Open kumarBiplab1987 opened 1 year ago
The problem here is the code logic. The operator removes a few entries from the TLS secret and creates an opaque CA secret in other namespaces. But it would have been better if just the ca.crt entry were taken from the TLS secret instead of deleting the other entries and keeping only the ca.crt entry.

```go
// We need the CA certificate only
if currentSecret.Type == corev1.SecretTypeTLS {
	// Downgrade the copied TLS secret to Opaque and strip the leaf cert and key.
	currentSecret.Type = corev1.SecretTypeOpaque
	delete(currentSecret.Data, corev1.TLSCertKey)
	delete(currentSecret.Data, corev1.TLSPrivateKeyKey)
	if err := controllerutil.SetControllerReference(v, &currentSecret, r.scheme); err != nil {
		return fmt.Errorf("failed to set current secret controller reference: %v", err)
	}
} else {
	// Non-TLS secret: drop the server cert/key and CA key from both data fields.
	delete(currentSecret.StringData, "server.crt")
	delete(currentSecret.StringData, "server.key")
	delete(currentSecret.StringData, "ca.key")
	delete(currentSecret.Data, "server.crt")
	delete(currentSecret.Data, "server.key")
	delete(currentSecret.Data, "ca.key")
}
```
Hi @kumarBiplab1987, could you try recreating this issue with the latest releases of Bank-Vaults tools? Let us know if the problem persists so we can resolve this.
The issue still persists with vault operator v1.22.1 and bank-vaults v1.31.0
Describe the bug: We are using cert-manager to manage the certificates of all Vault services in our Kubernetes cluster. When we try to create a namespace for our services, Banzai automatically creates a secret that includes the CA cert in that namespace. That secret carries the cert-manager annotations in its metadata, and the cert-manager CA injector pod complains that the Certificate resource associated with the secret is not present in that namespace.
```
cert-manager/secret-for-certificate-mapper "msg"="unable to fetch certificate that owns the secret" "error"="Certificate.cert-manager.io \"vault\" not found" "certificate"={"Namespace":"infra","Name":"vault"} "secret"={"Namespace":"infra","Name":"vault-tls"}
```
Expected behaviour: When distributing CA certs through the operator, it should not copy the cert-manager annotations into the Vault TLS secrets.
Steps to reproduce the bug:
Additional context: Add any other context about the problem here.
Environment details:
/kind bug
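An allow-list version of the copy this issue asks for, as an added example that is not Bank-Vaults code: it takes only ca.crt from the source secret's data, checks that it is a parseable X.509 certificate before distributing it, and starts from an empty object so neither tls.crt/tls.key nor the source's cert-manager annotations are carried into the target namespace. CASecret and NewTestCAPEM are hypothetical stand-ins so the block runs without k8s.io/api; in the operator the same logic would fill a corev1.Secret.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CASecret stands in for corev1.Secret (hypothetical local type so this runs without k8s.io/api).
type CASecret struct {
	Type        string
	Data        map[string][]byte
	Annotations map[string]string
}

// BuildCASecret returns a fresh Opaque secret holding only ca.crt from the source
// TLS secret. Allow-list copy instead of deleting keys from a clone: tls.crt and
// tls.key cannot leak, and the source's cert-manager annotations are not carried over.
func BuildCASecret(srcData map[string][]byte) (*CASecret, error) {
	caPEM := srcData["ca.crt"]
	block, _ := pem.Decode(caPEM) // nil for a missing, empty or non-PEM entry
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("source secret has no PEM certificate under ca.crt")
	}
	if _, err := x509.ParseCertificate(block.Bytes); err != nil {
		return nil, fmt.Errorf("ca.crt does not parse as X.509: %w", err)
	}
	return &CASecret{
		Type:        "Opaque",
		Data:        map[string][]byte{"ca.crt": append([]byte(nil), caPEM...)},
		Annotations: map[string]string{}, // deliberately empty: no cert-manager.io/* metadata
	}, nil
}

// NewTestCAPEM generates a throwaway self-signed CA (constructed sample input, not a real CA).
func NewTestCAPEM() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```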