Using the value from copied-annotation-prefixes flag, where by default kubectl, fluxcd, argocd annotations are excluded
Signed-off-by: irbekrm <irbekrm@gmail.com>
Kubernetes is removing support for the v1beta1 Ingress type in 1.22: https://kubernetes.io/blog/2021/07/14/upcoming-changes-in-kubernetes-1-22/#api-changes
However, we still wish to support k8s v1.16 until mid 2022 when Openshift 3 becomes out of support.
cert-manager will now use v1 Ingress if available by using the discovery API.
Signed-off-by: Jake Sanders <i@am.so-aweso.me>
The Gateway CRD has to be installed, meaning that the CRDs may be
installed after cert-manager. We don't want cert-manager to crash in
that case; instead, we let the user know that cert-manager will keep
retrying looking for the CRDs with this message on startup:
controller.go:181] cert-manager/controller/build-context "msg"="the
Gateway API CRDs do not seem to be present, cert-manager will keep
retrying watching for them"
The user then sees the following message printed (using an exponential
back-off):
reflector.go:167: Failed to watch *v1alpha1.Gateway: failed to list
*v1alpha1.Gateway: the server could not find the requested resource
(get gateways.networking.x-k8s.io)
Signed-off-by: Maël Valais <mael@vls.dev>
Note that the gateway-shim is only half the work for supporting the
Gateway API in cert-manager. The other half is the HTTP01 solver
support, which is still worked on.
The Gateway API in cert-manager is releases as an experimental feature
and needs to be enabled manually with the following flag:
--controllers=*,gateway-shim
All the annotations supported by ingress-shim are also supported by
gateway-shim, with some exceptions:
"acme.cert-manager.io/http01-ingress-class"
This annotation is not supported on the Gateway resource. Although the
Gateway resource also has a "gatewayClass" field, we will need to add
another field instead of "ingress-class" to avoid confusion with the
ingress-shim.
"acme.cert-manager.io/http01-edit-in-place"
This annotation is not supported because it is specific to some ingress
controllers like ingress-gce.
"kubernetes.io/tls-acme"
This annotation is not supported because it is a behavior inherited from
kube-lego and we chose not to keep this behavior with the Gateway API.
Unlike the ingress-shim, you can reuse the same Secret name in multiple
TLS configurations on the same Gateway resource.
The ingress-shim now shows the exact location of the duplicate
secretName when the user gives the same secretName in two separate TLS
blocks.
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Jake Sanders <i@am.so-aweso.me>
