Vishrant

Reputation: 16668

How to provide reference to the secret namespace in ClusterIssuer?

I have a ClusterIssuer that is expecting a secretName. I see in the ClusterIssuer spec that I can specify the secretName:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: postgres-operator-ca-certificate-cluster-issuer
spec:
  ca:
    secretName: postgres-operator-ca-certificate     # <---- Here

But how do I provide the reference to the secret namespace? This secret is created using a Certificate:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-operator-self-signed-ca-certificate
  namespace: postgres                 # <---- This namespace can not be changed to cert-manager
spec:
  isCA: true
  commonName: postgres-operator-ca-certificate
  secretName: postgres-operator-ca-certificate
  issuerRef:
    name: postgres-operator-selfsigned-clusterissuer
    kind: ClusterIssuer

As this is namespaced, is the suggestion to use Issuer instead of ClusterIssuer? Does ClusterIssuer by default look in the cert-manager namespace?

Upvotes: 1

Views: 3384

Answers (1)

ericfossas

Reputation: 2196

Typically it will look for the secret in the namespace cert-manager by default. Which namespace it looks in can be changed by your cert-manager installation by using the --cluster-resource-namespace argument, but not by an individual ClusterIssuer.

From the documentation:

If the referent is a cluster-scoped resource (e.g. a ClusterIssuer), the reference instead refers to the resource with the given name in the configured ‘cluster resource namespace’, which is set as a flag on the controller component (and defaults to the namespace that cert-manager runs in).

https://cert-manager.io/docs/reference/api-docs/#meta.cert-manager.io/v1.LocalObjectReference

Upvotes: 7
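
An added example, not part of the question or the answer above: a small offline check that applies the lookup rule quoted from the documentation to the two manifests in the question and reports CA issuers whose secret is written to a different namespace than the one it is resolved in. The function names and the dict form of the manifests are assumptions made for this illustration; the rule that a namespaced Issuer resolves the secret in its own namespace comes from the same LocalObjectReference documentation.

```python
FLAG = "--cluster-resource-namespace"

def cluster_resource_namespace(controller_args, controller_ns):
    """Namespace in which ClusterIssuer secret references are resolved."""
    for i, arg in enumerate(controller_args):
        if arg.startswith(FLAG + "="):
            return arg.split("=", 1)[1]
        if arg == FLAG and i + 1 < len(controller_args):
            return controller_args[i + 1]
    return controller_ns  # default: the namespace cert-manager runs in

def find_mismatches(manifests, controller_args, controller_ns):
    """List CA issuers whose secret no Certificate writes where it is looked up.

    Only Certificates in `manifests` are considered; a secret created by
    other means is not visible to this check.
    """
    cluster_ns = cluster_resource_namespace(controller_args, controller_ns)
    written = {}  # secretName -> namespaces a Certificate writes it to
    for m in manifests:
        if m["kind"] == "Certificate":
            ns = m["metadata"].get("namespace", "default")
            written.setdefault(m["spec"]["secretName"], set()).add(ns)
    problems = []
    for m in manifests:
        if m["kind"] not in ("Issuer", "ClusterIssuer") or "ca" not in m["spec"]:
            continue
        secret = m["spec"]["ca"]["secretName"]
        # A namespaced Issuer resolves the secret in its own namespace.
        looked_in = (cluster_ns if m["kind"] == "ClusterIssuer"
                     else m["metadata"].get("namespace", "default"))
        if looked_in not in written.get(secret, set()):
            problems.append((m["metadata"]["name"], secret, looked_in,
                             sorted(written.get(secret, set()))))
    return problems

# Constructed sample: the two manifests from the question, as Python dicts.
CLUSTER_ISSUER = {
    "kind": "ClusterIssuer",
    "metadata": {"name": "postgres-operator-ca-certificate-cluster-issuer"},
    "spec": {"ca": {"secretName": "postgres-operator-ca-certificate"}},
}
CERTIFICATE = {
    "kind": "Certificate",
    "metadata": {"name": "postgres-operator-self-signed-ca-certificate",
                 "namespace": "postgres"},
    "spec": {"isCA": True, "secretName": "postgres-operator-ca-certificate"},
}

if __name__ == "__main__":
    print(find_mismatches([CLUSTER_ISSUER, CERTIFICATE], [], "cert-manager"))
```

With default controller arguments the ClusterIssuer is reported as looking in cert-manager while the CA secret is written to postgres; passing the flag with the value postgres, or using a namespaced Issuer in postgres, clears the report.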
