@featherbread
Contributor

When a custom issuer is used, the secret name and issuer name are no longer guaranteed to align. Fixes #1137.

Testing

I've tried deploying this internally, and it turns out our normal ClusterIssuer requires a common name on every certificate, which I'll have to look into separately. In the meantime, I have some sample commands to show off the diff between the chart versions.

Enabling cert-manager with the default issuer

git checkout main && \
  helm template vertical-pod-autoscaler ./charts/vertical-pod-autoscaler \
  --set admissionController.certManager.enabled=true \
  > old.yaml
git checkout vpa-custom-issuer-secret-name && \
  helm template vertical-pod-autoscaler ./charts/vertical-pod-autoscaler \
  --set admissionController.certManager.enabled=true \
  > new.yaml
diff -u old.yaml new.yaml

…produces no output, as expected.

Enabling cert-manager with a custom issuer

git checkout main && \
  helm template vertical-pod-autoscaler ./charts/vertical-pod-autoscaler \
  --set admissionController.certManager.enabled=true \
  --set admissionController.certManager.issuerName=my-custom-issuer \
  > old.yaml
git checkout vpa-custom-issuer-secret-name && \
  helm template vertical-pod-autoscaler ./charts/vertical-pod-autoscaler \
  --set admissionController.certManager.enabled=true \
  --set admissionController.certManager.issuerName=my-custom-issuer \
  > new.yaml
diff -u old.yaml new.yaml

…produces the following:

--- old.yaml    2025-03-04 11:35:46
+++ new.yaml    2025-03-04 11:35:53
@@ -619,7 +619,7 @@
       volumes:
         - name: tls-certs
           secret:
-            secretName: my-custom-issuer
+            secretName: vertical-pod-autoscaler-admission-controller-cert
 ---
 # Source: vertical-pod-autoscaler/templates/recommender/deployment.yaml
 apiVersion: apps/v1
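Review bot: the changed `secretName` line under the `tls-certs` volume is verified here for a single release name only, so the render shows that the two values agree but not that they are tied together. Worth adding one more render with a non-default release name and confirming that the volume's `secretName` still equals the Certificate's `secretName`, so the two cannot drift apart again the way `secretName: my-custom-issuer` did on main.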

…which matches what grep -A20 'kind: Certificate' new.yaml shows is the certificate name:

kind: Certificate
metadata:
  name: vertical-pod-autoscaler-admission-controller
# ...
  issuerRef:
    kind: Issuer
    name: my-custom-issuer
  secretName: vertical-pod-autoscaler-admission-controller-cert

Release

I can cut a separate PR for a v1.8.1 release (similar to how #1111 released a fix for this chart from #1106), or if it would be easier I'm happy to inline those bumps into this PR.
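
The manual comparison in the PR description can be turned into a repeatable check on rendered output. The script below is an added example, not part of the PR or the chart: it lists every Secret that a rendered workload mounts but that no Certificate in the same render writes to. The function names are hypothetical and the manifests written by `write_sample` are constructed stand-ins for `helm template` output.

```shell
# Added example (not from the PR): list Secrets that rendered workloads mount
# but that no cert-manager Certificate in the same render writes to.
unmatched_tls_secrets() {
  awk '
    # secretName values are buffered per YAML document and filed when it ends
    function flush(   i) {
      for (i = 1; i <= n; i++) {
        if (kind == "Certificate") issued[names[i]] = 1
        else mounted[names[i]] = 1
      }
      n = 0; kind = ""
    }
    /^---/ { flush(); next }
    /^kind:/ { kind = $2 }   # top level only; issuerRef.kind is indented
    /^[ -]*secretName:/ { v = $NF; gsub(/"/, "", v); names[++n] = v }
    END { flush(); for (s in mounted) if (!(s in issued)) print s }
  ' "$1" | sort
}

# Constructed stand-in for `helm template` output: write_sample FILE VOLUME_SECRET
write_sample() {
  cat > "$1" <<EOF
---
kind: Certificate
metadata:
  name: vertical-pod-autoscaler-admission-controller
spec:
  issuerRef:
    kind: Issuer
    name: my-custom-issuer
  secretName: vertical-pod-autoscaler-admission-controller-cert
---
kind: Deployment
spec:
  template:
    spec:
      volumes:
        - name: tls-certs
          secret:
            secretName: $2
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/old.yaml" my-custom-issuer
write_sample "$tmp/new.yaml" vertical-pod-autoscaler-admission-controller-cert
echo "old: $(unmatched_tls_secrets "$tmp/old.yaml")"   # old: my-custom-issuer
echo "new: $(unmatched_tls_secrets "$tmp/new.yaml")"   # new: (nothing listed)
rm -rf "$tmp"
```

Run against real `helm template` output, the function also lists any mounted Secret that is not managed by cert-manager, so its output is a list to review rather than a pass/fail result.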

@stevehipwell
Owner

Thanks for the PR @ahamlinman, do you want to add the release changes into this PR? FYI since the last VPA release I've automated the chart changes annotations so that can be skipped.

@featherbread featherbread force-pushed the vpa-custom-issuer-secret-name branch from 2d670ff to cd7e7c5 Compare March 6, 2025 00:01
@featherbread
Contributor Author

Those changes should be in now, and all references to 1.8.0 should be up to date:

$ rg -F 1.8.0 charts/vertical-pod-autoscaler/
charts/vertical-pod-autoscaler/CHANGELOG.md
23:## [v1.8.0] - 2025-02-14
136:[v1.8.0]: https://github.com/stevehipwell/helm-charts/releases/tag/vertical-pod-autoscaler-1.8.0

Owner

@stevehipwell stevehipwell left a comment

Just a minor typo to fix in the CHANGELOG.

Owner

@stevehipwell stevehipwell left a comment

Sorry, but the date now needs changing.

@stevehipwell
Owner

@ahamlinman could you also rebase?

When a custom issuer is used, the secret name and issuer name are no longer
guaranteed to align.

Signed-off-by: Alex Hamlin <[email protected]>
@featherbread featherbread force-pushed the vpa-custom-issuer-secret-name branch from da39a61 to 19b12c0 Compare March 10, 2025 01:14
Owner

@stevehipwell stevehipwell left a comment

LGTM

@stevehipwell stevehipwell enabled auto-merge (squash) March 10, 2025 10:01
@stevehipwell stevehipwell merged commit 8cd8ef2 into stevehipwell:main Mar 10, 2025
2 checks passed
Development

Successfully merging this pull request may close these issues.

[vertical-pod-autoscaler] Admission controller tries to mount the wrong secret name with a custom issuer

2 participants