Open vinzent opened 2 years ago
I've got 14'000 CertificateRequest resources. :rocket:
OK, thanks for reporting this. We expect people using OCP to install via OLM and people using other kube distributions to install via helm. We don't test helm on OCP. Thanks for the finding.
Unfortunately, we only have access to Certified and Marketplace operators, but not community operators.
Can you use `enableCertManager=false`?
The root cause for using `enableCertManager=true` was that the deployment references a secret `webhook-server-cert` which is not created without (related: https://github.com/redhat-cop/cert-utils-operator/issues/132)
Had the same problem. A major one! It has generated so many CertificateRequests that it caused etcd problems (growth and performance) and made some of our clusters crash because openshift-kube-apiserver was overwhelmed.
Need to document helm installation with OpenShift and set a flag to disable use of the service serving certificate in the service.
Template: `v1_service_cert-utils-operator-controller-manager-metrics-service.yaml`. Add a test: if `.Values.enableCertManager` is true, don't add the annotation to the service (to use the service serving certificate).
I've configured `enableCertManager=true` in my helm values.

I discovered the Service `cert-utils-operator-controller-manager-metrics-service` has the `service.alpha.openshift.io/serving-cert-secret-name: cert-utils-operator-certs` annotation, and additionally the Certificate resource `metrics-serving-cert` is created which also points to the secret `cert-utils-operator-certs`.

Now the OpenShift service-ca controller and Cert-Manager fight to manage the secret.
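
Added example, not part of the thread or of the project's code: a check that finds Secrets claimed by both a service-ca serving-cert annotation on a Service and a cert-manager Certificate in the same namespace, which is the conflict described above. It takes the parsed `items` of `kubectl get services,certificates -A -o json`; the sample objects and the namespace are constructed, and the `service.beta` annotation key is included as an assumption beyond what the thread mentions.

```python
from collections import defaultdict

# Annotation from the issue, plus the beta form OpenShift 4 also accepts.
SERVING_CERT_ANNOTATIONS = (
    "service.alpha.openshift.io/serving-cert-secret-name",
    "service.beta.openshift.io/serving-cert-secret-name",
)


def find_contested_secrets(objects):
    """Return sorted (namespace, secret, service, certificate) tuples for every
    Secret targeted by both a Service annotation and a cert-manager Certificate."""
    by_service = defaultdict(list)  # (namespace, secret) -> Service names
    by_cert = defaultdict(list)     # (namespace, secret) -> Certificate names
    for obj in objects:
        meta = obj.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "")
        if obj.get("kind") == "Service":
            annotations = meta.get("annotations") or {}
            for key in SERVING_CERT_ANNOTATIONS:
                if annotations.get(key):
                    by_service[(ns, annotations[key])].append(name)
        elif (obj.get("kind") == "Certificate"
              and obj.get("apiVersion", "").startswith("cert-manager.io/")):
            secret = (obj.get("spec") or {}).get("secretName")
            if secret:
                by_cert[(ns, secret)].append(name)
    return sorted(
        (ns, secret, svc, cert)
        for (ns, secret), services in by_service.items()
        for svc in services
        for cert in by_cert.get((ns, secret), [])
    )


# Constructed sample mirroring the objects named in the issue.
NS = "cert-utils-operator"  # assumed namespace, not stated in the thread
SAMPLE = [
    {"kind": "Service", "apiVersion": "v1", "metadata": {
        "name": "cert-utils-operator-controller-manager-metrics-service", "namespace": NS,
        "annotations": {SERVING_CERT_ANNOTATIONS[0]: "cert-utils-operator-certs"}}},
    {"kind": "Certificate", "apiVersion": "cert-manager.io/v1",
     "metadata": {"name": "metrics-serving-cert", "namespace": NS},
     "spec": {"secretName": "cert-utils-operator-certs"}},
]

if __name__ == "__main__":
    for ns, secret, svc, cert in find_contested_secrets(SAMPLE):
        print(f"{ns}/{secret}: Service {svc} (service-ca) vs Certificate {cert} (cert-manager)")
```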