serving icon indicating copy to clipboard operation
serving copied to clipboard

Published 20 hours ago verified publisher icon knative

Propagate the status when a Knative Certificate fails to be created

Open gabo1208 opened this issue 1 year ago • 8 comments

/area networking /kind good-first-issue

Describe the feature

We need to have the required lifecycle methods to know when a Knative Certificate creation have failed. Right now we just have the Ready condition and in the status we haven't implemented all the commented conditions that allows to check if the Cert has failed or is just not ready (https://github.com/knative/networking/blob/main/pkg/apis/networking/v1alpha1/certificate_types.go#L94)

This feature is related to: https://github.com/knative/networking/issues/875

gabo1208 avatar Oct 17 '23 09:10 gabo1208

/assign

xiangpingjiang avatar Oct 17 '23 10:10 xiangpingjiang

hello @gabo1208 Is there any docs to show how to use the Knative Certificate crd ?

xiangpingjiang avatar Nov 14 '23 12:11 xiangpingjiang

Hey @xiangpingjiang they are an internal CR to bridge between Serving and an issuer (like net-certmanager). You should get those certificates if you enable the external-domain-tls feature and install cert-manager, net-certmanager (docs: https://knative.dev/docs/serving/encryption/enabling-automatic-tls-certificate-provisioning/ )

ReToCode avatar Nov 14 '23 12:11 ReToCode

Hey @xiangpingjiang I read your question wrong, thought you were asking for docs on how it works, thanks @ReToCode for answering correctly

old answer still applies to what I understood hehe: but a clue is always check the reconciler, specifically the file that has the resource name: https://github.com/knative/networking/blob/main/pkg/certificates/reconciler/certificates.go

There you can see the creation flow of a certificate, and probably there you can modify its behavior to bubble up underlying resources' status.

Also, feel free to ping me over slack to discuss anything :)!

gabo1208 avatar Nov 14 '23 12:11 gabo1208

Hi @gabo1208 , do you means that we should add more conditions such as Succeeded and put the failure detail into this condition when create failed ?

ckcd avatar Feb 18 '24 08:02 ckcd

/assign

ckcd avatar Feb 18 '24 09:02 ckcd

Sorry the delay @ckcd I also mean that in some point if a certificate is failing we could bubble down to the routes an error that says (certificate is failing)

Also a timeout for it to work

the ´add IsFailed´ PR is a good start, but when a certificate fails and you have to check if it's a certificates fault right now is not user friendly (or obvious) to the en user

gabo1208 avatar Feb 20 '24 10:02 gabo1208

@gabo1208 Thanks for your reply! Next I will try to enhance the status propagate when a certificate fails.

ckcd avatar Feb 22 '24 01:02 ckcd