Cert-manager: Delete Certificate when owning ingress no longer requires it

Created on 16 Sep 2018 · 5Comments · Source: jetstack/cert-manager

Is your feature request related to a problem? Please describe.
The Ingress Shim creates a Certificate resource for each element in the TLS list of an Ingress resource. When a element is subsequently deleted from this TLS list, the corresponding Certificate resource is not cleaned up.

Consequences: Although the certificate is not required any more, Cert-Manager still manages its complete lifecycle. If this happens frequently the work queue will finally contain a lot of irrelevant elements that cause evitable processing time and memory usage. Moreover, in combination with Let's Encrypt it affects the rate limit.

Describe the solution you'd like
As soon as the TLS list of an Ingress is modified, Cert-Manager should check if it once has created Certificate resources which got _unreferenced_ through this change, i.e. the control loop should delete this Certificate resource.

/kind feature

areingress-shim help wanted kinfeature lifecyclactive prioritimportant-longterm

Source

timuthy

Most helpful comment

Proposal:

For an updated Ingress resource the Ingress Shim controller gets corresponding Certificates (by owner reference or namespace / name) and checks if hosts in Ingress and DNSNames in Certificate still match.

In case of a mismatch DNSNames of the Certificate is updated or the resource is deleted entirely.

timuthy on 25 Sep 2018

👍3

All 5 comments

Proposal:

In case of a mismatch DNSNames of the Certificate is updated or the resource is deleted entirely.

timuthy on 25 Sep 2018

👍3

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale