Certificates created by TLSPolicy should be cleaned up
Currently, TLSPolicy is only responsible for creating certificates; however, after this step they are there forever, even when the Gateway is deleted. This does not seem right, as the reason why someone would use TLSPolicy is to remove any need to manage the certificates or care about their lifecycle.
My proposal is to have Certificates created by TLSPolicy be removed when Gateway or TLSPolicy is removed.
Presumably you mean secrets here? If Certificates aren't being removed then it's a bug.
Re. secret removal: you can configure cert-manager to do this, see https://cert-manager.io/v1.1-docs/usage/certificate/#cleaning-up-secrets-when-certificates-are-deleted
Since TLSPolicy doesn't create the secrets I'm not sure if it should delete them, or take ownership of them. If we did want a per policy/certificate/issuer means of optionally cleaning up secrets it might be better as something we suggest as an improvement to cert manager itself?
Thanks, I will try the option out. Also, yes, I did mean secret; sorry for the confusion.
Regarding the CM option, since we install it as part of OLM install, you cannot really override it permanently (it will get overridden), but since we might be moving to a different installation method we could document how to change it there.
As this is specific to the cert manager, it's the responsibility of the user to configure it correctly.
Well, the cert manager is currently installed and configured by Kuadrant.
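An added example, not part of the original thread and not Kuadrant or cert-manager code: a check for which cert-manager issued Secrets would be left behind, as discussed above. It assumes the objects come from `kubectl get secrets -A -o json` and `kubectl get certificates -A -o json` (the `items` arrays), relies on the `cert-manager.io/certificate-name` annotation that cert-manager sets on issued Secrets, and treats an owner reference to a Certificate (what the `--enable-certificate-owner-ref` controller flag from the linked documentation adds) as meaning the Secret is cleaned up with it. The sample objects and all names in them are constructed.

```python
# Added example: classify cert-manager issued Secrets by cleanup behaviour.
CERT_NAME_ANNOTATION = "cert-manager.io/certificate-name"  # set by cert-manager on issued Secrets

def classify_tls_secrets(secrets, certificates):
    """Map (namespace, secret name) -> "owned" | "unowned" | "orphaned".

    owned:    has an ownerReference to a Certificate, so it is garbage-collected with it
    unowned:  its Certificate exists, but the Secret would outlive the Certificate
    orphaned: the Certificate named in the annotation no longer exists
    """
    live = {(c["metadata"]["namespace"], c["metadata"]["name"]) for c in certificates}
    result = {}
    for secret in secrets:
        meta = secret["metadata"]
        cert_name = (meta.get("annotations") or {}).get(CERT_NAME_ANNOTATION)
        if cert_name is None:
            continue  # not issued by cert-manager
        owned = any(
            ref.get("kind") == "Certificate"
            and ref.get("apiVersion", "").startswith("cert-manager.io/")
            for ref in meta.get("ownerReferences") or []
        )
        if (meta["namespace"], cert_name) not in live:
            status = "orphaned"
        elif owned:
            status = "owned"
        else:
            status = "unowned"
        result[(meta["namespace"], meta["name"])] = status
    return result

# Constructed sample objects (trimmed to the fields used); all names are hypothetical.
CERTS = [{"metadata": {"namespace": "gw", "name": n}} for n in ("api-gw", "web-gw")]
SECRETS = [
    {"metadata": {"namespace": "gw", "name": "api-gw-tls",
                  "annotations": {CERT_NAME_ANNOTATION: "api-gw"}}},
    {"metadata": {"namespace": "gw", "name": "web-gw-tls",
                  "annotations": {CERT_NAME_ANNOTATION: "web-gw"},
                  "ownerReferences": [{"apiVersion": "cert-manager.io/v1",
                                       "kind": "Certificate", "name": "web-gw"}]}},
    {"metadata": {"namespace": "gw", "name": "old-gw-tls",
                  "annotations": {CERT_NAME_ANNOTATION: "old-gw"}}},
    {"metadata": {"namespace": "gw", "name": "app-config"}},
]

if __name__ == "__main__":
    for key, status in sorted(classify_tls_secrets(SECRETS, CERTS).items()):
        print(f"{key[0]}/{key[1]}: {status}")
```

Secrets reported as `orphaned` still hold private key material for a Certificate that no longer exists, and `unowned` ones will end up in the same state once their Certificate is deleted.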