
cert-manager: feature gates are not applied to webhook

Open dobesv opened this issue 2 weeks ago • 3 comments

/kind bug

When setting feature gates for cert-manager in the kops configuration, kops adds command line parameters to the cert-manager controller but not to the other components. This means that some feature gates actually do not take full effect. For example, if you enable the feature gate to allow the additionalFormats to be specified, it will be rejected by the webhook because it does not have the feature gate enabled, even though the controller will support the extra formats and issue the certificates.

Also, the feature gates that are accepted by the different components are not necessarily the same, so the logic for adding feature gates has to take into account which feature gates can be safely passed through to which components.

See also:

  • https://github.com/kubernetes/kops/issues/16498#issuecomment-2114292512
  • https://cert-manager.io/docs/installation/configuring-components/#feature-gates
  • https://github.com/cert-manager/cert-manager/blob/master/internal/controller/feature/features.go
  • https://github.com/cert-manager/cert-manager/blob/master/internal/webhook/feature/features.go
  • https://github.com/cert-manager/cert-manager/blob/master/internal/cainjector/feature/features.go

(Cc @hakman, @MTRNord)

dobesv avatar Dec 08 '25 21:12 dobesv
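The per-component filtering the issue asks for, as an added example that is not kops or cert-manager code. The `knownGates` table and the `Example...` gate names are constructed for illustration, and `AdditionalCertificateOutputFormats` is assumed to be the gate behind `additionalFormats`; the real lists are in the `features.go` files linked above.

```go
package main

import (
	"fmt"
	"sort"
)

// knownGates lists, per component, the gates that component's binary accepts.
// Constructed sample data: the real lists live in each component's features.go.
var knownGates = map[string]map[string]bool{
	"controller": {"AdditionalCertificateOutputFormats": true, "ExampleControllerOnlyGate": true},
	"webhook":    {"AdditionalCertificateOutputFormats": true},
	"cainjector": {"ExampleInjectorOnlyGate": true},
}

// FeatureGateArgs returns one --feature-gates value per component, holding only
// the gates that component knows, plus the sorted names no component accepts.
func FeatureGateArgs(gates map[string]bool) (map[string]string, []string) {
	names := make([]string, 0, len(gates))
	for name := range gates {
		names = append(names, name)
	}
	sort.Strings(names) // deterministic flag order keeps rendered manifests stable

	args := map[string]string{}
	var unknown []string
	for _, name := range names {
		accepted := false
		for component, known := range knownGates {
			if known[name] {
				accepted = true
				if args[component] != "" {
					args[component] += ","
				}
				args[component] += fmt.Sprintf("%s=%t", name, gates[name])
			}
		}
		if !accepted {
			unknown = append(unknown, name) // surface typos instead of dropping them silently
		}
	}
	return args, unknown
}

func main() {
	args, unknown := FeatureGateArgs(map[string]bool{
		"AdditionalCertificateOutputFormats": true, "ExampleControllerOnlyGate": false, "Typo": true})
	fmt.Println(args, "rejected:", unknown)
}
```

A component with no matching gates gets no entry in the returned map, so no `--feature-gates` flag needs to be rendered for it.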

Thanks for pointing this out @dobesv.

hakman avatar Dec 09 '25 19:12 hakman

Maybe worth noting that in cert-manager's Helm charts they decided to use separate options for the webhook feature gates instead of trying to use a single feature gate for both. Probably the right way to go with kops as well for simplicity.

dobesv avatar Dec 10 '25 18:12 dobesv

@dobesv I think the main issue regarding cert-manager version has been addressed. Would you like to try and submit a PR for adding the option to set feature gates for the webhook, maybe also for the cainjector?

hakman avatar Dec 14 '25 09:12 hakman