fix(cert-manager): resolve reconciliation issues with enableCertificateOwnerRef#352
fix(cert-manager): resolve reconciliation issues with enableCertificateOwnerRef#352valen-mascarenhas14 wants to merge 4 commits into
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: valen-mascarenhas14 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Hi @valen-mascarenhas14. Thanks for your PR. I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Signed-off-by: Valen Mascarenhas <valen.mascarenhas@ibm.com>
335cf3d to
f6cada7
Compare
| } | ||
| hours := days * 24 | ||
| result.WriteString(fmt.Sprintf("%gh", hours)) | ||
| numStr.Reset() |
There was a problem hiding this comment.
I think this chunk of code can be made very simple. Just trimming the last character and converting the remaining to Integer, should help.
Please try and check!
There was a problem hiding this comment.
@GunaKKIBM The current logic was kept generic to support duration strings like 23d4h too
|
@valen-mascarenhas14, could you please add the test results here? Pod logs should be good. |
ArkaSaha30
left a comment
There was a problem hiding this comment.
Can we validate if the cascading cleanup happens on EtcdCluster deletion when the certificate secret is having cert-manager ownerRef?
Manual validation should be good for now.
| days, err := strconv.ParseFloat(numStr.String(), 64) | ||
| if err != nil { | ||
| return 0, fmt.Errorf("failed to parse day value in ValidityDuration: %w", err) | ||
| } |
There was a problem hiding this comment.
Can we use regex to simplify the parsing logic?
Something like regexp.MustCompile(([0-9.]+)(d)) to get the no of days and then calculate the hours?
There was a problem hiding this comment.
Thanks, have used regex to simplify the parsing logic
| result.WriteByte(ch) | ||
| } | ||
| } | ||
| // Append any remaining number |
There was a problem hiding this comment.
This block can also be omitted if we use regex instead of index parsing.
@ArkaSaha30 I noticed that cascading cleanup would fail when the certificate secret had cert-manager ownerRef. I've made the code changes for the same . Below is how it looks after the code changes. PTAL. |
23d0466 to
db038b1
Compare
db038b1 to
23d0466
Compare
Signed-off-by: Valen Mascarenhas <valen.mascarenhas@ibm.com>
Signed-off-by: Valen Mascarenhas <valen.mascarenhas@ibm.com>
23d0466 to
e458e14
Compare
Fixes #331
PR Description
Problem
The operator cannot reconcile ETCD clusters when using cert-manager configured with
enableCertificateOwnerRef=true. This manifests in two ways:Certificate creation fails due to invalid duration parsing:
Owner reference conflicts when cert-manager's
enableCertificateOwnerRef=truesets Certificate as the controller owner of TLS secrets, preventing the operator from managing them.Root Causes
Duration Parsing Issue:
Go's
time.ParseDurationdoesn't support day units (d), but the sample configuration and API documentation use day-based durations like"365d"and"100d12h".Owner Reference Issue:
When
enableCertificateOwnerRef=true, cert-manager sets itself as the controller owner of TLS secrets. The operator was attempting to overwrite this ownership, causing reconciliation failures.Solution
1. Duration Parsing Fix:
Enhanced
parseValidityDurationto automatically convert day units to hours:"365d"→"8760h"(365 × 24 hours)"100d12h"→"2412h"(100 × 24 + 12 hours)2. Owner Reference Fix:
Modified secret ownership logic to: