solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy
https://docs.solo.io/
Apache License 2.0

The "gateway-validation-cert" not cleaned up after uninstalling a helm release #6212

Open rinormaloku opened 2 years ago

rinormaloku commented 2 years ago

Gloo Edge Version

1.11.x (beta)

Kubernetes Version

No response

Describe the bug

After uninstalling the helm release, the secret gateway-validation-cert is not cleaned up.

Steps to reproduce the bug

```shell
kubectl create ns gloo-system
helm install gloo glooe/gloo-ee --namespace gloo-system --version 1.10.15 --set-string license_key=$LICENSE_KEY_EDGE

## Wait

helm uninstall gloo -n gloo-system
```

Now query the secrets:

```shell
kubectl get secrets -n gloo-system

NAME                       TYPE                                  DATA   AGE
certgen-token-8pj9s        kubernetes.io/service-account-token   3      5m46s
default-token-9hxt6        kubernetes.io/service-account-token   3      14m
gateway-validation-certs   kubernetes.io/tls
```

Expected Behavior

Expected result: The gateway-validation-certs secret is cleaned up.

Additional Context

Actual result: It is not.

Why might this be important?

A client of ours reported that this is causing issues when the CA changes and the secret needs to be manually removed:

```
Error: Internal error occurred: failed calling webhook "gateway.gloo-system.svc": Post "https://gateway.gloo-system.svc:443/validation?timeout=10s": x509: certificate signed by unknown authority
```

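An added example, not part of the original issue or the Gloo code base: a check that reports when a leftover `gateway-validation-certs` secret no longer matches the CA the API server trusts for the webhook, which is the condition behind the `x509: certificate signed by unknown authority` error above. It assumes the secret keeps its issuing CA under `ca.crt` and that the webhook configuration's standard `clientConfig.caBundle` field holds the trusted CA; the sample objects and helper names are constructed.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(b64_pem):
    """SHA-256 of every PEM certificate body in a base64-encoded Kubernetes field."""
    pem = base64.b64decode(b64_pem or "")
    return {hashlib.sha256(b"".join(body.split())).hexdigest()
            for body in PEM_RE.findall(pem)}


def mismatched_webhooks(secret, webhook_cfg):
    """Names of webhooks whose caBundle lacks the CA stored in the serving secret."""
    # Assumption: the secret keeps its issuing CA under the "ca.crt" key.
    serving_ca = cert_fingerprints(secret.get("data", {}).get("ca.crt"))
    if not serving_ca:
        raise ValueError("secret carries no CA certificate under ca.crt")
    stale = []
    for hook in webhook_cfg.get("webhooks", []):
        bundle = hook.get("clientConfig", {}).get("caBundle")
        # A bundle may hold several CAs; the secret's CA must be among them.
        if not serving_ca <= cert_fingerprints(bundle):
            stale.append(hook["name"])
    return stale


def pem_field(*bodies):
    """Build a base64 PEM field from constructed certificate bodies."""
    pem = b"".join(b"-----BEGIN CERTIFICATE-----\n" + b +
                   b"\n-----END CERTIFICATE-----\n" for b in bodies)
    return base64.b64encode(pem).decode()


# Constructed sample objects (placeholder bodies, not real certificates).
OLD_CA, NEW_CA = b"Q09OU1RSVUNURUQtT0xE", b"Q09OU1RSVUNURUQtTkVX"
STALE_SECRET = {"metadata": {"name": "gateway-validation-certs"},
                "type": "kubernetes.io/tls", "data": {"ca.crt": pem_field(OLD_CA)}}
REINSTALLED = {"webhooks": [{"name": "gateway.gloo-system.svc",
                             "clientConfig": {"caBundle": pem_field(NEW_CA)}}]}
ROTATING = {"webhooks": [{"name": "gateway.gloo-system.svc",
                          "clientConfig": {"caBundle": pem_field(NEW_CA, OLD_CA)}}]}

if __name__ == "__main__":
    print(mismatched_webhooks(STALE_SECRET, REINSTALLED))  # stale secret vs new CA
    print(mismatched_webhooks(STALE_SECRET, ROTATING))     # bundle still trusts old CA
```

On a live cluster the two inputs would be the parsed output of `kubectl get secret gateway-validation-certs -n gloo-system -o json` and `kubectl get validatingwebhookconfiguration <name> -o json`, where `<name>` is a placeholder for the webhook configuration installed by the chart.
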
Azahorscak commented 1 year ago

I see the same behavior on enterprise chart v1.14.6.

github-actions[bot] commented 4 months ago

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.