Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Respect maintenance time windows in cert-manager integration #153

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

katheris
Copy link
Contributor

Update to proposal 100 to account for maintenance time windows.

Signed-off-by: Katherine Stanley <11195226+katheris@users.noreply.github.com>
Copy link
Contributor

@fvaleri fvaleri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for the update.

Copy link
Member

@scholzj scholzj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess I will not -1 it if everyone else approves it. But I think this is wrong. The maintenance time window is used only for situations when Strimzi decides to do something on its own. It is not used for inputs from outside.

Cert-manager doing something is an input from outside and while I understand that someone might want to avoid that causing a rolling update in a wrong time, it should be addressed at Cert Manager side and not on our side.

Doing this in Strimzi is a slippery slope:

  • It will not be clear anymore which actions fall under the maintenance window
  • It will be hard to argue why other things should not fall under the maintenance window
  • It does not differ from many other situations when something from outside (or someone as that is never clear which change is done by a human and which by some automated system) changes the configuration and we react to it.

(Also, it does not relate to the linked issue which is IMHO about using custom listener certificate and not custom CA)

@katheris
Copy link
Contributor Author

@scholzj thanks for sharing your thoughts, it's definitely a good point about whether this can be addressed on the cert-manager side. I have started investigating whether it is possible or not, and if not whether they would be open to adding such a feature.

Specifically on your point about determining what falls under the maintenance window, as far as I know today maintenance time windows are only used for determining when Strimzi renews certificates (triggering the Pods to roll). For me it feels like Strimzi determining when to start using new certificates from cert-manager is a similar type of decision so I don't agree that it will make it harder to defend not having maintenance windows apply elsewhere.

Also, it does not relate to the linked issue which is IMHO about using custom listener certificate and not custom CA

Although the linked issued was about custom listener certificates, my understanding from talking to the user was that if there was a cert-manager integration then they would switch to using it and then would run into this issue. So I agree it does not directly resolve the issue they raised, but I think it is related.

@scholzj
Copy link
Member

scholzj commented Mar 12, 2025

Specifically on your point about determining what falls under the maintenance window, as far as I know today maintenance time windows are only used for determining when Strimzi renews certificates (triggering the Pods to roll). For me it feels like Strimzi determining when to start using new certificates from cert-manager is a similar type of decision so I don't agree that it will make it harder to defend not having maintenance windows apply elsewhere.

I do not think you can see it as the same thing when in one case we renew the certificate and in the other case someone else (Cert-Manager) does it. That makes it similar to a change caused by the infrastructure for example rather than to our current CA renewal.

Although the linked issued was about custom listener certificates, my understanding from talking to the user was that if there was a cert-manager integration then they would switch to using it and then would run into this issue. So I agree it does not directly resolve the issue they raised, but I think it is related.

It is a bit confusing, but the way the user describes it they use a server certificate signed by their Corporate CA. They will not give Strimzi access to such CA to use it directly and they will not let Strimzi issue certificates with our CNs. That much seems pretty clear from the comments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants