Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Remove Cert-manager as a dependency of redis-operator #166

Open
Routhinator opened this issue Oct 16, 2023 · 8 comments
Open

[BUG] Remove Cert-manager as a dependency of redis-operator #166

Routhinator opened this issue Oct 16, 2023 · 8 comments
Labels
bug Something isn't working

Comments

@Routhinator
Copy link

#129 (comment)

As per my comment here, this chart unexpectedly installed a SECOND cert-manager instance in my cluster without mentioning such in the docs.

A redis operator should not be prescribing certificate management or installing cert-manager into clusters where cert-managers already exist. This caused two instances of cert-manager to war over certificates in my cluster, exhausting API requests to letsencrypt and breaking applications for multiple domains for the next week while I wait for the api limit to cool off.

This needs to be removed. If this chart needs certificate requests, it should add requests, and DOCUMENT the need for cert-manager

@Routhinator Routhinator added the bug Something isn't working label Oct 16, 2023
@shubham-cmyk
Copy link
Member

which chart version are you using because cert-manger is disabled on the default.

@Routhinator
Copy link
Author

I had upgraded to 0.15.0 and ended up with the second cert-manager instance. Looking at 0.15.9 now to see if it does the same.

@Routhinator
Copy link
Author

Routhinator commented Oct 16, 2023

Doesn't look like 0.15.9 does it. Which is good.

My point with this issue still stands though. cert-manager is a very core requirement of a cluster - it's needed for ingress and a number of different apps - the scenarios where it will not already be part of a cluster by the time someone is adding redis should be slim. Making this a dependency of this chart is an anti-pattern and I cannot see good practice coming from this choice.

Adding an option to create a certificate request or define the cert-issuer name for cert-requests in the chart makes good sense and is a good pattern. Installing cert-manager - not so much.

@shubham-cmyk
Copy link
Member

Doesn't look like 0.15.9 does it. Which is good.

https://github.com/OT-CONTAINER-KIT/helm-charts/blob/main/charts/redis-operator/templates/cert-manager.yaml#L1
The installation of certificates is not enabled in the values.yaml
also cert-manger should not be installed anyway here :
https://github.com/OT-CONTAINER-KIT/helm-charts/blob/main/charts/redis-operator/Chart.yaml#L28

The default is marked false

https://github.com/OT-CONTAINER-KIT/helm-charts/blob/main/charts/redis-operator/values.yaml#L54

@shubham-cmyk
Copy link
Member

chart makes good sense and is a good pattern. Installing cert-manager - not so much.

This point seems to be valid. I could consider dropping the dependency here.

@genofire
Copy link
Contributor

could we create an option to just deploy the Certificate (and use an own clusterissuer)?

@egorksv
Copy link

egorksv commented Jan 30, 2024

Same here - please separate "certmanager.install" and "certmanager.enable", we are running our own cert manager and only want certmanager CRD Resources to be installed

omniproc pushed a commit to omniproc/helm-charts that referenced this issue Apr 22, 2024
omniproc pushed a commit to omniproc/helm-charts that referenced this issue Apr 22, 2024
Signed-off-by: Robert Ruf <robert.ruf@mail.schwarz>
@omniproc
Copy link

I added the suggested values to the chart to separate install from usage. However in our case we're using this chart in Flux and Flux seems to ignore the dependency condition and always tries to reach out to look up the cert-manager chart, which fails in an airgapped environment.

My suggestion would be to remove the cert-manager dependency all together and simply have the "enable" flat which will create the cert-manager CRs. In my opinion it's up to the user to make sure cert-manager is available or to provide the path to a certificate created by other means. Having cluster-wide dependencies in individual parts is a broken idea, imho. This obviously can only work in a very hypothetical 1-chart-per-cluster world and will likely break in any other scenario.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

5 participants