Describe the bug:
When we helm uninstall an operator the certificate that was created leaves behind a secret. Steps to reproduce:
Expected behaviour:
When we delete the certificate the associated secret should also be deleted.
Steps to reproduce the bug:
helm install postgres-operator ~/workspace/postgres-for-kubernetes/postgres-operator/operator
NAME: postgres-operator
LAST DEPLOYED: Tue Jun 9 16:12:22 2020
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
kubectl get secrets
NAME                                    TYPE                DATA   AGE
...
postgres-operator-webhook-server-cert   kubernetes.io/tls   3      27s
helm uninstall postgres-operator
release "postgres-operator" uninstalled
kubectl get secrets
NAME                                    TYPE                DATA   AGE
...
postgres-operator-webhook-server-cert   kubernetes.io/tls   3      49s
Anything else we need to know?:
This might be a regression? See this issue.
Environment details:
kubectl apply
We also attempted to edit the static manifest and added "--enable-certificate-owner-ref=true" to the cert-manager container extra args. This doesn't seem to make a difference.
/kind bug
Thanks,
Al & @jpatel-pivotal
Could you do a describe on the secret for us?
Here is the describe output
Name:         postgres-operator-webhook-server-cert
Namespace:    default
Labels:       <none>
Annotations:  cert-manager.io/alt-names: postgres-operator-webhook-service.default.svc,postgres-operator-webhook-service.default.svc.cluster.local
              cert-manager.io/certificate-name: postgres-operator-serving-cert
              cert-manager.io/common-name:
              cert-manager.io/ip-sans:
              cert-manager.io/issuer-kind: Issuer
              cert-manager.io/issuer-name: postgres-operator-selfsigned-issuer
              cert-manager.io/uri-sans:

Type:  kubernetes.io/tls

Data
====
ca.crt:   1241 bytes
tls.crt:  1241 bytes
tls.key:  1675 bytes
@APShirley
It's because of your cert-manager configuration.
You need to set this flag in your cert-manager deployment: --enable-certificate-owner-ref=true. Then cert-manager sets an owner reference on secrets that are created by a certificate, and Kubernetes will delete the secret immediately after the certificate is deleted.
/close
@mohamadnikan2013: You can't close an active issue/PR unless you authored it or you are a collaborator.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@meyskens
Would you please close this issue?
/close
Here you go, if you still encounter this with the flag set feel free to reopen!
@meyskens: Closing this issue.
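The ownership check behind this flag, as an added example (not part of the thread and not cert-manager's own code): it scans `kubectl get secrets -o json` output for secrets that carry the cert-manager.io/certificate-name annotation but no ownerReference to that Certificate, which are the ones left behind with their tls.key after the Certificate is deleted. The sample data, the names in the second secret and the cert-manager.io/v1 owner reference shape are constructed assumptions.

```python
import json
import sys

CERT_NAME_ANNOTATION = "cert-manager.io/certificate-name"

# Constructed sample shaped like `kubectl get secrets -o json`. The first item
# mirrors the secret described in this thread (no ownerReferences); the second
# is a hypothetical secret issued with --enable-certificate-owner-ref=true.
SAMPLE = {"items": [
    {"type": "kubernetes.io/tls", "metadata": {
        "name": "postgres-operator-webhook-server-cert", "namespace": "default",
        "annotations": {CERT_NAME_ANNOTATION: "postgres-operator-serving-cert"}}},
    {"type": "kubernetes.io/tls", "metadata": {
        "name": "example-owned-cert", "namespace": "default",
        "annotations": {CERT_NAME_ANNOTATION: "example-serving-cert"},
        "ownerReferences": [{"apiVersion": "cert-manager.io/v1",
                             "kind": "Certificate",
                             "name": "example-serving-cert"}]}},
    {"type": "Opaque", "metadata": {"name": "unrelated", "namespace": "default"}},
]}


def owned_by_certificate(meta, cert_name):
    """True if the Secret carries an ownerReference to its issuing Certificate."""
    return any(
        ref.get("kind") == "Certificate"
        and ref.get("apiVersion", "").startswith("cert-manager.io/")
        and ref.get("name") == cert_name
        for ref in meta.get("ownerReferences") or []
    )


def find_unowned_secrets(secret_list):
    """List (namespace, secret, certificate) for cert-manager secrets that
    garbage collection will leave behind when the Certificate is deleted."""
    findings = []
    for secret in secret_list.get("items", []):
        meta = secret.get("metadata", {})
        cert_name = (meta.get("annotations") or {}).get(CERT_NAME_ANNOTATION)
        if cert_name and not owned_by_certificate(meta, cert_name):
            findings.append((meta.get("namespace"), meta.get("name"), cert_name))
    return findings


if __name__ == "__main__":
    # Pass a file saved from `kubectl get secrets -A -o json`, or run the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for ns, name, cert in find_unowned_secrets(data):
        print(f"{ns}/{name}: not owned by Certificate {cert}; key material persists")
```

Running it against the cluster after changing the flag shows whether newly issued secrets actually received the owner reference.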