Description
TL;DR: creating a Vault clusterIssuer with spec.vault.path=/<pki_mountpath>/issue/<pki_name> (instead of /<pki_mountpath>/sign/<pki_name>) leads to infinite certificaterequest creation, resulting in out-of-memory conditions.
Description: the issue happens due to a certificate and key mismatch when using the /issue endpoint, as described in cert-manager/cert-manager#5087. The docs specifically say that only the /sign endpoint is supported — however, a human error is still possible, and the consequences of such an error are a little too harsh. In my case, I didn't even have resource limits set (as per chart defaults), and cert-manager created 5k+ certificaterequests in a short period of time, resulting in kube-apiservers eating up all the available RAM and crashing along with etcd — total control plane collapse :) Perhaps some extra validation of spec.vault.path could be useful to prevent such errors. Or, maybe, a back-off limit for the retry loop. Please let me know if you need help with implementing the fix or any additional info.
cert-manager version: v1.16.3 installed from helm chart v1.16.3
configuration:

values.yaml

```yaml
global:
  leaderElection:
    namespace: cert-manager
crds:
  enabled: true
fullnameOverride: cert-manager
resources:
  requests:
    cpu: "1"
    memory: "256Mi"
  limits:
    cpu: "1"
    memory: "256Mi"
```

clusterIssuer

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-local
spec:
  vault:
    path: /pki/issue/local
    server: https://vault.local
    auth:
      tokenSecretRef:
        name: vault-signr-token
        key: token
```
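As an added example (not cert-manager's own code), the kind of spec.vault.path validation the description asks for, in Go: it rejects the /issue/ form used in the ClusterIssuer above with a specific message and accepts only `<mount>/sign/<role>` (including Vault's per-issuer `<mount>/issuer/<ref>/sign/<role>` form). The type and function names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// VaultSignPath is the parsed form of a cert-manager spec.vault.path value.
// Hypothetical type, not part of cert-manager.
type VaultSignPath struct {
	Mount string // everything before "/sign/", e.g. "pki" or "pki_int/issuer/default"
	Role  string // PKI role name, e.g. "local"
}

// signPathRE matches "<mount>/sign/<role>" with an optional leading slash;
// the mount part may itself contain slashes (nested mounts, issuer/<ref>).
var signPathRE = regexp.MustCompile(`^/?(.+)/sign/([^/]+)$`)

// ValidateVaultPath accepts only paths that target a Vault PKI sign endpoint.
// The /issue/ endpoint is rejected explicitly: there Vault generates the private
// key itself, so the returned certificate can never match the key cert-manager
// created, which is the mismatch that drives the retry loop in this issue.
func ValidateVaultPath(path string) (VaultSignPath, error) {
	trimmed := strings.TrimSpace(path)
	if trimmed == "" {
		return VaultSignPath{}, fmt.Errorf("spec.vault.path must not be empty")
	}
	for _, seg := range strings.Split(strings.Trim(trimmed, "/"), "/") {
		if seg == "issue" {
			return VaultSignPath{}, fmt.Errorf("spec.vault.path %q uses the /issue/ endpoint; only <mount>/sign/<role> is supported", path)
		}
	}
	m := signPathRE.FindStringSubmatch(trimmed)
	if m == nil {
		return VaultSignPath{}, fmt.Errorf("spec.vault.path %q does not match <mount>/sign/<role>", path)
	}
	return VaultSignPath{Mount: m[1], Role: m[2]}, nil
}

func main() {
	// Constructed sample paths: the one from the ClusterIssuer above, plus two valid forms.
	for _, p := range []string{"/pki/issue/local", "pki/sign/local", "pki_int/issuer/default/sign/local"} {
		parsed, err := ValidateVaultPath(p)
		fmt.Printf("%-36s -> %+v err=%v\n", p, parsed, err)
	}
}
```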