Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cert_manager: Fix Apply ClusterIssuer manifest task failed by removing deprecated ClusterIssuer #8064

Merged
merged 1 commit into from
Oct 11, 2021
Merged

cert_manager: Fix Apply ClusterIssuer manifest task failed by removing deprecated ClusterIssuer #8064

merged 1 commit into from
Oct 11, 2021

Conversation

rtsp
Copy link
Member

@rtsp rtsp commented Oct 8, 2021
edited by floryut
Loading

What type of PR is this?
/kind bug

What this PR does / why we need it:

Task kubernetes-apps/ingress_controller/cert_manager : Cert Manager | Apply ClusterIssuer manifest failed when deploying kubespray with cert-manager add-ons enabled for K8s v1.22.

This failure caused by applying ClusterIssuer with a hard-coded TLS secret from these manifests.

  1. clusterissuer-cert-manager.yml.j2
  2. secret-cert-manager.yml.j2

I'm not sure about the purpose of these 2 files. It's included in 9cc70e9 from #6414 since cert-manager v0.15 and it seems to be deprecated now because it does not exist in later version of cert-manager anymore.

After removing these 2 manifests and its related tasks. Everying is working good again (at least on my cluster).

Which issue(s) this PR fixes:

Fixes #8059

Special notes for your reviewer:

I've tested this patch on my cluster (Debian 11, K8s v1.22, containerd, All add-ons enabled)

Does this PR introduce a user-facing change?:

Fix cert_manager ClusterIssuer manifest by removing deprecated ClusterIssuer

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 8, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @rtsp. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 8, 2021
floryut
floryut approved these changes Oct 8, 2021
View reviewed changes
Copy link
Member

@floryut floryut left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test
Nice thanks, I think we need to update cert-manager anyway because the version we have is a bit old

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 8, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floryut, rtsp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 8, 2021
@rtsp
Copy link
Member Author

rtsp commented Oct 8, 2021

/ok-to-test Nice thanks, I think we need to update cert-manager anyway because the version we have is a bit old

Agreed. I'm looking on how to automate conversion of 33k-lines cert-manager manifests 😂.

@cristicalin
Copy link
Contributor

cristicalin commented Oct 9, 2021
edited
Loading

Agreed. I'm looking on how to automate conversion of 33k-lines cert-manager manifests 😂.

@rtsp for now I have a more manual approach to this by just giving up on the split, I was working on a PR this morning but it's in a rough shape still. I'll wait for this PR to merge before submitting the update for 1.5.4.

@cristicalin
Copy link
Contributor

Also it's worthwhile mentioning that for the cert-manager to become actually useful a deployer would need to create a cluster issuer as a first thing after deployment, this means this PR needs an update in https://github.com/kubernetes-sigs/kubespray/blob/master/docs/cert_manager.md?plain=1#L14-L36

@cristicalin cristicalin mentioned this pull request Oct 9, 2021
Merged
@rtsp
Copy link
Member Author

rtsp commented Oct 10, 2021
edited
Loading

Also it's worthwhile mentioning that for the cert-manager to become actually useful a deployer would need to create a cluster issuer as a first thing after deployment, this means this PR needs an update in https://github.com/kubernetes-sigs/kubespray/blob/master/docs/cert_manager.md?plain=1#L14-L36

Look like this document also need a major revise. I think, for most topics, we can provide links from our docs to upstream cert-manager 0.15 docs to make sure users get completed and updated document.

IMO, we should at least hightlight these topics as I got a lot of question from my users here.

Ingress

  1. https://cert-manager.io/v1.5-docs/usage/ingress/
  2. https://cert-manager.io/v1.5-docs/tutorials/acme/ingress/#step-3-assign-a-dns-name (Skip to Step 3)

ACME

  1. https://cert-manager.io/v1.5-docs/configuration/acme/
  2. https://cert-manager.io/v1.5-docs/tutorials/acme/http-validation/
  3. https://cert-manager.io/v1.5-docs/tutorials/acme/dns-validation/
  4. https://cert-manager.io/v1.5-docs/faq/acme/

@floryut
Copy link
Member

floryut commented Oct 11, 2021
edited
Loading

/cc @champtar @oomichi

@k8s-ci-robot k8s-ci-robot requested a review from chadswen October 11, 2021 13:30
@floryut floryut requested review from champtar and removed request for chadswen October 11, 2021 13:30
@oomichi
Copy link
Contributor

oomichi commented Oct 11, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 11, 2021
@k8s-ci-robot k8s-ci-robot merged commit 6c004ef into kubernetes-sigs:master Oct 11, 2021
@cristicalin cristicalin mentioned this pull request Oct 23, 2021
Merged
@floryut floryut mentioned this pull request Dec 21, 2021
Closed
@rtsp rtsp mentioned this pull request Jan 15, 2022
Closed
7 tasks
@rtsp rtsp mentioned this pull request Mar 24, 2022
Closed
@rtsp rtsp deleted the develop/cert-manager-remove-clusterissuer branch April 12, 2022 13:33
sakuraiyuta pushed a commit to sakuraiyuta/kubespray that referenced this pull request Apr 16, 2022
@rtsp @sakuraiyuta
cert_manager: Remove deprecated ClusterIssuer and its Secret (kuberne…
081223f 
…tes-sigs#8064)
LuckySB pushed a commit to southbridgeio/kubespray that referenced this pull request Jun 27, 2023
@rtsp @LuckySB
cert_manager: Remove deprecated ClusterIssuer and its Secret (kuberne…
2233c08 
…tes-sigs#8064)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@floryut floryut floryut approved these changes

@holmsten holmsten Awaiting requested review from holmsten

@oomichi oomichi Awaiting requested review from oomichi

@champtar champtar Awaiting requested review from champtar

Assignees

@oomichi oomichi

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

cert-manager jobs are failing with unknown root CA error
5 participants
@rtsp @k8s-ci-robot @cristicalin @floryut @oomichi