag to disable use of service serving certificate in service.

template : v1_service_cert-utils-operator-controller-manager-metrics-service.yaml
Add a test, if .Values.enableCertManager is true, don't add anotation in service (to use service serving certificat)