fix: cert-manager duration expects XhYmZs format #273
base: main
4f2b90f to e3bc7c7
It accepts shorter format like Yh, but the mutating webhook, if installed/enabled will convert it to the full format, causing potential endless reconciliation loops with tools like ArgoCD

Fixes topolvm#190

Signed-off-by: Philippe M. Chiasson <gozer@ectoplasm.org>
Signed-off-by: Philippe M. Chiasson <gozer@lacework.net>
e3bc7c7 to 054bff2
The reverse is also true: if there is a mutating webhook that converts to a shorter format, the change of this PR can cause an endless reconciliation loop. I have checked and argocd works fine with both
The issue isn't with ArgoCD itself, but rather with cert-manager itself; it requires durations to be in that format, and it's cert-manager's own mutating webhook controller that makes this conversion transparently. So, technically, a
Thanks for letting me know. I tried to check the output format of cert-manager for the review, but I could not see the above behavior in my environment. It may be a difference in versions, so please tell me which version you tested. Or do I need any options for cert-manager?
No worries!
The validating/mutating webhook portion of cert-manager is an optional component. I've seen it with cert-manager 1.13.3 as of now.
I checked my environment, cert-manager is 1.14.4, and the webhook is enabled. Does your environment set additional options for webhooks? I checked the cert-manager code, but could only find a webhook for the CertificateRequest custom resource and could not find logic for the Certificate custom resource.
Does this mean it is an external product?
@gozer I agree with your change, and I am also experiencing this issue when installing the chart via ArgoCD. One small suggestion: instead of hardcoding, it would be nice if we can call it via values.yaml, allowing people to modify it based on their requirements.
This pull request has been automatically marked as stale because it has not had any activity for 30 days. It will be closed in a week if no further activity occurs. Thank you for your contributions.
Thanks! I didn't have time to dig down precisely where it's coming from so I can offer a reproducible test case. At least I am not alone. And yes, making it a value makes a whole lot more sense. I'll fix the PR.
Via `controller.certificate.duration`

Signed-off-by: Philippe M. Chiasson <gozer@ectoplasm.org>
e116b33 to 18f8839
10d3548 to 52ce7dc
@gozer
It accepts shorter format like Yh, but the mutating webhook, if
installed/enabled will convert it to the full format, causing potential
endless reconciliation loops with tools like ArgoCD
Fixes #190
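
Added example, not part of this pull request or the project's chart: a small Go lint for rendered manifest text that flags `duration` and `renewBefore` values not already written in the full XhYmZs form the PR title refers to, so a later rewrite cannot show up as drift. It assumes the normalization is equivalent to a round trip through Go's `time.ParseDuration` and `Duration.String()`; `Canonical`, `Lint` and `Finding` are names made up for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// durationField matches the Certificate spec keys that hold a duration.
var durationField = regexp.MustCompile(`^\s*(duration|renewBefore):\s*"?([^"#\s]+)"?`)

// Finding is one duration value that a parse/print round trip would rewrite.
type Finding struct {
	Line           int
	Key, Got, Want string
}

// Canonical returns s as Go's time.Duration.String() prints it
// ("8760h" becomes "8760h0m0s"), or "<invalid>" if s does not parse.
func Canonical(s string) string {
	d, err := time.ParseDuration(s)
	if err != nil {
		return "<invalid>"
	}
	return d.String()
}

// Lint scans rendered manifest text and reports non-canonical durations.
func Lint(manifest string) []Finding {
	var out []Finding
	for i, line := range strings.Split(manifest, "\n") {
		m := durationField.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		if want := Canonical(m[2]); want != m[2] {
			out = append(out, Finding{i + 1, m[1], m[2], want})
		}
	}
	return out
}

func main() {
	// Constructed sample manifest fragment, not taken from the chart.
	fmt.Printf("%+v\n", Lint("spec:\n  duration: 8760h\n  renewBefore: 720h0m0s\n"))
}
```

Run it over the output of `helm template` rather than the chart sources, since unrendered template expressions are reported as `<invalid>`.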