Bug
Resolution: Done
Critical
4.13.0, 4.12.z
Quality / Stability / Reliability
False
Moderate
No
Proposed
CFE Sprint 234, CFE Sprint 235, CFE Sprint 236
3
Description of problem:
We know that, as part of the Red Hat cert-manager operator as a supported product, the operand pod uses Red Hat's own published image registry.redhat.io/cert-manager/jetstack-cert-manager-rhel9 (see https://catalog.redhat.com/software/containers/cert-manager/jetstack-cert-manager-rhel9/63d2c618c447aabc190c684c), instead of the upstream operand image.
Likewise, as part of the Red Hat cert-manager operator as a supported product, the cm-acme-http-solver pod used by the http01 function should use Red Hat's own published image too, and the image tag should be the latest.
Version-Release number of selected component (if applicable):
OCP 4.12, Red Hat cert-manager operator of bundle version v1.10.2-21.
How reproducible:
Always
Steps to Reproduce:
1. Install the Red Hat cert-manager operator. Then create a ClusterIssuer.
$ cat clusterissuer-acme-http01-example.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    preferredChain: ""
    privateKeySecretRef:
      name: example-issuer-account-key
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - http01:
        ingress:
          class: openshift-default
$ oc create -f clusterissuer-acme-http01-example.yaml
2. Create an Ingress referencing the ClusterIssuer.
$ cat ingress-using-clusterissuer-neg.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-test
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  rules:
  - host: hello.test.com
    http:
      paths:
      - path: "/"
        backend:
          service:
            name: hello-openshift
            port:
              number: 8080
        pathType: "Prefix"
  tls:
  - hosts:
    - hello.test.com
    secretName: ingress-cert
$ oc create -f ingress-using-clusterissuer-neg.yaml
3. Check the pod's image.
$ oc get pod
NAME                        READY   STATUS    RESTARTS   AGE
cm-acme-http-solver-m6t62   1/1     Running   0          5s
$ oc get po cm-acme-http-solver-m6t62 -o yaml
...
image: quay.io/jetstack/cert-manager-acmesolver:canary
...
Actual results:
Step 3 shows that the cm-acme-http-solver pod uses the upstream image. Browsing https://quay.io/repository/jetstack/cert-manager-acmesolver?tab=tags and filtering for "canary" in the "Filter Tags" search box shows that the tag is from 3 years ago, which is very old.
Expected results:
First, cm-acme-http-solver is a functional part of the Red Hat cert-manager operator, so it should use Red Hat's own published image, like the operand cert-manager image.
Second, as a comparison, I installed the community upstream cert-manager from the OCP console and repeated the above steps; it uses the latest versioned tag instead of the 3-year-old "canary" tag:
$ oc get po cm-acme-http-solver-kl5nv -o yaml
...
image: quay.io/jetstack/cert-manager-acmesolver:v1.11.0
...
For the Red Hat cert-manager operator, even if it is going to use the community quay.io/jetstack/cert-manager-acmesolver image, it should use the latest versioned tag too, instead of the 3-year-old "canary" tag.