Ingress labels copied to certificate, causing issues with applysets #6473

Open
kwohlfahrt opened this issue Nov 10, 2023 · 4 comments · May be fixed by #6576
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@kwohlfahrt

Describe the bug:

I have an ingress for which I am provisioning certificates, with these annotations:

    annotations:
      cert-manager.io/cluster-issuer: staging
      cert-manager.io/private-key-algorithm: ECDSA

The problem is that my certificate ends up with these labels applied to it, which seem to be copied from the ingress resource:

    labels:
      app: keycloak
      applyset.kubernetes.io/part-of: applyset-hKKbb7RbYuU0FpW0aj6J1V02xlxKvG_l7wjuo6REa0U-v1

These copied labels are causing problems because kubectl --prune wants to delete my certificate due to the applyset.kubernetes.io/part-of label. This behaviour doesn't seem to be documented anywhere, and from a Slack discussion seems to be a bug.

Expected behaviour:

I expect the certificate to be created without any labels. If this is not possible for backwards-compatibility reasons, I would like to be able to deny-list certain labels (specifically applyset.kubernetes.io/part-of in my case).

Steps to reproduce the bug:

  1. Install cert-manager with the default static manifests
  2. Create the following ingress resource:

      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: keycloak
        namespace: keycloak
        labels:
          app: keycloak
        annotations:
          cert-manager.io/cluster-issuer: staging
          cert-manager.io/private-key-algorithm: ECDSA
      spec:
        ingressClassName: external
        tls:
          - hosts: ["example.com"]
            secretName: keycloak-tls
        rules:
          # host belongs on the rule itself, next to http, not inside it
          - host: "example.com"
            http:
              paths:
                - path: /
                  pathType: Prefix
                  backend: { service: { name: keycloak, port: { name: http } } }

  3. Observe that the created Certificate has the same labels as the ingress.

Anything else we need to know?:

From the Slack thread:

Environment details:

  • Kubernetes version: 1.28.2
  • cert-manager version: 1.13.2
  • Install method: static manifests

/kind bug

@jetstack-bot jetstack-bot added the kind/bug Categorizes issue or PR as related to a bug. label Nov 10, 2023
@kwohlfahrt
Author

kwohlfahrt commented Nov 10, 2023

In terms of possible solutions, just removing the label copying looks straightforward. If we need to keep this behaviour for backwards-compatibility, I could probably manage a PR to either:

  1. --copy-source-labels=true, which when set to false, doesn't copy any labels
  2. --skip-source-labels, which when set to a comma-separated list of strings will omit those labels on the certificate

Both would solve my issue. I can see the usefulness of applying ingress labels to a certificate, because if the ingress has the label app: foo, then the certificate would also belong to the same app.
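
The two options proposed in the comment above, sketched as an added example (not cert-manager's code and not part of the original comment). `--copy-source-labels` and `--skip-source-labels` are the commenter's proposed flag names, not existing cert-manager flags, and `parseSkipList` and `certificateLabels` are hypothetical helpers; skip entries are assumed to match label keys exactly.

```go
package main

import (
	"fmt"
	"strings"
)

// parseSkipList parses the comma-separated value of the proposed
// --skip-source-labels flag into a set of label keys, ignoring blanks.
func parseSkipList(flagValue string) map[string]struct{} {
	skip := make(map[string]struct{})
	for _, key := range strings.Split(flagValue, ",") {
		if key = strings.TrimSpace(key); key != "" {
			skip[key] = struct{}{}
		}
	}
	return skip
}

// certificateLabels returns the labels to put on a Certificate generated from
// an Ingress. copySource=false models --copy-source-labels=false. The source
// map is not mutated; nil means the Certificate gets no labels at all.
func certificateLabels(source map[string]string, copySource bool, skip map[string]struct{}) map[string]string {
	if !copySource {
		return nil
	}
	out := make(map[string]string, len(source))
	for k, v := range source {
		if _, denied := skip[k]; !denied {
			out[k] = v
		}
	}
	if len(out) == 0 {
		return nil
	}
	return out
}

func main() {
	// Labels the issue reports being copied from the Ingress.
	ingress := map[string]string{
		"app":                            "keycloak",
		"applyset.kubernetes.io/part-of": "applyset-hKKbb7RbYuU0FpW0aj6J1V02xlxKvG_l7wjuo6REa0U-v1",
	}
	skip := parseSkipList("applyset.kubernetes.io/part-of")
	fmt.Println(certificateLabels(ingress, true, skip))
	fmt.Println(certificateLabels(ingress, false, nil))
}
```

With the skip list set, the Certificate keeps `app: keycloak` but no longer carries the applyset membership label that makes `kubectl --prune` treat it as part of the set.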

@jetstack-bot
Collaborator

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

@jetstack-bot jetstack-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 8, 2024
@kwohlfahrt
Author

/remove-lifecycle stale

@jetstack-bot jetstack-bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 11, 2024
@cert-manager-bot
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

@cert-manager-prow cert-manager-prow bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 11, 2024