  1. OpenShift Bugs
  2. OCPBUGS-10821

As a functional part of the Red Hat supported cert-manager operator, the cm-acme-http-solver pod should use a Red Hat published image and the image should be the latest


Details

    • Bug
    • Resolution: Done
    • Blocker
    • None
    • 4.13.0, 4.12.z
    • cert-manager
    • Moderate
    • No
    • CFE Sprint 234, CFE Sprint 235, CFE Sprint 236
    • 3
    • Proposed
    • False

    Description

      Description of problem:
      We know that, because the Red Hat cert-manager operator is a supported product, the operand pod's image uses Red Hat's own published image registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9 (https://catalog.redhat.com/software/containers/cert-manager/jetstack-cert-manager-rhel9/63d2c618c447aabc190c684c) instead of the upstream operand image.

      Likewise, as part of the Red Hat cert-manager operator as a supported product, the cm-acme-http-solver pod used by the http01 function should use Red Hat's own published image too, and the image tag should be the latest.

      Version-Release number of selected component (if applicable):
      OCP 4.12, Red Hat cert-manager operator, bundle version v1.10.2-21.

      How reproducible:
      Always

      Steps to Reproduce:
      1. Install the Red Hat cert-manager operator. Then create a clusterissuer.
      $ cat clusterissuer-acme-http01-example.yaml

      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: letsencrypt
      spec:
        acme:
          preferredChain: ""
          privateKeySecretRef:
            name: example-issuer-account-key
          server: https://acme-v02.api.letsencrypt.org/directory
          solvers:
          - http01:
              ingress:
                class: openshift-default
      

      $ oc create -f clusterissuer-acme-http01-example.yaml

      2. Create an ingress referencing the clusterissuer

      $ cat ingress-using-clusterissuer-neg.yaml
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: ingress-test
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt
      spec:
        rules:
        - host: hello.test.com
          http:
            paths:
            - path: "/"
              backend:
                service:
                  name: hello-openshift
                  port:
                    number: 8080
              pathType: "Prefix"
        tls:
        - hosts:
          - hello.test.com
          secretName: ingress-cert
      

      $ oc create -f ingress-using-clusterissuer-neg.yaml

      3. Check the pod's image

      $ oc get pod
      NAME                              READY   STATUS    RESTARTS   AGE
      cm-acme-http-solver-m6t62         1/1     Running   0          5s
      
      $ oc get po cm-acme-http-solver-m6t62 -o yaml
      ...
          image: quay.io/jetstack/cert-manager-acmesolver:canary
      ...
      

      Actual results:
      Step 3 shows that the cm-acme-http-solver pod uses the upstream image. Browsing https://quay.io/repository/jetstack/cert-manager-acmesolver?tab=tags and filtering for "canary" in the "Filter Tags" search box shows that the tag is from 3 years ago, which is very old.

      Expected results:
      First, cm-acme-http-solver is a functional part of the Red Hat cert-manager operator, so it should use Red Hat's own published image, like the operand cert-manager image.

      Second, as a comparison, I installed the community upstream cert-manager from the OCP console and repeated the above steps; it uses the latest versioned tag instead of the 3-year-old "canary" tag:

      $ oc get po cm-acme-http-solver-kl5nv -o yaml
      ...
          image: quay.io/jetstack/cert-manager-acmesolver:v1.11.0
      ...
      

      For the Red Hat cert-manager operator, even if it uses the community quay.io/jetstack/cert-manager-acmesolver image, it should use the latest versioned tag too, instead of the 3-year-old "canary" tag.

          People

            thn@redhat.com Thejas N (Inactive)
            xxia-1 Xingxing Xia
            Xingxing Xia Xingxing Xia
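
The check in step 3 of the report can be automated across a cluster. The following is an added example, not part of the original report or of the cert-manager operator: it audits pod JSON (as produced by `oc get pods -A -o json`) for images from outside a trusted registry or on floating tags. The trusted prefix, the set of floating tags, the helper names and the sample data are assumptions of this example.

```python
# Added example: audit pod images for registry and tag policy.
TRUSTED_PREFIX = "registry.redhat.io/"    # assumption: policy chosen for this example
FLOATING_TAGS = {"", "latest", "canary"}  # tags that do not pin a release

def split_image(ref):
    """Split an image reference into (repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    # Only a colon in the last path component separates a tag, so a
    # registry port (host:5000/repo) is not mistaken for one.
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    else:
        tag = ""
    return name, tag, digest

def audit_pods(pod_list):
    """Return (namespace, pod, image, reasons) per non-compliant container."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            repo, tag, digest = split_image(c["image"])
            reasons = []
            if not repo.startswith(TRUSTED_PREFIX):
                reasons.append("untrusted-registry")
            if not digest and tag in FLOATING_TAGS:
                reasons.append("floating-tag")
            if reasons:
                findings.append((meta.get("namespace", ""), meta["name"], c["image"], reasons))
    return findings

def _pod(ns, name, image):  # helper for the constructed sample
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"containers": [{"name": "c", "image": image}]}}

# Constructed sample shaped like `oc get pods -A -o json`; namespaces, the
# operand pod name and the all-zero digest are made up.
SAMPLE = {"items": [
    _pod("demo", "cm-acme-http-solver-m6t62", "quay.io/jetstack/cert-manager-acmesolver:canary"),
    _pod("demo", "cm-acme-http-solver-kl5nv", "quay.io/jetstack/cert-manager-acmesolver:v1.11.0"),
    _pod("cert-manager", "cert-manager-0",
         "registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9@sha256:" + "0" * 64),
]}

if __name__ == "__main__":
    for ns, pod, image, reasons in audit_pods(SAMPLE):
        print(f"{ns}/{pod}: {image} -> {', '.join(reasons)}")
```

Against a live cluster, pass `json.load(sys.stdin)` to `audit_pods` and pipe in the `oc get pods -A -o json` output.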