Closed dpkirchner closed 3 years ago
It is impossible to update the underlying GCP SslCertificate object; instead, the current one must be deleted and a new one created from scratch. This is what the automation tries to do; however, it can't proceed until the current underlying GCP certificate is released.
Implementing an admission controller that would block updates to ManagedCertificate was considered; however, it would require a significant amount of work, and the decision was not to do it.
Ok, thanks.
Adding a domain to the domains array in a ManagedCertificate object doesn't update the certificate, instead an error is logged (visible in kubectl get events):
My ManagedCertificate object (sans managedFields, etc):
The certificate is indeed in use, however I expected to be able to add a new domain to the certificate. IIRC, this worked a long while back, but I don't remember exactly when (unfortunately).
If this is intended I'd like to request an update to the controller that either rejects the attempt to add a domain to the list or shows the error in the ManagedCertificate status object.
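The rejection requested above, which the maintainers considered as an admission controller but did not build, could look like the following validating-webhook handler. This is an added example, not code from the project: the function names and the sample request are constructed, and the request and response follow the Kubernetes admission.k8s.io/v1 AdmissionReview format.

```python
# Added example (not the project's code): the decision logic of a validating
# admission webhook that rejects UPDATEs changing spec.domains on a
# ManagedCertificate, so the failure surfaces at apply time instead of in events.

def domains_of(obj):
    """Return spec.domains as a sorted list, tolerating missing fields."""
    return sorted((obj or {}).get("spec", {}).get("domains") or [])

def review_managed_certificate(admission_review):
    """Build the AdmissionReview response for one request."""
    req = admission_review["request"]
    response = {"uid": req["uid"], "allowed": True}
    is_update = req.get("operation") == "UPDATE"
    is_mcrt = req.get("kind", {}).get("kind") == "ManagedCertificate"
    if is_update and is_mcrt:
        old, new = domains_of(req.get("oldObject")), domains_of(req.get("object"))
        if old != new:
            added = sorted(set(new) - set(old))
            removed = sorted(set(old) - set(new))
            response["allowed"] = False
            response["status"] = {
                "code": 403,
                "message": "spec.domains cannot be changed in place "
                           f"(added: {added}, removed: {removed}); "
                           "create a new ManagedCertificate instead",
            }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

def sample_request(old_domains, new_domains, labels=None):
    """Constructed AdmissionReview for an UPDATE of a ManagedCertificate."""
    def mcrt(domains, lbls=None):
        return {"apiVersion": "networking.gke.io/v1", "kind": "ManagedCertificate",
                "metadata": {"name": "example-cert", "labels": lbls or {}},
                "spec": {"domains": domains}}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "constructed-uid-0001", "operation": "UPDATE",
                        "kind": {"group": "networking.gke.io", "version": "v1",
                                 "kind": "ManagedCertificate"},
                        "oldObject": mcrt(old_domains),
                        "object": mcrt(new_domains, labels)}}

if __name__ == "__main__":
    review = sample_request(["a.example.com"], ["a.example.com", "b.example.com"])
    print(review_managed_certificate(review)["response"])
```

Updates that leave the domain list unchanged, such as label edits, are still allowed, so the check only blocks the change the controller cannot carry out.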