Comments (4)
Summarising our plan of action from today's call:
Scope
The following relates only to the existing cert-manager GatewayAPI support enabled through ExperimentalGatewayAPISupport
feature flag.
Intent
ExperimentalGatewayAPISupport
is currently alpha status for cert-manager. We will make this a "beta" feature flag.
This means the feature will be "on" by default. This signals our intent that what we have right now, is ready for mainstream usage and we are actively looking for feedback from the wider community before graduating to GA. Full definition from website:
Beta: feature is almost stable but might still change in the future. Beta features are enabled by default and can be disabled by the user (if any issues are encountered).
Issue(s)
GatewayAPI CRDs Not Found
Moving this feature to "on" by default would be problematic for many cert-manager users who do not have the relevant CRDs installed in their environment. This is unique as other feature flagged code generally does not require third part Custom Resource Definitions (CRDs). For this reason we will implement a new configuration options / command line parameter, that you must set in order to enable cert-manager to work on Gateway
resources.
We decided against being clever and "detecting" the Gateway CRDs as this would introduce the need to watch and reconcile the presence or absence of those CRDs over time, and potentially introduce many more issues trying to resolve what was present or not at any given time.
It seems most sensible to enable this support when you are confident those CRDs are present in your cluster. You can resolve dependency order using your installation tool(s) of choice, just as you would for anything else.
User Experience
- Those who do not currently use GatewayAPI. No change. It will be off by default.
- Those who do use GatewayAPI currently. Will need to set a new config parameter.
- Those who do not currently use GatewayAPI but enable it in the future, AND set all helm values explicitly. Set new parameter and ensure to update
ExperimentalGatewayAPISupport
option totrue
when upgrading cert-manager, if this is currently set tofalse
Timeline
We aim to include this change in v1.15 of cert-manager.
Potential Future Timeline
We will assess how this goes in 1.15 as a beta feature. We will look to making this core / GA in cert-manager in later versions.
Enhanced features around GatewayAPI
For expanded or new features relating to GatewayAPI we will continue to assess them on a case by case basis, just like any new feature enhancement.
If it proves to be a big / risky change, new functionality may go behind another feature flag in the future.
Smaller changes may just be implemented in regular release cadence.
Feedback / Questions
We will give a summary of this discussion on the next cert-manager bi-weekly call, Thursday 18th April 2024. That call will be recorded for anyone interested.
If you have q's or concerns or want to help drive this feature set, please join that call or feedback on this thread. Or of course, join us in slack.
from cert-manager.
I would like to add another option for transitioning into out-of-the-box support of Gateway APIs; dynamic reconfiguration.
Instead of - or maybe in addition to - controlling Gateway API support through feature gates, cert-manager's components could inspect the available APIs via the discovery client. If gateway.networking.k8s.io
is present, then support it but let explicit user configuration take precedence.
In theory it's simple. cert-manager supports Gateway APIs when they are present, otherwise not. But in practise it's complicated. Is gateway.networking.k8s.io
installed after or before cert-manager? Worse, maybe it's installed while cert-manager rolls out and some of its components see it at start-up others don't. Maybe components continuously look for gateway.networking.k8s.io
and restart themselves when it appears. Yuck!
One of cert-manager's superpowers is its stability. This approach may joepardize it.
I am only reluctantly suggesting this because reconfiguration at runtime has many perils, but it might be worth considering on the path to a world paved with gateways.
from cert-manager.
x-posting key-points from the related Slack 🧵
The docs say there’s limited testing:
🚧 cert-manager 1.14+ is tested with v1 Kubernetes Gateway API. It should also work with v1beta1 because of resource conversion, but has not been tested with it.
When the feature is toggled the controller won’t start unless the Gateway APIs are present.
from cert-manager.
A little feedback from the bi-weekly call yesterday. We have not set a date for 1.15 cert-manager because we want to discuss whether GA for GatewayAPI support is part of that release. There was also a related discussion on release cadence, for another thread.
There will be an open discussion on what GA for GatewayAPI looks like for cert-manager. I'll follow up next week once this is pencilled in. Please make it known if you'd like to be part of that discussion.
One idea I proposed is that we:
- Make what we have now GA.
- Remove the feature flag / add feature flag / do something around the CRDs not being present in clusters.
- Look at a new, "better named" feature flag to have more support around different Route resources, which I think is described more here: https://github.com/cert-manager/cert-manager/blob/master/design/20230601.gateway-route-hostnames.md. Looks like someone has some work around this already here: master...tommie:cert-manager:httproute
from cert-manager.
Related Issues (20)
- cainjector shows usages and non json output, if error appears HOT 3
- jks keystore in secret is removed when a secret is referenced by multiple certificates HOT 5
- Expose metrics for webhook and ca-injector
- When using a keystore.p12, we need to be able to specify the name for the alias HOT 1
- cert-manager-cainjector is looking for ca secret in wrong namespace? HOT 2
- Error nil pointer evaluating interface {}.enabled on Helm chart upgrade to 1.15.0 HOT 5
- Custom keystore filename when onboarding certificate. HOT 1
- nameOverride and fullnameOverride are missing from helm values.yaml HOT 1
- [Helm] add failurePolicy configuration to values.yaml HOT 2
- cert-manager randomly crashes with leader election lost HOT 2
- Challenge getting 404 instead of 200
- Job label in Helm chart of cert-manager shouldn't be templated from chart name HOT 2
- cert manager controller pod showing unknown flag: --cluster-resource-namespace HOT 3
- Support monitoring Traefik IngressRoutes (CRDs) HOT 2
- CRDs not being installed since v1.15.0 HOT 5
- Vault issuer should retry on volatile errors HOT 3
- Add global image repository value to helm values to facilitate private repo and eiliminate need to maintain individual repo image paths
- Route53 Provider Assume Role Error - Missing Region HOT 5
- UI Toolings to help user create and manage certificates
- ClusterIssuer with vault auth and serviceAccountRef Error initializing issuer HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cert-manager.