Cert-manager: Clean up certificate secret when certificate is deleted

Created on 13 Sep 2018 · 7 Comments · Source: jetstack/cert-manager

Is your feature request related to a problem? Please describe.
When a certificate is deleted it would be nice if the secret created by it was also removed

Describe the solution you'd like
When doing kubectl delete certificate x the secret associated with the certificate would be removed.

Describe alternatives you've considered
Manual cleanup which is annoying

Additional context
cert-manager could put an owner reference on the secret pointing to the certificate CRD; then it would be cleaned up by Kubernetes automatically.

/kind feature

kind/feature lifecycle/rotten

All 7 comments

#819 implements this 😄

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

I see this issue too:

$ kubectl get certs
NAME             AGE
ccp-mysql-cert   5m

$ kubectl get cert ccp-mysql-cert -o=jsonpath='{.spec.secretName}'
ccp-mysql-cert-secret

$ kubectl get secret ccp-mysql-cert-secret
NAME                    TYPE                DATA   AGE
ccp-mysql-cert-secret   kubernetes.io/tls   2      73m

# delete cert
$ kubectl delete cert ccp-mysql-cert 
certificate.certmanager.k8s.io "ccp-mysql-cert" deleted

$ kubectl get certs
NAME          AGE

# stale secret of deleted cert still exists
$ kubectl get secret ccp-mysql-cert-secret
NAME                    TYPE                DATA   AGE
ccp-mysql-cert-secret   kubernetes.io/tls   2      74m

Seeing this issue with quay.io/jetstack/cert-manager-controller:v0.5.2. Would be nice if cert-manager's cert deletes its underlying secret too so that there are no stale/old secrets.

@vhosakot this was implemented in v0.6 and can be enabled with a flag #819

/close

@munnerz: Closing this issue.

Cool, thanks @munnerz!
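
The check below is an added example, not part of the original thread or cert-manager's code: it classifies each `kubernetes.io/tls` secret by whether it carries an owner reference to a live Certificate (the mechanism proposed in the issue), is only named by a Certificate's `spec.secretName`, or is named by none, like the leftover secret shown in the terminal session above. The function name, status labels and sample objects are assumptions constructed for illustration; TLS secrets created outside cert-manager also show up as orphaned, so the result is a list to review.

```python
# Added example with constructed sample data; not cert-manager code.
TLS = "kubernetes.io/tls"

def classify_tls_secrets(certificates, secrets):
    """Map "namespace/name" of each TLS secret to one of:
    owned      - ownerReference to a live Certificate; Kubernetes garbage
                 collection deletes the secret with that Certificate
    referenced - named by a Certificate's spec.secretName but not owned, so it
                 is left behind when the Certificate is deleted
    orphaned   - no Certificate in its namespace names it (stale key material
                 or a TLS secret that cert-manager never managed)
    """
    live_uids = {c["metadata"]["uid"] for c in certificates}
    named = {(c["metadata"]["namespace"], c["spec"]["secretName"]) for c in certificates}
    report = {}
    for secret in secrets:
        if secret.get("type") != TLS:
            continue  # only TLS secrets hold certificate private keys
        meta = secret["metadata"]
        key = (meta["namespace"], meta["name"])
        owners = meta.get("ownerReferences", [])
        if any(o.get("kind") == "Certificate" and o.get("uid") in live_uids for o in owners):
            status = "owned"
        elif key in named:
            status = "referenced"
        else:
            status = "orphaned"
        report["/".join(key)] = status
    return report

def _obj(ns, name, meta=None, **extra):
    """Build a minimal object shaped like an item of `kubectl get <kind> -o json`."""
    return {"metadata": {"namespace": ns, "name": name, **(meta or {})}, **extra}

# Constructed sample objects (hypothetical names and uids, except the secret from the thread).
CERTS = [
    _obj("default", "web-cert", meta={"uid": "uid-web"}, spec={"secretName": "web-cert-secret"}),
    _obj("default", "api-cert", meta={"uid": "uid-api"}, spec={"secretName": "api-cert-secret"}),
]
SECRETS = [
    _obj("default", "web-cert-secret", type=TLS, meta={"ownerReferences": [
        {"kind": "Certificate", "name": "web-cert", "uid": "uid-web"}]}),
    _obj("default", "api-cert-secret", type=TLS),
    _obj("default", "ccp-mysql-cert-secret", type=TLS),  # its Certificate was deleted
    _obj("staging", "api-cert-secret", type=TLS),        # same name, other namespace
    _obj("default", "app-config", type="Opaque"),
]

if __name__ == "__main__":
    for name, status in sorted(classify_tls_secrets(CERTS, SECRETS).items()):
        print(f"{status:<10} {name}")
```
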
