redhat-cop / cert-utils-operator

Set of functionalities around certificates packaged in a Kubernetes operator
Apache License 2.0

Generate keystore.jks on OpenShift serving-cert secrets #114

Closed vinzent closed 2 years ago

vinzent commented 2 years ago

Some Java apps here want to use the OpenShift service serving cert feature. We already use the cert-utils-operator for secret to OpenShift route injection.

A service annotated with service.beta.openshift.io/serving-cert-secret-name: <secret name> will produce a <secret name> secret with tls.key + tls.crt and type kubernetes.io/tls. I annotated this secret with cert-utils-operator.redhat-cop.io/generate-java-keystores: "true". Unfortunately nothing happens. The cert-utils-operator container doesn't show anything helpful in the logs.

I discovered that the OpenShift generated Secret has an ownerReference section pointing to the service with the service.beta.openshift.io/serving-cert-secret-name annotation. Once I remove it, the keystore.jks will be injected by the cert-utils-operator. I suspect the operator-sdk is refusing to update this resource with some other "owner".

raffaelespazzoli commented 2 years ago

I believe that the problem you are seeing is that the service-cert operator overwrites the cert-utils operator. The problem is not the fact that the secret resource has an owner.

On Thu, Feb 10, 2022 at 10:33 AM Thomas Mueller @.***> wrote:


-- ciao/bye Raffaele

vinzent commented 2 years ago

Yes, that's just what I figured out now too. The service-ca operator is reverting the addition.

So, definitely no cert-utils issue. Closing. :)
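A quick way to recognise this situation before filing an issue is to inspect the secret itself: if it carries the `generate-java-keystores` annotation but no `keystore.jks`, and its `ownerReferences` point at a Service, it is a service-ca managed serving-cert secret and the service-ca operator will revert keys added by other controllers, as the thread concludes. The following diagnostic is an added example, not code from cert-utils-operator; the sample secret is constructed and the `diagnose_keystore_secret` function name is my own.

```python
import json
import sys

# Annotation and data-key names discussed in this issue.
KEYSTORE_ANNOTATION = "cert-utils-operator.redhat-cop.io/generate-java-keystores"
KEYSTORE_KEY = "keystore.jks"


def diagnose_keystore_secret(secret: dict) -> list[str]:
    """Return findings that explain why cert-utils-operator may not
    (persistently) add keystore.jks to the given Secret (as a dict
    parsed from `oc get secret NAME -o json`)."""
    findings = []
    meta = secret.get("metadata") or {}
    annotations = meta.get("annotations") or {}
    data = secret.get("data") or {}

    if secret.get("type") != "kubernetes.io/tls":
        findings.append("secret type is not kubernetes.io/tls")
    if annotations.get(KEYSTORE_ANNOTATION) != "true":
        findings.append(f'annotation {KEYSTORE_ANNOTATION} is not "true"')
    if KEYSTORE_KEY in data:
        findings.append(f"{KEYSTORE_KEY} is already present")

    # A serving-cert secret created by the service-ca operator is owned by
    # its Service; service-ca reconciles the secret and drops extra keys.
    owners = [o.get("name", "?") for o in meta.get("ownerReferences") or []
              if o.get("kind") == "Service"]
    if owners:
        findings.append(
            "owned by Service " + ", ".join(owners)
            + ": managed by the service-ca operator, which reverts "
            + f"{KEYSTORE_KEY} added by cert-utils-operator")
    return findings


# Constructed sample resembling the serving-cert secret from the report.
SERVING_CERT_SECRET = json.loads("""{
  "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
  "metadata": {"name": "my-app-tls",
    "annotations": {"cert-utils-operator.redhat-cop.io/generate-java-keystores": "true"},
    "ownerReferences": [{"apiVersion": "v1", "kind": "Service", "name": "my-app"}]},
  "data": {"tls.crt": "PLACEHOLDER", "tls.key": "PLACEHOLDER"}
}""")

if __name__ == "__main__":
    # Usage: oc get secret NAME -o json | python3 diag.py
    src = json.load(sys.stdin) if not sys.stdin.isatty() else SERVING_CERT_SECRET
    for line in diagnose_keystore_secret(src) or ["no blocker found"]:
        print(line)
```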