Skip to content

helm: cert-manager issuer group hardcoded to cert-manager.io breaks external issuers (e.g. aws-privateca-issuer) #1798

Description

@maintux-nn

Problem

The certificate.yaml Helm template hardcodes group: cert-manager.io
when generating the cert-manager Certificate resource, even when
tls.certManager.existingIssuer.enabled=true.

This breaks setups that use external cert-manager issuer plugins whose
group differs from the standard one. For example, the
aws-privateca-issuer plugin uses the group awspca.cert-manager.io,
and providing an existingIssuer with kind: AWSPCAIssuer without the
correct group causes cert-manager to fail resolving the issuer.

Expected behavior

When tls.certManager.existingIssuer.enabled=true, the group field of
the issuer reference should be configurable by the user.

Fix

Add a tls.certManager.existingIssuer.group value (defaulting to
cert-manager.io for backward compatibility) and use it in the template.

A PR is open for this: #1797

Metadata

Metadata

Assignees

No one assigned

    Labels

    needs-triageIndicates an issue or PR lacks a `triage/foo` label and requires one.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Needs Triage

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions