From f4dc243b776b6e5b99632b410d253bcf8b56543b Mon Sep 17 00:00:00 2001
From: irbekrm
Date: Fri, 2 Jun 2023 13:45:10 +0100
Subject: [PATCH] Document what fao stands for in the controller.cert-manager.io/fao label
Signed-off-by: irbekrm
---
 design/20221205-memory-management.md | 4 +++-
 pkg/apis/certmanager/v1/types.go | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/design/20221205-memory-management.md b/design/20221205-memory-management.md
index 5734d96f7..b6c64e0f5 100644
--- a/design/20221205-memory-management.md
+++ b/design/20221205-memory-management.md
@@ -154,7 +154,7 @@ See issue description here https://github.com/cert-manager/cert-manager/issues/4
 ## Design details
 ### Implementation
-Ensure that `certificate.Spec.SecretName` `Secret` as well as the `Secret` with temporary private key are labelled with a `controller.cert-manager.io/fao: true` label.
+Ensure that `certificate.Spec.SecretName` `Secret` as well as the `Secret` with temporary private key are labelled with a `controller.cert-manager.io/fao: true` [^2] label.
 The temporary private key `Secret` is short lived so it should be okay to only label it on creation.
 The `certificate.Spec.SecretName` `Secret` should be checked for the label value on every reconcile of the owning `Certificate`, same as with the secret template labels and annotations, see [here](https://github.com/cert-manager/cert-manager/blob/v1.10.1/pkg/controller/certificates/issuing/issuing_controller.go#L187-L191).
@@ -705,3 +705,5 @@ This should ensure that a `Secret` that our control loop needs, but is not label
 - complexity of implementation and maintenance of a custom caching mechanism
 [^1]: We thought this might happen when the known cert-manager label gets added to or removed from a `Secret`. There is a mechanism for removing such `Secret` from a cache that should no longer have it, see [this Slack conversation](https://kubernetes.slack.com/archives/C0EG7JC6T/p1671476139766499) and when experimenting with the prototype implementation I have not observed stale cache when adding/removing labels
+
+[^2]: fao = 'for attention of'
diff --git a/pkg/apis/certmanager/v1/types.go b/pkg/apis/certmanager/v1/types.go
index 679d75962..276722793 100644
--- a/pkg/apis/certmanager/v1/types.go
+++ b/pkg/apis/certmanager/v1/types.go
@@ -26,6 +26,7 @@ const (
 	// might want to set this (with a value of 'true') to any other Secrets
 	// that cert-manager controller needs to read, such as issuer
 	// credentials Secrets.
+	// fao = 'for attention of'
 	// See https://github.com/cert-manager/cert-manager/blob/master/design/20221205-memory-management.md#risks-and-mitigations
 	PartOfCertManagerControllerLabelKey = "controller.cert-manager.io/fao"
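Review bot: The added line `// fao = 'for attention of'` in the types.go hunk is a bare fragment dropped between two sentences of the doc comment on PartOfCertManagerControllerLabelKey, so in godoc it reads as a stray note rather than as part of the explanation of the key. It would read better as a full sentence placed where the key suffix is first mentioned, e.g. `// The "fao" suffix in the label key stands for "for attention of".` followed by the existing `// See https://...` pointer. The doc comment this hunk touches starts above the hunk, so the opening sentence that introduces the label key is not visible here; the expansion belongs next to that sentence if it names the key.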