redhat-cop / cert-utils-operator

Set of functionalities around certificates packaged in a Kubernetes operator
Apache License 2.0
94 stars, 35 forks

Cert-Manager vs. OpenShift Service serving-cert-secret-name Annotation (1.3.9) #137

Open vinzent opened 2 years ago

vinzent commented 2 years ago

I've configured enableCertManager=true in my helm values.

I discovered the Service cert-utils-operator-controller-manager-metrics-service has the service.alpha.openshift.io/serving-cert-secret-name: cert-utils-operator-certs annotation.

Additionally, the Certificate resource metrics-serving-cert is created, which also points to the secret cert-utils-operator-certs.

Now the openshift service-ca controller and Cert-Manager fight to manage the secret.

vinzent commented 2 years ago

I've got 14'000 CertificateRequest resources. :rocket:

raffaelespazzoli commented 2 years ago

OK, thanks for reporting this. We expect people using OCP to install via OLM and people using other kube distributions to install via Helm. We don't test Helm on OCP. Thanks for the finding.

vinzent commented 2 years ago

Unfortunately, we only have access to Certified and Marketplace operators, but not community operators.

raffaelespazzoli commented 2 years ago

Can you use enableCertManager=false?

vinzent commented 2 years ago

> Can you use enableCertManager=false?

The root cause for using enableCertManager=true was that the deployment references a secret webhook-server-cert which is not created without it (related: https://github.com/redhat-cop/cert-utils-operator/issues/132).

whitelion-github commented 1 year ago

Had the same problem. A major one! It generated so many CertificateRequests that it caused etcd problems (growth and performance) and made some of our clusters crash because openshift-kube-apiserver was overwhelmed.

Need to document Helm installation with OpenShift and add a flag to disable use of the service serving certificate in the Service.

Template: v1_service_cert-utils-operator-controller-manager-metrics-service.yaml. Add a test: if .Values.enableCertManager is true, don't add the annotation to the Service (to use the service serving certificate).
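The guard the last comment asks for, written out as an added example rather than the project's own chart file. It assumes only what the thread names: a `.Values.enableCertManager` flag and the `service.alpha.openshift.io/serving-cert-secret-name` annotation pointing at `cert-utils-operator-certs`. The labels, selector and port below are illustrative placeholders, not copied from the chart. The point is that exactly one controller may own that secret: when cert-manager is enabled, the Certificate resource writes it, so the annotation that would also invite the OpenShift service-ca controller to write it must be left off.

```yaml
# Added example (not the project's template): metrics Service with the
# service-ca annotation emitted only when cert-manager is NOT in charge.
# Assumption: the chart exposes .Values.enableCertManager (named in the thread).
apiVersion: v1
kind: Service
metadata:
  name: cert-utils-operator-controller-manager-metrics-service
  {{- if not .Values.enableCertManager }}
  # Without cert-manager, let the OpenShift service-ca controller populate the
  # secret. With cert-manager enabled this block is omitted, so the secret has
  # a single writer and no CertificateRequest churn.
  annotations:
    service.alpha.openshift.io/serving-cert-secret-name: cert-utils-operator-certs
  {{- end }}
  labels:
    control-plane: controller-manager   # illustrative label, not from the chart
spec:
  selector:
    control-plane: controller-manager   # illustrative selector, not from the chart
  ports:
    - name: https                        # illustrative port, not from the chart
      port: 8443
      targetPort: https
```

To confirm the fix on a cluster that hit this, check that the rendered Service carries no serving-cert annotation when `enableCertManager=true` (`kubectl -n <ns> get service cert-utils-operator-controller-manager-metrics-service -o jsonpath='{.metadata.annotations}'`), and watch the CertificateRequest count stop growing (`kubectl get certificaterequest -A --no-headers | wc -l`, run twice a few minutes apart). Stale CertificateRequests left over from the fight still need to be deleted by hand; cert-manager only garbage-collects the ones it considers superseded.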