New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support adding custom annotations to generated secret #2576
Comments
There was some discussion on this previously here: #566 It's not something that we're working at the moment or see as a priority as there are known workarounds for it already, and it'll require special handling for e.g. what if the values have changed/are out of sync. For your use-case (kubed), can you match on one of the existing labels/annotations we already add to Secret resources? |
I've hit this issue a few times myself. We haven't found a solution. We would like to setup our tenant-namespace chart https://hub.helm.sh/charts/pnnl-miscscripts/tenant-namespace to automatically create letsencrypt based wildcard certs for each tenant created. The way we're doing this is to have two namespaces: Do we think it would be a hard feature to add? Is there any opposition to adding the feature, or just lack of hands? Thanks, |
The specific issue/concerns are around:
(1) is probably the harder of these problems to solve - trivially we could have
The questions above are pretty much it :) I don't think this would be particularly tough, aside from the need for updating documentation, writing tests etc. We are also going to be undertaking some ~fairly significant refactoring in the Certificates controller for this release (tracked here: #2691) - this should not impact the feature too much, but worth noting :) /help-wanted |
spec.secretTemplate.metadata.annotations and spec.secretTemplate.metadata.labels would allow for the things we need to be done right now, while leaving room for doing all sorts of things in the future. So sounds good to me.
|
I think the Secret should always reflect its associated Certificate, because the Certificate declares its desired configuration. So these fields should be overwritten in the Secret and should get overwritten again when they are changed behind cert-manager's back. Any extra annotations or data should be left alone, but I think that is already the case (in my ArgoCD setup I noticed cert-manager actually added its TLS data to an existing Secret becaue I used the same name, but did not touch the existing fields). I can't think of a use case where you would expect to keep your changes if you change things by yourself while a k8s operator is actively managing it.
I'd say by annotating the Certificate. Default to false (opt-in) for backward compatibility. The https://github.com/emberstack/kubernetes-reflector project actually does this by looking for its own annotations on a Certificate which will then be copied to a Secret (but I feel this creates an unnecessary inter-project dependency on your API, and would therefore be better style if the cert-manager project itself would handle this on its own CRD). |
What about a kubectl apply style? 3-way merge a copy of the annotations/labels applied by cert-manager is saved in an annotation at the time of application. If the CR is changed, it can compare the annotations/labels in the CR vs the ones that it previously applied. That can allow it to delete annotations/labels that were removed from the CR that were previously managed. It also can ignore annotations/labels added by the user directly to the secret without ever being in the CR. |
Any updates for this? Still a problem for us. |
I also need this. Is there a bounty for it? |
Any objections to adding Just digging through the code real quick, it does not look like it would be very hard to add the functionality? Is it just need to be added here? : |
We also need this for kubed, it makes it really cumbersome to distribute a secret around namespaces if you can't even annotate it. |
@onmyflow We moved from Kubed to https://github.com/emberstack/kubernetes-reflector for this very reason. |
Thanks for the suggestion! I'll try to switch to reflector since all we use kubed for, is to sync secrets anyway. |
Yeah, this looks very promising. Thanks. |
I continue to use Kubed because kubernetes-reflector is not a full replacement; it does not allow syncing between clusters, nor is it possible to create a dummy mirror Secret without valid This feature requirement remains open on cert-manager for me. I'm willing to implement it or potentially fund its implementation, but need @munnerz to acknowledge the suggestion from @kfox1111 before investing time in something that might be rejected. |
For me too +1 |
@munnerz what do you think? |
Do we have an update on this ticket? |
please @michaelgeorgeattard @kfox1111 @leshibily check if the above PR would cover your needs |
Is it possible for |
|
@Kab1r @rikirolly I've created a PR to allow setting |
Is there support for adding custom annotations to generated secret for syncing using kubed or similar?
If not, is this feature in the pipeline?
The text was updated successfully, but these errors were encountered: