k8s
request-cert no longer works as of Kubernetes 1.22
As of Kubernetes 1.22, certificates.k8s.io/v1beta1 is no longer being served.
The request-cert container/binary uses the v1beta1 API and will fail to create a CSR in newer Kubernetes clusters:
failed to get certificate: CertificateSigningRequest.Create(%s) failed: the server could not find the requested resource
To mitigate this issue, we'll have to upgrade to certificates.k8s.io/v1 and drop support for Kubernetes < 1.19.
Cockroach docs seem to strongly imply that the project is (correctly) dropping support for this approach, in favor of using something like cert-manager. Updating to 1.22 should also include directions about e.g. how to use cert-manager as the signer for the v1 CSR resource.
Aside: I'm in the process of converting our request-cert process to using vault-agent instead.
@nyarly could you cite the docs that suggest using cert-manager? Our technical writer says there's no reference to cert-manager in our documentation.
We are dropping support for this approach and will be removing this container once we've settled on an acceptable alternative.
Reviewing, I was taking that from the Helm chart, which dropped support for request-cert in favor of cert-manager or a self-signed thing that looked kind of hacky.