[Bug]: cert-manager.io/cluster-issuer annotation does not work for AWSPCAClusterIssuer #252
Comments
If this is somehow the intended behavior - then it doesn't make much sense.
This does not seem to be formally documented nor tested.
Thank you for raising this issue with the AWS Private CA Issuer plugin. We will review your submission and respond back to you here as soon as possible.
Hello @brsolomon-deloitte, thanks for raising this issue. I have been looking into this and am trying to reproduce it on our end. Can you post the Ingress resource you've tested this with (a sample definition file is fine)? It may be an obvious ask, but after reading the cert-manager source code, you cannot specify a cluster-issuer at the same time as specifying a kind or a group. https://github.com/cert-manager/cert-manager/blob/706ad574b9bb7669ae94d293d4136cc37cb7d09f/pkg/controller/certificate-shim/sync.go#L705-L715
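An added example, not cert-manager's or the aws-privateca-issuer's own code, that models the annotation-resolution rules in the sync.go lines linked above: the cluster-issuer annotation pins the kind to ClusterIssuer and is rejected alongside issuer-kind or issuer-group, which is why an AWSPCAClusterIssuer can only be reached through the issuer annotation. The issuer name "pca" and the API group awspca.cert-manager.io used in the comments and tests are assumed values.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation keys read by the cert-manager ingress-shim.
const (
	annIssuer        = "cert-manager.io/issuer"
	annClusterIssuer = "cert-manager.io/cluster-issuer"
	annIssuerKind    = "cert-manager.io/issuer-kind"
	annIssuerGroup   = "cert-manager.io/issuer-group"
)

// IssuerRef is the reference the shim writes into the Certificate it creates.
type IssuerRef struct{ Name, Kind, Group string }

// ResolveIssuerRef models the shim's precedence and mutual-exclusion rules
// (an illustrative re-implementation, not cert-manager's own function).
func ResolveIssuerRef(ann map[string]string) (IssuerRef, error) {
	ref := IssuerRef{Group: "cert-manager.io"} // shim default group
	name, hasIssuer := ann[annIssuer]
	cname, hasCluster := ann[annClusterIssuer]
	if hasIssuer {
		ref.Name, ref.Kind = name, "Issuer"
	}
	if hasCluster { // cluster-issuer pins Kind to ClusterIssuer
		ref.Name, ref.Kind = cname, "ClusterIssuer"
	}
	if kind, ok := ann[annIssuerKind]; ok {
		ref.Kind = kind
	}
	if group, ok := ann[annIssuerGroup]; ok {
		ref.Group = group
	}
	// cluster-issuer may not be combined with issuer, issuer-kind or issuer-group,
	// so an AWSPCAClusterIssuer can only be named via the issuer annotation.
	var errs []string
	for _, k := range []string{annIssuer, annIssuerKind, annIssuerGroup} {
		if _, ok := ann[k]; hasCluster && ok {
			errs = append(errs, annClusterIssuer+" and "+k+" may not both be set")
		}
	}
	if len(errs) > 0 {
		return IssuerRef{}, fmt.Errorf("%s", strings.Join(errs, "; "))
	}
	return ref, nil
}
```

With the annotation set from this issue (cluster-issuer plus issuer-kind: AWSPCAClusterIssuer and its group) the function returns an error, while the same kind and group under the issuer annotation resolve to the AWSPCAClusterIssuer reference.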
I was able to test this offline, and I can confirm that even with just the
For reference, here is the yaml file I applied in order to get those messages.
There is a biweekly sync with cert-manager happening tomorrow, we'll raise this issue with them and get guidance on how to resolve it with them. There may need to be some support on cert-manager's side to make this work correctly.
Seems like you've been able to reproduce exactly what we are seeing, e.g. that a
Leaving some more notes in here, plan to present to cert-manager weekly meeting: This is related to the securing ingresses feature of cert-manager. For our aws-privateca-issuer, only
Basically, we are not able to get the ingress to automatically obtain a cert in the case of a cluster-issuer.
OK, while convoluted (and I think you alluded to this in your original comment), you can get around this limitation by specifying the cluster-issuer in the
One question to you @brsolomon-deloitte is: while this is not ideal, does the potential workaround of specifying the cluster issuer in the Put another way: if this was fixed, does it unblock/enable any more functionality for your use cases, or can you use the workaround to do everything you need?
Yes, we realize that using Either way, thanks for laying out the details and giving attention to this issue.
PR to cert-manager docs to clarify the behaviour cert-manager/website#1203
Do let us know if the updated docs make sense
Looks alright to me.
Thanks for creating this issue @brsolomon-deloitte and thank you @irbekrm for the help in fixing the documentation! I am closing this issue now.
Describe the expected outcome
The `cert-manager.io/cluster-issuer` annotation for `Ingress` should be allowed to point to an `AWSPCAClusterIssuer`.
Describe the actual outcome
To refer to an `AWSPCAClusterIssuer`, cert-manager only recognizes `cert-manager.io/issuer` and not `cert-manager.io/cluster-issuer`. This is counter-intuitive given that `cluster-issuer` is supposed to point to a non-namespaced resource. https://cert-manager.io/docs/usage/ingress/#supported-annotations
Steps to reproduce
1. `AWSPCAClusterIssuer`
2. `Ingress` and annotate it with `cert-manager.io/cluster-issuer`
The result is that nothing happens at all - the annotation is effectively ignored.
Relevant log output
No response
Version
1.2.4
Have you tried the following?
Category
Other
Severity
Severity 3