Open asauber opened 1 year ago
that's interesting. cc @gandro to get some clarification in terms of who owns these resources 👀
Hm. Very good question. I would say that the resources are owned by certgen. The problem is that it does not have a cleanup functionality.
That means that if we want `helm uninstall` to remove those resources, we probably would want to have `helm uninstall` (maybe via some hook magic?) invoke a (to be written) `certgen uninstall` job?
I'd also be fine with `helm uninstall` just somehow deleting those resources directly (if that's even possible with Helm). But that does have the downside that we would have to synchronize the logic between what certgen creates and what helm deletes.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
When using `cilium clustermesh enable`, `cilium install`, or `cilium upgrade` in Helm mode, it's possible to specify `cronJob` as the TLS mode (a.k.a. `certgen`). This indirectly causes secrets to be created which are not owned by Helm.

If later `cilium uninstall` is used against the same cluster, those secrets are not removed.

Later still, if `cilium upgrade` is used with a different TLS mode, then Helm will bail entirely with:

cc @michi-covalent
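
To find the leftovers this issue describes before the next upgrade, the following added example (not code from this thread or from the Cilium project) lists Secrets in a namespace that lack the ownership metadata Helm 3 expects on objects belonging to a release. The release name `cilium`, the namespace `kube-system` and every secret name in the sample are assumptions constructed for illustration.

```python
# Metadata Helm 3 expects on an existing object before treating it as part of a release.
MANAGED_BY_LABEL = "app.kubernetes.io/managed-by"
RELEASE_NAME_ANNOTATION = "meta.helm.sh/release-name"
RELEASE_NAMESPACE_ANNOTATION = "meta.helm.sh/release-namespace"


def ownership_problems(obj, release, namespace):
    """Return the reasons Helm would not consider obj owned by the given release."""
    meta = obj.get("metadata", {})
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    wanted = [
        ("label", MANAGED_BY_LABEL, labels.get(MANAGED_BY_LABEL), "Helm"),
        ("annotation", RELEASE_NAME_ANNOTATION, annotations.get(RELEASE_NAME_ANNOTATION), release),
        ("annotation", RELEASE_NAMESPACE_ANNOTATION, annotations.get(RELEASE_NAMESPACE_ANNOTATION), namespace),
    ]
    problems = []
    for kind, key, actual, expected in wanted:
        if actual is None:
            problems.append(f"{kind} {key} missing")
        elif actual != expected:
            problems.append(f"{kind} {key} is {actual!r}, expected {expected!r}")
    return problems


def unowned_secrets(secret_list, release, namespace):
    """Map secret name -> problems for each Secret in namespace that Helm does not own."""
    report = {}
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        if item.get("kind") != "Secret" or meta.get("namespace") != namespace:
            continue
        problems = ownership_problems(item, release, namespace)
        if problems:
            report[meta["name"]] = problems
    return report


def _secret(name, labels=None, annotations=None):
    # Builds a constructed item shaped like `kubectl get secrets -o json` output.
    return {"kind": "Secret", "metadata": {"name": name, "namespace": "kube-system",
            "labels": labels or {}, "annotations": annotations or {}}}


_HELM = {MANAGED_BY_LABEL: "Helm"}
SAMPLE = {"items": [  # constructed sample data, hypothetical names
    _secret("example-helm-owned-cert", _HELM,
            {RELEASE_NAME_ANNOTATION: "cilium", RELEASE_NAMESPACE_ANNOTATION: "kube-system"}),
    _secret("example-certgen-cert"),  # created outside Helm: no ownership metadata
    _secret("example-other-release-cert", _HELM,
            {RELEASE_NAME_ANNOTATION: "other", RELEASE_NAMESPACE_ANNOTATION: "kube-system"}),
]}

if __name__ == "__main__":
    for name, problems in unowned_secrets(SAMPLE, "cilium", "kube-system").items():
        print(name, "->", "; ".join(problems))
```

The report is a list of candidates only: any Secret not created by the release shows up, including ones unrelated to certgen, so review each name before deleting anything.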