Graduate SecretsFilteredCaching feature gate to beta #6074

Closed
irbekrm opened this issue May 16, 2023 · 9 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@irbekrm
Collaborator

irbekrm commented May 16, 2023

This is a placeholder issue to gather people's feedback on the SecretsFilteredCaching alpha feature.

If you are using the secrets filtered caching and would like it to graduate to beta and eventually be enabled in GA, please add a comment about your usage experience:

  • the size of your cert-manager installation (the number of issuers, certificates etc)
  • issuer types and whether you labelled any issuer secrets with controller.cert-manager.io/fao label
  • the issuance patterns (how many certs/issuers are likely to be created/renewed/updated simultaneously)
  • the number of large cert-manager unrelated Secrets in cluster (i.e. Helm release secrets)
  • whether you've observed memory improvements for cert-manager controller
  • whether you've observed slowdown of issuance

https://github.com/cert-manager/cert-manager/blob/master/design/20221205-memory-management.md
#5824

/kind cleanup

@jetstack-bot jetstack-bot added the kind/feature Categorizes issue or PR as related to a new feature. label May 16, 2023
@jetstack-bot
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 14, 2023
@jetstack-bot
Collaborator

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

@jetstack-bot jetstack-bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Sep 13, 2023
@irbekrm
Collaborator Author

irbekrm commented Sep 13, 2023

/remove-lifecycle stale

@irbekrm
Collaborator Author

irbekrm commented Sep 13, 2023

/remove-lifecycle rotten

@jetstack-bot jetstack-bot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Sep 13, 2023
@antstacks

Customer upgraded to v1.13 to meet some additional requirements, but this change caused some unwarranted renewal of certificates because it was "missing" the label. Is this the intended behavior of this change? Was there a setting to prevent this from automatically renewing certificates?

@inteon
Member

inteon commented Nov 16, 2023

EXTRA INFO: this feature was promoted to Beta in 1.13: #6298

@finnribm

We recently upgraded one of our instances to v1.13.2 and found that it reissued one of our CA certs and one of the certs that it signed, but not 10 others also signed by the CA. This resulted in a bit of a mess due to poor dependency processing on our side.

We tracked down the cause to this issue - nice spec write up by the way. We have several more instances due to be upgraded soon.

Can I simply add the label controller.cert-manager.io/fao to any cert-manager managed secrets that don't have it? Or do I need to add it to any other objects as well?

The spec says "Users will have to ensure that Secrets they create are labelled. We can help them to discover which Secrets that are currently deployed to cluster and need labelling with a cmctl command."

Is that help available yet? Thanks.

@inteon
Member

inteon commented Nov 30, 2023

@finnribm Normally, if you upgrade to a v1.12.x version before upgrading to v1.13, all secrets should be automatically labeled by the cert-manager controller. Alternatively, adding the controller.cert-manager.io/fao label would work too.

IMPORTANT: See #6494 (comment) for more info about this issue and how to prevent it.
Please let us know if that comment does not work for you by leaving a comment there.
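
Added example, not part of the thread and not cert-manager's own tooling: a pre-upgrade audit that reads the JSON produced by `kubectl get secrets -A -o json`, lists Certificate Secrets that lack the `controller.cert-manager.io/fao` label, and renders the `kubectl label` commands for review. It assumes managed Secrets can be recognised by the `cert-manager.io/certificate-name` annotation and that the label value is `true`; the sample Secret list is constructed, and user-created issuer Secrets are not covered.

```python
import json
import shlex

FAO_LABEL = "controller.cert-manager.io/fao"  # label named in this thread
# Assumption: cert-manager puts this annotation on Secrets it manages for Certificates.
CERT_NAME_ANNOTATION = "cert-manager.io/certificate-name"

# Constructed sample in the shape of `kubectl get secrets -A -o json` output.
SAMPLE_SECRET_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "prod", "name": "ca-root-tls",
                      "annotations": {CERT_NAME_ANNOTATION: "ca-root"}}},
        {"metadata": {"namespace": "prod", "name": "api-tls",
                      "annotations": {CERT_NAME_ANNOTATION: "api"},
                      "labels": {FAO_LABEL: "true"}}},
        {"metadata": {"namespace": "prod", "name": "web-tls",
                      "annotations": {CERT_NAME_ANNOTATION: "web"},
                      "labels": {"app": "web"}}},
        {"metadata": {"namespace": "kube-system",
                      "name": "sh.helm.release.v1.ingress.v3",
                      "labels": {"owner": "helm"}}},
    ],
})


def unlabelled_managed_secrets(secret_list_json):
    """Return sorted (namespace, name, certificate) for managed Secrets missing the label."""
    missing = []
    for item in json.loads(secret_list_json).get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        labels = meta.get("labels") or {}
        cert = annotations.get(CERT_NAME_ANNOTATION)
        if cert is None:
            continue  # not a Certificate's Secret (e.g. a Helm release Secret)
        if FAO_LABEL not in labels:
            missing.append((meta.get("namespace", "default"), meta["name"], cert))
    return sorted(missing)


def label_commands(missing):
    """Render one `kubectl label` command per unlabelled Secret (value `true` is assumed)."""
    return ["kubectl label secret -n {} {} {}=true".format(
                shlex.quote(ns), shlex.quote(name), FAO_LABEL)
            for ns, name, _cert in missing]


if __name__ == "__main__":
    for cmd in label_commands(unlabelled_managed_secrets(SAMPLE_SECRET_LIST)):
        print(cmd)
```

Running the audit before the upgrade shows which Certificates are at risk of the reissuance described above, so dependent CA and leaf certificates can be handled together.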

@inteon
Member

inteon commented Feb 12, 2024

EXTRA INFO: this feature was promoted to Beta in 1.13: #6298

@inteon inteon closed this as completed Feb 12, 2024