Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-8466

cert-manager-operator should support changing operand pods' labels

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Normal
    • None
    • 4.13
    • cert-manager
    • Moderate
    • CFE Sprint 234, CFE Sprint 235
    • 2
    • No
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      cert-manager-operator should support changing operand pods' labels. Otherwise users can't use cert-manager with dns01 solver using AAD pod identities, i.e. https://cert-manager.io/docs/configuration/acme/dns01/azuredns/#managed-identity-using-aad-pod-identities . There it requires:
      "the cert-manager pod has a relevant label to use the pod identity binding ..." and the label must have a key "aadpodidbinding".
      
      https://azure.github.io/aad-pod-identity/docs/concepts/azureidentitybinding/#azureidentitybindingspec and https://azure.github.io/aad-pod-identity/docs/demo/standard_walkthrough/#6-deployment-and-validation also both document the needed label key "aadpodidbinding":
      
      "look for value of pod label with key aadpodidbinding that is equal to itself".
      
      "For a pod to match an identity binding, it needs a label with the key aadpodidbinding whose value is that of the selector: field in the AzureIdentityBinding".

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:

      1.
      2.
      3.
      

      Actual results:

      To satisfy the requirement about the lable key "aadpodidbinding", I have to use "Unmanaged" unsupported way:
      $ oc edit certmanager cluster
      ...
        managementState: Unmanaged
      ...
      Then update deployment cert-manager to add the label of key "aadpodidbinding":
      $ oc edit deployment cert-manager -n cert-manager
      ...
      spec:
        template:
          metadata:
            labels:
              aadpodidbinding: xxxx
      ...

      Expected results:

      "Unmanaged" is unsupported way, not official. We should support an official way to add labels when the default "managementState: Managed" is used. Otherwise users can't use cert-manager with dns01 solver using AAD pod identities, i.e. https://cert-manager.io/docs/configuration/acme/dns01/azuredns/#managed-identity-using-aad-pod-identities

      Additional info:

       

      Attachments

        Activity

          People

            swghosh@redhat.com Swarup Ghosh
            xxia-1 Xingxing Xia
            Xingxing Xia Xingxing Xia
            Thejas N (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: