
[Bug]: would like to disable cert-manager, but I still check Cert when starting the service #492

Open
shicli opened this issue Jul 28, 2023 · 3 comments
Labels
bug Something isn't working

Comments


shicli commented Jul 28, 2023

What happened?

I am deploying jaeger-operator 1.47.0 through helm-charts 1.46.0 and would like to disable cert-manager, as we have our own TLS service. I disabled it in the values, but the service still checks for the cert when starting. May I know how to handle this?

Disable webhooks and certificates via values.yaml

```yaml
certs:
  issuer:
    create: false
    name: ""
  certificate:
    create: false
    namespace: ""
    secretName: ""
    issuerKind: Issuer

webhooks:
  mutatingWebhook:
    create: false
  validatingWebhook:
    create: false
    port: 9443
  service:
    annotations: {}
    create: false
    name: ""
```

Expected behavior

I disabled it in the values, but the service still checks for the cert when starting. May I know how to handle this?

Relevant log output

```text
  Warning  FailedMount  50s (x10 over 5m)    kubelet            MountVolume.SetUp failed for volume "cert" : secret "jaeger-operator-service-cert" not found
  Warning  FailedMount  42s (x2 over 2m57s)  kubelet            Unable to attach or mount volumes: unmounted volumes=[cert], unattached volumes=[cert kube-api-access-7bkf8]: timed out waiting for the condition
```

Version (please complete the following information):

helm-charts 1.46.0
jaeger-operator 1.47.0
Kubernetes v1.23
Linux

```bash
helm install jaeger jaeger-operator -n observability
```

shicli commented Aug 4, 2023

@czomo @mjnagel, I am deploying Jaeger-operator 1.47 through helm-chart 1.46 and I would like to disable cert-manager, as we have our own TLS platform. Is it feasible?
During deployment, it was found that even if the values are set to false, pod startup still looks for certs, resulting in pod startup failure.


klinch0 commented Dec 9, 2023

solution:

```bash
# 1) Generate the server key and CSR with cfssl (writes server.csr and server-key.pem).
#    The API server verifies the webhook certificate against the webhook Service's
#    in-cluster DNS name, so that name is what belongs in "hosts"; the values below
#    are the ones originally posted.
cat <<EOF | cfssl genkey - | cfssljson -bare server
{
  "hosts": [
    "kubernetes.default.svc.cluster.local",
    "10.96.0.1"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  }
}
EOF

# 2) Submit the CSR to Kubernetes under a custom signerName. No built-in signer
#    handles example.com/serving, so the certificate is signed out of band (step 5)
#    and uploaded into the CSR status (step 6).
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: kubernetes.default
spec:
  request: $(cat server.csr | base64 | tr -d '\n')
  signerName: example.com/serving
  usages:
  - digital signature
  - key encipherment
  - server auth
EOF

# 2.1) Approve the CSR. The object created above is named kubernetes.default.
kubectl certificate approve kubernetes.default

# 3) Create a local signing CA (writes ca.pem and ca-key.pem; keep ca-key.pem off shared hosts).
cat <<EOF | cfssl gencert -initca - | cfssljson -bare ca
{
  "CN": "My Example Signer",
  "key": {
    "algo": "rsa",
    "size": 2048
  }
}
EOF

# 4) Signing profile. A quoted heredoc keeps the JSON intact (nested double quotes
#    inside an echo "..." would be stripped by the shell and break cfssl sign).
#    876000h is 100 years; choose an expiry you are prepared to rotate.
cat > server-signing-config.json <<'EOF'
{
    "signing": {
        "default": {
            "usages": [
                "digital signature",
                "key encipherment",
                "server auth"
            ],
            "expiry": "876000h",
            "ca_constraint": {
                "is_ca": false
            }
        }
    }
}
EOF

# 5) Sign the CSR with the local CA (writes ca-signed-server.pem).
kubectl get csr kubernetes.default -o jsonpath='{.spec.request}' | \
  base64 --decode | \
  cfssl sign -ca ca.pem -ca-key ca-key.pem -config server-signing-config.json - | \
  cfssljson -bare ca-signed-server

# 6) Upload the signed certificate into the CSR status.
kubectl get csr kubernetes.default -o json | \
jq '.status.certificate = "'$(base64 ca-signed-server.pem | tr -d '\n')'"' | \
kubectl replace --raw /apis/certificates.k8s.io/v1/certificatesigningrequests/kubernetes.default/status -f -

# 7) Fetch the certificate back and create the secret the operator mounts, in the
#    namespace the chart was installed into (observability in this issue).
kubectl get csr kubernetes.default -o jsonpath='{.status.certificate}' \
    | base64 --decode > server.crt
kubectl create secret tls jaeger-operator-service-cert \
  --cert server.crt --key server-key.pem -n observability
```
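Before handing a hand-made certificate to the operator it is worth checking the things the API server will check when it calls the webhook. The script below is an added example, not code from this issue or from the jaeger-operator project: it verifies that the certificate matches its private key, carries the webhook Service's DNS name as a SAN, chains to the CA that will be advertised as the webhook `caBundle`, and is not about to expire. The Service name `jaeger-operator-webhook-service.observability.svc` is an assumption (read yours from the chart values), and the fixture generated by `make_fixture` is a constructed stand-in for the cfssl output.

```bash
#!/usr/bin/env bash
# Added example (not from the issue or the jaeger-operator project): pre-flight
# checks for a hand-made webhook TLS secret, using only openssl and coreutils.
set -euo pipefail

# Assumed webhook Service DNS name; override via the environment.
WEBHOOK_SVC_DNS="${WEBHOOK_SVC_DNS:-jaeger-operator-webhook-service.observability.svc}"

# (a) The public key in the cert equals the public key derived from the private key.
key_matches_cert() { # $1 cert.pem  $2 key.pem
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# (b) Exact DNS SAN match: split the SAN line on commas, compare whole entries
#     with grep -xF so neither dots nor prefixes match by accident.
cert_has_san() { # $1 cert.pem  $2 dns-name
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF "DNS:$2"
}

# (c) The leaf verifies against the CA that will go into clientConfig.caBundle.
cert_chains_to_ca() { # $1 cert.pem  $2 ca.pem
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# (d) Not expiring within N days (-checkend exits 1 if the cert will have expired).
cert_valid_for_days() { # $1 cert.pem  $2 days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Single-line base64 of the CA PEM, the form the webhook configuration expects.
ca_bundle_b64() { # $1 ca.pem
  base64 < "$1" | tr -d '\n'
}

# Run all four checks on a directory holding server.crt, server-key.pem and ca.pem.
check_webhook_secret() { # $1 dir  $2 dns-name
  local d=$1 dns=$2
  key_matches_cert "$d/server.crt" "$d/server-key.pem" || { echo "key/cert mismatch"; return 1; }
  cert_has_san "$d/server.crt" "$dns"                   || { echo "missing SAN DNS:$dns"; return 1; }
  cert_chains_to_ca "$d/server.crt" "$d/ca.pem"         || { echo "cert does not chain to ca.pem"; return 1; }
  cert_valid_for_days "$d/server.crt" 30                || { echo "cert expires within 30 days"; return 1; }
  echo "ok: caBundle=$(ca_bundle_b64 "$d/ca.pem" | cut -c1-24)..."
}

# Constructed fixture so the script runs offline: a throwaway CA plus a server
# cert carrying the given SAN, valid for $3 days (stand-in for the cfssl output).
make_fixture() { # $1 dir  $2 dns-name  $3 days
  local d=$1 dns=$2 days=$3
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Signer" \
    -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$dns" \
    -keyout "$d/server-key.pem" -out "$d/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$dns" > "$d/ext.cnf"
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
    -CAcreateserial -days "$days" -extfile "$d/ext.cnf" -out "$d/server.crt" 2>/dev/null
}

# Demo: build the fixture and check it. Point check_webhook_secret at the
# directory holding your real server.crt / server-key.pem / ca.pem instead.
if [ "${1:-}" = "demo" ]; then
  D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
  make_fixture "$D" "$WEBHOOK_SVC_DNS" 90
  check_webhook_secret "$D" "$WEBHOOK_SVC_DNS"
fi
```

Invoke the script with the argument `demo` to see the checks pass against the constructed fixture; against real material, a SAN or chain failure here is the same failure the API server would report as a TLS handshake error when it calls the webhook.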


shicli commented Mar 27, 2024

@klinch0 thx
