cert-manager / trust-manager

trust-manager is an operator for distributing trust bundles across a Kubernetes cluster.
https://cert-manager.io/docs/projects/trust-manager/
Apache License 2.0

Bundle is continuously synced when PKCS12 is enabled #259

Closed bmhughes closed 7 months ago

bmhughes commented 8 months ago

When the PKCS12 additional format is enabled, trust-manager is continuously syncing the ConfigMaps and ultimately filling up etcd with old versions; compacting and defragging etcd results in it filling back up to several GB in size within 15 minutes or so.

There is nothing in the logs to suggest why (even with the logging level set to 5), and the logs indicate a successful sync, but it fires a sync every second or so and stops as soon as I remove the PKCS12 format from the Bundle. Not happening with JKS.

K8s 1.27.7 - RKE2
trust-manager 0.7.0 - Installed from Helm

erikgb commented 8 months ago

@bmhughes, thanks for registering this issue. I am taking a look.

/assign

mnlipp commented 7 months ago

I can confirm this. Eventually broke my (testing) cluster.

k3s v1.28.3+k3s2 (bbafb86e)
trust-manager 0.7.0 - Installed from Helm