-
Notifications
You must be signed in to change notification settings - Fork 67
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Respect maintenance time windows in cert-manager integration #153
base: main
Are you sure you want to change the base?
Conversation
Signed-off-by: Katherine Stanley <11195226+katheris@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks for the update.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess I will not -1 it if everyone else approves it. But I think this is wrong. The maintenance time window is used only for situations when Strimzi decides to do something on its own. It is not used for inputs from outside.
Cert-manager doing something is an input from outside and while I understand that someone might want to avoid that causing a rolling update in a wrong time, it should be addressed at Cert Manager side and not on our side.
Doing this in Strimzi is a slippery slope:
- It will not be clear anymore which actions fall under the maintenance window
- It will be hard to argue why other things should not fall under the maintenance window
- It does not differ from many other situations when something from outside (or someone as that is never clear which change is done by a human and which by some automated system) changes the configuration and we react to it.
(Also, it does not relate to the linked issue which is IMHO about using custom listener certificate and not custom CA)
@scholzj thanks for sharing your thoughts, it's definitely a good point about whether this can be addressed on the cert-manager side. I have started investigating whether it is possible or not, and if not whether they would be open to adding such a feature. Specifically on your point about determining what falls under the maintenance window, as far as I know today maintenance time windows are only used for determining when Strimzi renews certificates (triggering the Pods to roll). For me it feels like Strimzi determining when to start using new certificates from cert-manager is a similar type of decision so I don't agree that it will make it harder to defend not having maintenance windows apply elsewhere.
Although the linked issued was about custom listener certificates, my understanding from talking to the user was that if there was a cert-manager integration then they would switch to using it and then would run into this issue. So I agree it does not directly resolve the issue they raised, but I think it is related. |
I do not think you can see it as the same thing when in one case we renew the certificate and in the other case someone else (Cert-Manager) does it. That makes it similar to a change caused by the infrastructure for example rather than to our current CA renewal.
It is a bit confusing, but the way the user describes it they use a server certificate signed by their Corporate CA. They will not give Strimzi access to such CA to use it directly and they will not let Strimzi issue certificates with our CNs. That much seems pretty clear from the comments. |
Update to proposal 100 to account for maintenance time windows.