flink-on-k8s-operator

Support cert-manager for admission webhooks

Open elanv opened this issue 5 years ago • 6 comments

In order to automatically renew certificates, cert-manager is widely used in k8s production environments. I think we should support cert-manager for webhooks.

elanv, Mar 17 '20 02:03

Originally it was supported, then replaced by the current approach; we can consider adding it back as an option.

functicons, Mar 17 '20 03:03

I think it doesn't need to support cert-manager. It is too heavy for operator. So if you use this, you need to maintain it? We have used this operator in product env, and deleted the cert-manager.

Mrart, Apr 03 '20 08:04

cert-manager is not mandatory, but some users might want to use it for the reasons mentioned by @elanv.

functicons, Apr 03 '20 20:04

We use cert-manager in our operating environment. It seems very cumbersome to remember and manually renew the expiration of many certificates without cert-manager on a large cluster.

elanv, Apr 03 '20 23:04

I thought using cert manager was the recommended way to generate certificates for webhooks with kubebuilder built CRDs?

> It is too heavy for operator

Could you say more? It looks like it was removed in #167 but the PR doesn't provide much information about why it was removed?

jlewi, Jun 22 '21 17:06

I also agree that cert-manager should be used for webhook certificates. It is too much of a burden to manually maintain certificates across multiple clusters. It may not be instant, but K8S is self healing and will recover once the certificates are ready, unlike when the chart release is updated. This breaks certificates and requires manual intervention.

stylius, Jul 02 '21 06:07