- Bug
- Resolution: Unresolved
- Minor
- 4.12.z
- Quality / Stability / Reliability
- False
- Moderate
- No
Description of problem:
Users can't set args mentioned in the upstream docs. For example, a customer asked about using additional certificate output formats such as DER; the related doc is https://cert-manager.io/docs/usage/certificate/#additional-certificate-output-formats , which says the arg --feature-gates=AdditionalCertificateOutputFormats=true is needed.
But the RH cert-manager operator does not allow it, because https://github.com/openshift/cert-manager-operator/pull/95/files#diff-ba63173ce5b217444fd630bc86651de230d757ee5cbf068d0f4e4a0455403807R19 limits supportedCertManagerArgs/supportedCertManagerWebhookArgs to only a few args.
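The validation the report describes, written out as an added Go example (this is not the operator's own code): each entry of overrideArgs is split into flag name and value, and the flag name is compared against an allowlist. The allowlist contents below are illustrative assumptions, since the page only links to the real list; the error text follows the operator log quoted under "Actual results".

```go
package main

import (
	"fmt"
	"strings"
)

// supportedArgs is an illustrative allowlist of flag names (assumed, not the
// operator's real list). The value part of a flag is never consulted: the check
// is purely on the flag name, which is why "--feature-gates=<anything>" fails.
var supportedArgs = map[string]bool{
	"--dns01-recursive-nameservers":      true,
	"--dns01-recursive-nameservers-only": true,
	"--enable-certificate-owner-ref":     true,
	"--v":                                true,
}

// splitArg separates "--name=value" into its name and value; a bare "--name"
// yields an empty value.
func splitArg(arg string) (name, value string) {
	if i := strings.Index(arg, "="); i >= 0 {
		return arg[:i], arg[i+1:]
	}
	return arg, ""
}

// validateOverrideArgs returns an error for the first arg whose flag name is
// not allowlisted, formatted like the reconciliation error in the bug report.
func validateOverrideArgs(args []string) error {
	for _, a := range args {
		name, value := splitArg(a)
		if !supportedArgs[name] {
			return fmt.Errorf("validation failed due to unsupported arg %q=%q", name, value)
		}
	}
	return nil
}

func main() {
	// The override from the reproduction steps is rejected on the flag name alone.
	fmt.Println(validateOverrideArgs([]string{"--feature-gates=AdditionalCertificateOutputFormats=true"}))
	// Flags on the (assumed) allowlist pass regardless of their value.
	fmt.Println(validateOverrideArgs([]string{"--v=2", "--enable-certificate-owner-ref=true"}))
}
```

Because only the name is checked, adding "--feature-gates" to the allowlist would admit every feature gate at once; an operator that wants to stay in control of which gates users can turn on would also have to validate the value.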
Version-Release number of selected component (if applicable):
v1.10.2 cert-manager operator installed in 4.12 env
How reproducible:
Always
Steps to Reproduce:
1. Install RH cert-manager operator
2. $ oc patch certmanager/cluster --type=merge -p '{"spec":{"controllerConfig":{"overrideArgs":["--feature-gates=AdditionalCertificateOutputFormats=true"]},"webhookConfig":{"overrideArgs":["--feature-gates=AdditionalCertificateOutputFormats=true"]}}}'
3. Check if cert-manager pods are renewed.
$ oc get po -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-6d4b5d4c97-c5kj2 1/1 Running 0 177m
cert-manager-cainjector-866c4fd758-782pw 1/1 Running 0 178m
cert-manager-webhook-6d48f88495-tlswl 1/1 Running 0 178m
Check cert-manager-operator pod's logs:
$ oc logs cert-manager-operator-controller-manager-f46668b78-vjgqd -n cert-manager-operator
Actual results:
3. cert-manager pods are NOT renewed. cert-manager-operator pod's logs show:
$ oc logs cert-manager-operator-controller-manager-f46668b78-vjgqd -n cert-manager-operator
...
E0412 06:42:51.322088 1 base_controller.go:272] cert-manager-webhook-deployment reconciliation failed: error running hook function (index=2): validation failed due to unsupported arg "--feature-gates"="AdditionalCertificateOutputFormats=true"
Expected results:
Should allow users to set args mentioned in upstream doc. There are more args: https://cert-manager.io/docs/cli/controller/
Additional info:
The user has to use a workaround, which is not officially supported:
$ oc patch certmanager/cluster --type=merge -p '{"spec":{"managementState":"Unmanaged"}}'
$ oc patch deployment/cert-manager -n cert-manager --type json -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--feature-gates=AdditionalCertificateOutputFormats=true"}]'
deployment.apps/cert-manager patched
$ oc patch deployment/cert-manager-webhook -n cert-manager --type json -p '[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--feature-gates=AdditionalCertificateOutputFormats=true"}]'
deployment.apps/cert-manager-webhook patched
Pods are renewed:
$ oc get po -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-5ddc6cb5ff-k4wks 1/1 Running 0 114s
cert-manager-cainjector-866c4fd758-782pw 1/1 Running 0 3h39m
cert-manager-webhook-55b49fcd57-sx4jt 1/1 Running 0 56s
$ oc create -f selfsigned-issuer.yaml
$ oc create -f certificate-from-selfsigned-issuer-AdditionalCertificateOutputFormats.yaml
certificate.cert-manager.io/my-selfsigned-ca created
$ cat certificate-from-selfsigned-issuer-AdditionalCertificateOutputFormats.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-selfsigned-ca
spec:
  additionalOutputFormats:
    - type: CombinedPEM
    - type: DER
  commonName: my-selfsigned-ca
  isCA: true
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
  privateKey:
    algorithm: ECDSA
    size: 256
  secretName: my-root-secret
Cert is "READY":
$ oc get cert
NAME READY SECRET AGE
my-selfsigned-ca True my-root-secret 66s
The cert's corresponding secret includes the additional output formats tls-combined.pem and key.der:
$ oc extract secret/my-root-secret --confirm
tls.key
ca.crt
key.der
tls-combined.pem
tls.crt
$ cat tls-combined.pem
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIA1zmQqRK5AKblGan67LmNALdLvPYZ/EllGPMf0rk8NQoAoGCCqGSM49
...
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBdzCCAR2gAwIBAgIRAOY3TrdaLqtR/SUEQDmjruUwCgYIKoZIzj0EAwIwGzEZ
...
-----END CERTIFICATE-----
$ file key.der
key.der: data
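`file` reporting key.der as "data" confirms nothing about the format. The added Go example below (not from the report or from cert-manager) shows the check that actually proves the two extra secret entries are what the feature is supposed to produce: key.der must parse as a SEC 1 EC private key, and tls-combined.pem must be a private-key PEM block followed by a certificate PEM block. The sample inputs are constructed in sampleSecret() from a freshly generated ECDSA P-256 self-signed CA, matching the Certificate spec above; they are not the key or cert from the report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkCombinedPEM returns the PEM block types found in a tls-combined.pem
// payload and fails unless it is exactly [EC PRIVATE KEY, CERTIFICATE].
func checkCombinedPEM(combined []byte) ([]string, error) {
	var types []string
	rest := combined
	for {
		block, r := pem.Decode(rest)
		if block == nil {
			break
		}
		types = append(types, block.Type)
		rest = r
	}
	if len(types) != 2 || types[0] != "EC PRIVATE KEY" || types[1] != "CERTIFICATE" {
		return types, fmt.Errorf("unexpected PEM layout %v, want [EC PRIVATE KEY CERTIFICATE]", types)
	}
	return types, nil
}

// checkDERKey parses key.der as a SEC 1 EC private key and returns the curve
// name; this succeeds only if the bytes really are a DER-encoded EC key.
func checkDERKey(der []byte) (string, error) {
	key, err := x509.ParseECPrivateKey(der)
	if err != nil {
		return "", fmt.Errorf("key.der is not a SEC 1 EC private key: %w", err)
	}
	return key.Curve.Params().Name, nil
}

// sampleSecret builds constructed stand-ins for the key.der and
// tls-combined.pem entries of a self-signed ECDSA P-256 CA secret.
func sampleSecret() ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "my-selfsigned-ca"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	// The combined file is the key PEM immediately followed by the cert PEM.
	combined := append(
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})...,
	)
	return keyDER, combined, nil
}

func main() {
	keyDER, combined, err := sampleSecret()
	if err != nil {
		panic(err)
	}
	types, err := checkCombinedPEM(combined)
	fmt.Println("tls-combined.pem blocks:", types, "err:", err)
	curve, err := checkDERKey(keyDER)
	fmt.Println("key.der curve:", curve, "err:", err)
}
```

Against a real cluster you would feed these functions the files written by `oc extract secret/my-root-secret`; an RSA certificate would need x509.ParsePKCS1PrivateKey instead, since cert-manager's DER output follows the key algorithm in the Certificate spec.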
Is incorporated by: OCPBUGS-31078 cert-manager Operator should support users to enable "--feature-gates" (Closed)