
I recently needed to share a TLS configuration between two different namespaces. Looking at the docs, I saw that you can use reflector to sync secrets between namespaces. I copy/pasted the documented code from the docs to set this up; however, the secret created by cert-manager is not given the annotations set in the secretTemplate. I'm not sure what the problem is, and I'm hoping someone can point out something I may be missing.

I installed cert-manager and reflector via their respective Helm charts:

helm repo add jetstack https://charts.jetstack.io --force-update
helm repo add emberstack https://emberstack.github.io/helm-charts
helm repo update
helm upgrade --install reflector emberstack/reflector
helm upgrade --install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.14.5 \
  --set installCRDs=true

Files:

issuer.yml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-issuer
  namespace: cert-manager
spec:
  selfSigned: {}

certificate.yml

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tls-ca
  namespace: cert-manager
spec:
  secretName: tls-ca
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "ns1,ns2"
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "ns1,ns2"
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - jetstack
  isCA: true
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - localhost
  uris:
    - https://some-url.com
  ipAddresses:
    - 1.2.3.4
  issuerRef:
    name: my-issuer
    kind: Issuer

When I run the describe command on the secret generated by cert-manager:

kubectl describe secret tls-ca -n cert-manager

The output is the following:

Name:         tls-ca-2x4zw
Namespace:    cert-manager
Labels:       cert-manager.io/next-private-key=true
              controller.cert-manager.io/fao=true
Annotations:  <none>

Type: Opaque

Data

tls.key: 1704 bytes

As you can see, the annotations from secretTemplate are not present. Because of this (I believe) the secrets are not made available in the namespaces I need them in.

Is there more configuration required for this to work? I could not find any other documentation on this.

1 Answer


I found my problem: I forgot to change the ref to ClusterIssuer. If you look, you can see the issuerRef is set to Issuer, while the issuer itself is a ClusterIssuer.
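The mismatch the answer describes (and the temporary secret the question happened to describe) can be caught before anything is applied to a cluster. The following is an added example for this thread, not code from the original post, from cert-manager or from reflector: a small offline linter that takes the Certificate, the issuers and the inspected Secret as the objects `kubectl get ... -o json` (or `yaml.safe_load` on the manifest files) would return, and reports an issuerRef whose kind does not match any existing issuer, reflector auto-namespaces that are not also allowed, and a Secret that carries cert-manager's `cert-manager.io/next-private-key` label (the temporary private-key secret, which never receives the secretTemplate annotations). The three input objects are constructed inline to mirror the manifests and describe output above; `fixed_certificate` applies the correction from the answer.

```python
"""Offline sanity checks for a cert-manager Certificate, its issuer and the
resulting Secret. Added example for this thread, not code from the original
post, from cert-manager or from reflector. It works on objects as returned by
`kubectl get <kind> <name> -o json` (or yaml.safe_load on the manifest files)
and encodes the rules a reviewer would apply by hand to the manifests above."""
import copy
import json

REFLECTOR = "reflector.v1.k8s.emberstack.com/"

# Constructed input: the ClusterIssuer from the question (metadata.namespace
# dropped, since a ClusterIssuer is cluster-scoped and ignores it).
CLUSTER_ISSUER = json.loads("""
{"apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
 "metadata": {"name": "my-issuer"}, "spec": {"selfSigned": {}}}""")

# Constructed input: the Certificate from the question, still pointing at
# kind Issuer while the issuer is actually a ClusterIssuer.
CERTIFICATE = json.loads("""
{"apiVersion": "cert-manager.io/v1", "kind": "Certificate",
 "metadata": {"name": "tls-ca", "namespace": "cert-manager"},
 "spec": {"secretName": "tls-ca", "isCA": true,
          "secretTemplate": {"annotations": {
            "reflector.v1.k8s.emberstack.com/reflection-allowed": "true",
            "reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces": "ns1,ns2",
            "reflector.v1.k8s.emberstack.com/reflection-auto-enabled": "true",
            "reflector.v1.k8s.emberstack.com/reflection-auto-namespaces": "ns1,ns2"}},
          "issuerRef": {"name": "my-issuer", "kind": "Issuer"}}}""")

# Constructed input: the Secret shown by `kubectl describe` in the question.
TEMP_SECRET = json.loads("""
{"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
 "metadata": {"name": "tls-ca-2x4zw", "namespace": "cert-manager",
              "labels": {"cert-manager.io/next-private-key": "true"}}}""")


def check_issuer_ref(cert, issuers):
    """Findings about spec.issuerRef. cert-manager defaults kind to the
    namespaced "Issuer"; a ClusterIssuer only matches kind "ClusterIssuer"."""
    ref = cert["spec"].get("issuerRef", {})
    kind, name = ref.get("kind", "Issuer"), ref.get("name")
    ns = cert["metadata"].get("namespace", "default")
    for issuer in issuers:
        if issuer["kind"] != kind or issuer["metadata"]["name"] != name:
            continue
        if kind != "Issuer" or issuer["metadata"].get("namespace", "default") == ns:
            return []
    findings = [f"issuerRef {kind}/{name} not found for Certificate {ns}/{cert['metadata']['name']}"]
    # The mistake in the question: right name, wrong kind.
    for issuer in issuers:
        if issuer["metadata"]["name"] == name and issuer["kind"] != kind:
            findings.append(f"an issuer named {name} exists with kind {issuer['kind']}; "
                            f"set issuerRef.kind: {issuer['kind']}")
    return findings


def _namespaces(value):
    """Split a reflector comma-separated namespace list (regex entries are
    compared literally here; an empty list means 'all namespaces')."""
    return {n.strip() for n in (value or "").split(",") if n.strip()}


def check_reflector_annotations(cert):
    """Findings about the reflector annotations in spec.secretTemplate."""
    ann = cert["spec"].get("secretTemplate", {}).get("annotations", {})
    findings = []
    if ann.get(REFLECTOR + "reflection-allowed") != "true":
        findings.append("reflection-allowed is not \"true\"; reflector will not mirror the secret")
    allowed = _namespaces(ann.get(REFLECTOR + "reflection-allowed-namespaces"))
    auto = _namespaces(ann.get(REFLECTOR + "reflection-auto-namespaces"))
    if ann.get(REFLECTOR + "reflection-auto-enabled") == "true" and allowed:
        for ns in sorted(auto - allowed):
            findings.append(f"auto namespace {ns} is not in reflection-allowed-namespaces")
    return findings


def check_secret(secret, cert):
    """Findings about the Secret that was actually inspected."""
    meta = secret["metadata"]
    if meta.get("labels", {}).get("cert-manager.io/next-private-key") == "true":
        return [f"{meta['name']} is cert-manager's temporary private-key secret, not "
                f"the issued secret {cert['spec']['secretName']}; secretTemplate only "
                "applies to the issued secret"]
    wanted = cert["spec"].get("secretTemplate", {}).get("annotations", {})
    present = meta.get("annotations") or {}
    return [f"annotation {k} missing from secret {meta['name']}" for k in wanted if k not in present]


def lint(cert, issuers, secret=None):
    """All findings for one Certificate; an empty list means nothing to fix."""
    findings = check_issuer_ref(cert, issuers) + check_reflector_annotations(cert)
    if secret is not None:
        findings += check_secret(secret, cert)
    return findings


def fixed_certificate(cert):
    """The correction from the answer: point issuerRef at the ClusterIssuer."""
    fixed = copy.deepcopy(cert)
    fixed["spec"]["issuerRef"]["kind"] = "ClusterIssuer"
    return fixed


if __name__ == "__main__":
    for finding in lint(CERTIFICATE, [CLUSTER_ISSUER], TEMP_SECRET):
        print("FINDING:", finding)
    print("after fix:", lint(fixed_certificate(CERTIFICATE), [CLUSTER_ISSUER]))
```

Run as a script it prints three findings for the manifests as posted (issuer not found, same-named ClusterIssuer suggested, temporary secret inspected) and an empty list once `issuerRef.kind` is `ClusterIssuer`. To use it against a live cluster, feed it the output of `kubectl get certificate,clusterissuer,issuer,secret -o json` instead of the constructed objects; the check on `reflection-auto-namespaces` versus `reflection-allowed-namespaces` is there because reflector only auto-creates mirrors in namespaces the secret is also allowed to reflect into.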