Certificates not managed by Kuadrant getting deleted #1101

Closed
roivaz opened this issue Jan 8, 2025 · 0 comments · Fixed by #1102

roivaz commented Jan 8, 2025

Describe the bug

kuadrant-operator seems to delete any cert-manager Certificate resource that is not directly managed by Kuadrant. Even without a TLSPolicy in place, each time the kuadrant-operator-controller-manager pod starts, it wipes out any Certificate resources in any namespace.

Logs (debug mode) show the Certificate deletion event, but not the actual deletion operation itself:

{"level":"info","ts":"2025-01-07T17:21:34Z","logger":"kuadrant-operator.event logger","msg":"new event","type":"delete","kind":"Certificate","namespace":"3scale-saas","name":"wildcard-stg-saas-3sca-net-cert"}
{"level":"info","ts":"2025-01-07T17:21:34Z","logger":"kuadrant-operator.event logger","msg":"new event","type":"delete","kind":"Certificate","namespace":"3scale-saas","name":"stg-saas-wildcard-apicast-production"}
{"level":"info","ts":"2025-01-07T17:21:34Z","logger":"kuadrant-operator.event logger","msg":"new event","type":"delete","kind":"Certificate","namespace":"3scale-saas","name":"stg-saas-wildcard-apicast-staging"}
{"level":"info","ts":"2025-01-07T17:21:34Z","logger":"kuadrant-operator.event logger","msg":"new event","type":"delete","kind":"Certificate","namespace":"openshift-ingress","name":"default-ingress-wildcard-certificate"}

To Reproduce
Steps to reproduce the behavior:

  1. Have cert-manager installed in the cluster, with some Certificate resources in place
  2. Install kuadrant-operator, a Kuadrant resource and a Gateway
  3. Check that as soon as the kuadrant-operator starts, it picks up the Certificates that already exist in the cluster. Then, those Certificates are deleted, I'm assuming by the kuadrant-operator-controller-manager pod itself. The behavior can be forced by just deleting the pod and letting it start again.

Expected behavior
Any Certificate resource that is not directly managed by Kuadrant should be left intact.

Additional context

Pasting the topology here. Note that this is still a work in progress and there are no Kuadrant policies yet, nor are there any HTTPRoutes attached to the Gateway yet.

digraph  {

        n5[label="Authorino\nkuadrant-system/authorino",shape="ellipse"];
        n7[label="ClusterIssuer\nletsencrypt-production",shape="ellipse"];
        n8[label="ClusterIssuer\nletsencrypt-staging",shape="ellipse"];
        n2[label="ConfigMap\nkuadrant-system/topology",shape="ellipse"];
        n9[label="ConsolePlugin\nkuadrant-console-plugin",shape="ellipse"];
        n12[fillcolor="#e5e5e5",label="Gateway\n3scale-saas/saas",shape="box",style="filled"];
        n20[fillcolor="#e5e5e5",label="Listener\n3scale-saas/saas#http",shape="box",style="filled"];
        n16[fillcolor="#e5e5e5",label="Listener\n3scale-saas/saas#http-pub",shape="box",style="filled"];
        n17[fillcolor="#e5e5e5",label="Listener\n3scale-saas/saas#https-3scale",shape="box",style="filled"];
        n13[fillcolor="#e5e5e5",label="Listener\n3scale-saas/saas#https-3scale-pub",shape="box",style="filled"];
        n19[fillcolor="#e5e5e5",label="Listener\n3scale-saas/saas#https-apicast-production",shape="box",style="filled"];
        n15[fillcolor="#e5e5e5",label="Listener\n3scale-saas/saas#https-apicast-production-pub",shape="box",style="filled"];
        n18[fillcolor="#e5e5e5",label="Listener\n3scale-saas/saas#https-apicast-staging",shape="box",style="filled"];
        n14[fillcolor="#e5e5e5",label="Listener\n3scale-saas/saas#https-apicast-staging-pub",shape="box",style="filled"];
        n11[fillcolor="#e5e5e5",label="GatewayClass\nistio",shape="box",style="filled"];
        n10[fillcolor="#e5e5e5",label="GatewayClass\nistio-remote",shape="box",style="filled"];
        n6[label="Issuer\n3scale-saas/letsencrypt-staging",shape="ellipse"];
        n1[label="Kuadrant\nkuadrant-system/kuadrant",shape="ellipse"];
        n3[label="Limitador\nkuadrant-system/limitador",shape="ellipse"];
        n4[label="Limitador\nlimitador/cluster",shape="ellipse"];
        n12->n13[comment="Gateway -> Listener"];
        n12->n14[comment="Gateway -> Listener"];
        n12->n15[comment="Gateway -> Listener"];
        n12->n16[comment="Gateway -> Listener"];
        n12->n17[comment="Gateway -> Listener"];
        n12->n18[comment="Gateway -> Listener"];
        n12->n19[comment="Gateway -> Listener"];
        n12->n20[comment="Gateway -> Listener"];
        n11->n12[comment="GatewayClass -> Gateway"];
        n1->n10[comment="Kuadrant -> GatewayClass"];
        n1->n11[comment="Kuadrant -> GatewayClass"];
        n1->n3[comment="Kuadrant -> Limitador"];
        n1->n5[comment="Kuadrant -> Authorino"];
}
@KevFan KevFan self-assigned this Jan 8, 2025
@KevFan KevFan moved this to In Progress in Kuadrant Jan 8, 2025
@github-project-automation github-project-automation bot moved this from In Progress to Done in Kuadrant Jan 9, 2025
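
As an added example (not part of the issue or of the kuadrant-operator code base), this Go program scans debug logs in the event-logger format quoted in the issue and lists Certificate delete events in namespaces where no operator-owned Certificates are expected. The `managed` allowlist, the `gateway-tls` namespace and the last three sample lines are constructed assumptions; the first two sample lines are copied from the issue.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// event holds the fields of one event-logger line; encoding/json matches
// the lower-case keys ("type", "kind", ...) to these fields case-insensitively.
type event struct{ Logger, Type, Kind, Namespace, Name string }

// Sample input: lines 1-2 are from the issue, lines 3-5 are constructed.
const sampleLog = `{"level":"info","ts":"2025-01-07T17:21:34Z","logger":"kuadrant-operator.event logger","msg":"new event","type":"delete","kind":"Certificate","namespace":"3scale-saas","name":"wildcard-stg-saas-3sca-net-cert"}
{"level":"info","ts":"2025-01-07T17:21:34Z","logger":"kuadrant-operator.event logger","msg":"new event","type":"delete","kind":"Certificate","namespace":"openshift-ingress","name":"default-ingress-wildcard-certificate"}
{"level":"info","ts":"2025-01-07T17:21:35Z","logger":"kuadrant-operator.event logger","msg":"new event","type":"delete","kind":"Certificate","namespace":"gateway-tls","name":"constructed-managed-cert"}
{"level":"info","ts":"2025-01-07T17:21:35Z","logger":"kuadrant-operator.event logger","msg":"new event","type":"create","kind":"Certificate","namespace":"3scale-saas","name":"constructed-new-cert"}
starting manager`

// unexpectedCertDeletes returns "namespace/name" for every Certificate delete
// event logged outside the namespaces listed in managed (an assumed allowlist
// of namespaces where operator-owned Certificates are expected).
func unexpectedCertDeletes(log string, managed map[string]bool) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		var e event
		if json.Unmarshal(sc.Bytes(), &e) != nil {
			continue // not a JSON log line (banner, stack trace, blank)
		}
		if e.Logger != "kuadrant-operator.event logger" {
			continue // only the event logger reports watched-resource events
		}
		if e.Type == "delete" && e.Kind == "Certificate" && !managed[e.Namespace] {
			hits = append(hits, e.Namespace+"/"+e.Name)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	for _, h := range unexpectedCertDeletes(sampleLog, map[string]bool{"gateway-tls": true}) {
		fmt.Println("unexpected Certificate delete:", h)
	}
}
```
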