Merge pull request #6125 from irbekrm/explain_fao

Document what fao stands for in the controller.cert-manager.io/fao label
jetstack-bot 2023-06-06 14:09:45 +02:00, committed by GitHub
commit f8940ab5c4
Signature: no known key found for this signature in database (GPG Key ID: 4AEE18F83AFDEB23)
2 changed files with 4 additions and 1 deletion

@ -154,7 +154,7 @@ See issue description here https://github.com/cert-manager/cert-manager/issues/4
## Design details
### Implementation
Ensure that `certificate.Spec.SecretName` `Secret` as well as the `Secret` with temporary private key are labelled with a `controller.cert-manager.io/fao: true` label.
Ensure that `certificate.Spec.SecretName` `Secret` as well as the `Secret` with temporary private key are labelled with a `controller.cert-manager.io/fao: true` [^2] label.
The temporary private key `Secret` is short lived so it should be okay to only label it on creation.
The `certificate.Spec.SecretName` `Secret` should be checked for the label value on every reconcile of the owning `Certificate`, same as with the secret template labels and annotations, see [here](https://github.com/cert-manager/cert-manager/blob/v1.10.1/pkg/controller/certificates/issuing/issuing_controller.go#L187-L191).
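Review bot: The `[^2]` footnote is attached to the label on line 154, but its text lives around line 707, so a reader meeting `controller.cert-manager.io/fao` here must jump to the end of the document to learn what the suffix means; consider spelling it out inline on this first use, e.g. `controller.cert-manager.io/fao: true` ("fao" = "for attention of"), and keeping the footnote for later references.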
@ -705,3 +705,5 @@ This should ensure that a `Secret` that our control loop needs, but is not label
- complexity of implementation and maintenance of a custom caching mechanism
[^1]: We thought this might happen when the known cert-manager label gets added to or removed from a `Secret`. There is a mechanism for removing such `Secret` from a cache that should no longer have it, see [this Slack conversation](https://kubernetes.slack.com/archives/C0EG7JC6T/p1671476139766499) and when experimenting with the prototype implementation I have not observed stale cache when adding/removing labels
[^2]: fao = 'for attention of'
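Review bot: The footnote gives the expansion but not the sense of it; since the label marks Secrets that the cert-manager controller needs to read, a short clause such as `[^2]: fao = 'for attention of' (the Secret is marked for attention of the cert-manager controller)` would explain the name, not only decode it, and would match the wording a reader finds in the code comment.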

@ -26,6 +26,7 @@ const (
// might want to set this (with a value of 'true') to any other Secrets
// that cert-manager controller needs to read, such as issuer
// credentials Secrets.
// fao = 'for attention of'
// See https://github.com/cert-manager/cert-manager/blob/master/design/20221205-memory-management.md#risks-and-mitigations
PartOfCertManagerControllerLabelKey = "controller.cert-manager.io/fao"
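Review bot: The new `// fao = 'for attention of'` line sits between the description and the `See` link, where it reads as a detached fragment in the godoc output; moving it to the first sentence of the comment and phrasing it as prose, e.g. `// PartOfCertManagerControllerLabelKey ("fao" = "for attention of") marks Secrets that the cert-manager controller needs to read.`, puts the expansion where readers of the constant see it first.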