cainjector fails to start if it can't list Certificates #3251
Labels
kind/bug
priority/critical-urgent
cainjector watches Secrets, webhooks, custom resources and Certificates as event sources for its controller-runtime based reconciliation queue.
As it starts up it attempts to list all of these resources to populate informer caches before it begins reconciling any of them.
If any of these resources cannot be listed then none of them are reconciled, which leads to a chicken-and-egg problem in some cases.
When it attempts to list Certificates of version X where the CRDs specify a different API primary or storage version,
then the K8S API server needs to be able to perform a conversion via the cert-manager conversion webhook.
But if this is after a re-install of the CRDs, then cainjector will not yet have updated the CRDs with the caBundle of the cert-manager webhook.
Instead, cainjector should be able to perform secret based reconciliation to update CRDs and webhook configurations independently of the Certificate based reconciliation.
This may be the reason that cainjector used to run two goroutines with two separate controller-runtime managers, one for each of these, which we removed in #3187.
See discussion at https://kubernetes.slack.com/archives/C4NV3DWUC/p1599044537041800
/cc @jfrancisco0 @meyskens
/kind bug
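The startup ordering described above, as an added illustration that is not cert-manager code: a fake API server whose Certificate list fails until the CRD carries the webhook CA, a single manager whose all-or-nothing cache sync blocks the very injection that would unblock it, and the two-manager layout in which the Secret-based reconciler injects the caBundle independently so the Certificate-based one can eventually sync. All names (apiServer, singleManager, splitManagers, freshReinstall, the constructed CA string) are hypothetical; the model only tracks the CRD caBundle, not the mutating/validating webhook configurations cainjector also updates.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"sync"
	"time"
)

// errConversion stands for the error the API server returns when it has to
// convert Certificates through the cert-manager conversion webhook but the
// CRD does not yet carry the CA that signed the webhook's serving cert.
var errConversion = errors.New("conversion webhook for certificates.cert-manager.io: x509: certificate signed by unknown authority")

// apiServer is a hypothetical stand-in for the Kubernetes API server holding
// the two pieces of state that matter here.
type apiServer struct {
	mu        sync.Mutex
	secretCA  []byte // CA stored in the cert-manager webhook's Secret
	crdBundle []byte // spec.conversion.webhook.clientConfig.caBundle on the CRD
}

// listSecrets always succeeds: core resources need no conversion webhook.
func (s *apiServer) listSecrets() ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return append([]byte(nil), s.secretCA...), nil
}

// listCertificates succeeds only once the CRD's caBundle matches the CA
// in the Secret, i.e. once the conversion webhook can be trusted.
func (s *apiServer) listCertificates() error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !bytes.Equal(s.crdBundle, s.secretCA) {
		return errConversion
	}
	return nil
}

// patchCRD is the caBundle injection cainjector performs on the CRD.
func (s *apiServer) patchCRD(bundle []byte) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.crdBundle = append([]byte(nil), bundle...)
}

// injectFromSecret is the Secret-based reconcile: copy the CA into the CRD.
func injectFromSecret(s *apiServer) error {
	ca, err := s.listSecrets()
	if err != nil {
		return err
	}
	s.patchCRD(ca)
	return nil
}

// singleManager models one manager owning every informer: every list must
// succeed before any reconcile runs, so the failing Certificate list blocks
// the Secret-based injection that would have made it succeed.
func singleManager(s *apiServer) error {
	if _, err := s.listSecrets(); err != nil {
		return fmt.Errorf("cache sync (secrets): %w", err)
	}
	if err := s.listCertificates(); err != nil {
		return fmt.Errorf("cache sync (certificates): %w", err)
	}
	return injectFromSecret(s)
}

// splitManagers models two independent managers: the Secret-based one syncs
// and reconciles on its own goroutine, while the Certificate-based one keeps
// re-listing (as an informer would) until the injected caBundle lets the
// conversion succeed.
func splitManagers(s *apiServer, maxAttempts int) error {
	errc := make(chan error, 1)
	go func() { errc <- injectFromSecret(s) }()

	var lastErr error
	for attempt := 0; attempt < maxAttempts; attempt++ {
		if lastErr = s.listCertificates(); lastErr == nil {
			break
		}
		time.Sleep(5 * time.Millisecond) // shortened re-list backoff
	}
	if err := <-errc; err != nil {
		return fmt.Errorf("secret manager: %w", err)
	}
	if lastErr != nil {
		return fmt.Errorf("certificate manager: cache never synced: %w", lastErr)
	}
	return nil
}

// freshReinstall is a cluster right after the CRDs were re-applied: the
// webhook Secret still holds its (constructed) CA, but the re-created CRD
// has an empty caBundle.
func freshReinstall() *apiServer {
	return &apiServer{secretCA: []byte("-----BEGIN CERTIFICATE-----\nconstructed-sample-CA\n-----END CERTIFICATE-----")}
}

func main() {
	fmt.Println("single manager:", singleManager(freshReinstall()))
	fmt.Println("split managers:", splitManagers(freshReinstall(), 100))
}
```

Running it prints a conversion-webhook error for the single-manager layout and a nil error for the split layout; the point is that only the second layout ever writes the caBundle, because its Secret-based reconciler does not wait for the Certificate cache to sync.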