Loading...

XML

Word

Printable

Type: Bug
Resolution: Not a Bug
Priority: Undefined
Fix Version/s: 4.16.0
Affects Version/s: 4.16
Component/s: cert-manager
Labels:
None

Severity:
Moderate
Regression:
No
Sprint:
CFE Sprint 252
sprint_count:
1
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.16.0

SFDC Cases Counter:
SFDC Cases Links:

Description of problem:

In the 1.14 release, we have some upstream features selected by PM to test. 

These two features are placed behind feature gates:
- https://issues.redhat.com/browse/CM-292
- https://issues.redhat.com/browse/CM-293

To use these fields, the feature gates "LiteralCertificateSubject" and "OtherNames" needs to be enabled on the cert-manager controller and/or webhook.

Version-Release number of selected component (if applicable):

cert-manager operator v1.14.0

How reproducible:

Tried twice, both occurred

Steps to Reproduce and actual results:

Install the cert-manager operator
Per this doc, try to patch cert-manager cluster resources like:

$ oc patch certmanager.operator cluster --type=merge -p="
spec:
  controllerConfig:
    overrideArgs:
      - '--feature-gates=LiteralCertificateSubject=true'
  webhookConfig:
    overrideArgs:
      - '--feature-gates=LiteralCertificateSubject=true' 
"

Wait pods to be redeployed but failed. Manually delete pods and wait for recreating
Create a selfsigned ClusterIssuer
Create a Certificate with "spec.literalSubject". Got Error:

Error from server (NotAcceptable): error when creating "local/manifest/CM-292/cert.yaml": admission webhook "webhook.cert-manager.io" denied the request: spec.literalSubject: Forbidden: Feature gate LiteralCertificateSubject must be enabled on both webhook and controller to use the alpha `literalSubject` field

Check pods YAML, cannot find "--feature-gates" flag in args field

$ oc get po -n cert-manager cert-manager-6db6ffb49c-dbl7f -o yaml
...
spec:
  containers:
  - args:
    - --acme-http01-solver-image=registry.redhat.io/cert-manager/jetstack-cert-manager-acmesolver-rhel9@sha256:...
    - --cluster-resource-namespace=$(POD_NAMESPACE)
    - --leader-election-namespace=kube-system
    - --max-concurrent-challenges=60
    - --v=2
...

$ oc get po -n cert-manager cert-manager-webhook-cfb567bb8-xl25b -o yaml
...
spec:
  containers:
  - args:
    - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
    - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
    - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.$(POD_NAMESPACE),cert-manager-webhook.$(POD_NAMESPACE).svc
    - --secure-port=10250
    - --v=2
...

Expected results:

1. Pods should be updated and redepolyed automatically after patched arguments "--feature-gates=...".
2. Create a Certificate with "spec.literalSubject" should success.

Additional info:

Upsream doc about feature-gates: https://cert-manager.io/docs/installation/configuring-components/#feature-gates

Checked operator's codebase, found that "--feature-gates" is not a supported Args: https://github.com/openshift/cert-manager-operator/blob/master/pkg/controller/deployment/deployment_overrides_validation.go

There is a workaround by using "unsupportedConfigOverrides": https://github.com/openshift/cert-manager-operator?tab=readme-ov-file#using-unsupported-config-overrides-options

blocks

CM-292 As a tester I'd test UPSTREAM #5002 LiteralCertificateSubject in RH cert-manager v1.14

Closed

CM-293 As a tester I'd test UPSTREAM #6404 OtherNameSANs field in Certificate in RH cert-manager v1.14

Closed

Assignee:: Trilok Geer

Reporter:: Yuedong Wu

QA Contact:: Yuedong Wu

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/03/20 6:16 AM

Updated:: 2024/04/17 7:46 AM

Resolved:: 2024/04/17 7:46 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates