-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Remove Cert-manager as a dependency of redis-operator #166
Comments
which chart version are you using because cert-manger is disabled on the default. |
I had upgraded to |
Doesn't look like 0.15.9 does it. Which is good. My point with this issue still stands though. cert-manager is a very core requirement of a cluster - it's needed for ingress and a number of different apps - the scenarios where it will not already be part of a cluster by the time someone is adding redis should be slim. Making this a dependency of this chart is an anti-pattern and I cannot see good practice coming from this choice. Adding an option to create a certificate request or define the cert-issuer name for cert-requests in the chart makes good sense and is a good pattern. Installing cert-manager - not so much. |
https://github.com/OT-CONTAINER-KIT/helm-charts/blob/main/charts/redis-operator/templates/cert-manager.yaml#L1 The default is marked https://github.com/OT-CONTAINER-KIT/helm-charts/blob/main/charts/redis-operator/values.yaml#L54 |
This point seems to be valid. I could consider dropping the dependency here. |
could we create an option to just deploy the Certificate (and use an own clusterissuer)? |
Same here - please separate "certmanager.install" and "certmanager.enable", we are running our own cert manager and only want certmanager CRD Resources to be installed |
Signed-off-by: Robert Ruf <robert.ruf@mail.schwarz>
I added the suggested values to the chart to separate install from usage. However in our case we're using this chart in Flux and Flux seems to ignore the dependency condition and always tries to reach out to look up the cert-manager chart, which fails in an airgapped environment. My suggestion would be to remove the cert-manager dependency all together and simply have the "enable" flat which will create the cert-manager CRs. In my opinion it's up to the user to make sure cert-manager is available or to provide the path to a certificate created by other means. Having cluster-wide dependencies in individual parts is a broken idea, imho. This obviously can only work in a very hypothetical 1-chart-per-cluster world and will likely break in any other scenario. |
#129 (comment)
As per my comment here, this chart unexpectedly installed a SECOND cert-manager instance in my cluster without mentioning such in the docs.
A redis operator should not be prescribing certificate management or installing cert-manager into clusters where cert-managers already exist. This caused two instances of cert-manager to war over certificates in my cluster, exhausting API requests to letsencrypt and breaking applications for multiple domains for the next week while I wait for the api limit to cool off.
This needs to be removed. If this chart needs certificate requests, it should add requests, and DOCUMENT the need for cert-manager
The text was updated successfully, but these errors were encountered: