No longer able to specify cert-manager issuer to generate node and client certificates with
0fau opened this issue · comments
This PR #337 removed the ability to specify a cert-manager issuer from which node and client certificates are generated. These changes force users who want to use cert-manager in some capacity to generate node and client certs from a self-signed CA issuer. This is great for people who want to bootstrap a cluster right away, but it introduces a feature regression of less flexibility, counter to how cert-manager integrations should work.
My specific use case is that I manage all my certificates within Vault so that it is contained. I've been using a Vault issuer and it worked fine with previous releases of this Helm chart because I could configure the chart to do so. I'm not able to anymore.
Hi @0fau
You should still be able to use your vault issuer by disabling the flag:
tls.certs.certManagerIssuer.isSelfSignedIssuer: false
Please try and let me know if you face any issues.
I tried that flag and I believe I'm still only able to specify the issuer for the CA cert, while I'd like to be able to generate node and client certificates using a custom issuer. This is because I'd like the lifecycle of my certificates to be managed within Vault.
Can second this. Just tried to bootstrap a CRDB cluster from the newest chart version and ran into the issue that I can't, as a wrong (non-existing) issuer is used for requesting the certificates:
```yaml
cockroachdb:
  tls:
    certs:
      certManagerIssuer:
        group: cert-manager.io
        kind: ClusterIssuer
        name: crdb-issuer
        # Make it false when you are providing your own CA issuer
        isSelfSignedIssuer: false
```
The values.yaml still provides these options, but they aren't used, breaking the setup. The screenshot above explains this.