Change ACMEHTTP01IngressPathTypeExact feature to beta #7813

@wallrj wallrj commented Jun 17, 2025

This new feature gate was supposed to be introduced at maturity level Beta, exactly like the DefaultPrivateKeyRotationPolicyAlways feature. Instead, it has been set to GA.

The consequence of setting it to GA is that when you disable it, you get a warning in the cert-manager logs:

$ kubectl  -n cert-manager logs deployments/cert-manager --follow
W0617 15:42:25.514056       1 feature_gate.go:354] Setting GA feature gate ACMEHTTP01IngressPathTypeExact=false. It will be removed in a future release.

I overlooked this when reviewing #7795.

/kind cleanup

NONE

Testing

I re-enabled the ingress-nginx strict-validate-path option:

_bin/tools/helm upgrade \
  --install \
  --wait \
  --version 4.12.3 \
  --namespace ingress-nginx \
  --create-namespace \
  --set controller.image.tag=v1.12.3 \
  --set controller.image.registry=registry.k8s.io \
  --set controller.image.digest= \
  --set controller.image.pullPolicy=Never \
  --set controller.service.clusterIP=10.0.0.15 \
  --set controller.service.type=ClusterIP \
  --set controller.config.no-tls-redirect-locations= \
  --set-string controller.config.strict-validate-path-type=true \
  --set admissionWebhooks.enabled=true \
  --set controller.admissionWebhooks.enabled=true \
  --set controller.watchIngressWithoutClass=true \
  ingress-nginx ingress-nginx/ingress-nginx

Reconfigured cert-manager with the feature gates disabled:

make e2e-setup FEATURE_GATES=AllAlpha=false,AllBeta=false

And observed a subset of the Ingress E2E tests pass:

$ make e2e GINKGO_FOCUS='ACME HTTP01 Issuer \(Ingress\)'
...
[Conformance] Certificates with External Account Binding with issuer type ACME HTTP01 Issuer (Ingress) should issue an ECDSA, defaulted certificate for a single distinct DNS Name
/home/richard/projects/cert-manager/cert-manager/test/e2e/suite/conformance/certificates/suite.go:133
  STEP: Creating a kubernetes client @ 06/17/25 17:50:36.417
  STEP: Creating an API extensions client @ 06/17/25 17:50:36.417
  STEP: Creating a cert manager client @ 06/17/25 17:50:36.417
  STEP: Creating a controller-runtime client @ 06/17/25 17:50:36.417
  STEP: Creating a gateway-api client @ 06/17/25 17:50:36.417
  STEP: Building a namespace api object @ 06/17/25 17:50:36.417
  STEP: Using the namespace e2e-tests-certificates-rmbkv @ 06/17/25 17:50:36.42
  STEP: Building a ResourceQuota api object @ 06/17/25 17:50:36.42
  STEP: Creating an issuer resource @ 06/17/25 17:50:36.425
  STEP: Creating an ACME HTTP01 Ingress Issuer @ 06/17/25 17:50:36.429
  STEP: Waiting for acme HTTP01 Ingress Issuer to be Ready @ 06/17/25 17:50:36.433
  Jun 17 17:50:36.437: INFO: Expected Issuer acme-issuer-http01-kptsb condition Ready=True but it has: []
  Jun 17 17:50:36.938: INFO: Expected Issuer acme-issuer-http01-kptsb condition Ready=True but it has: [] (took 0s)
  STEP: Creating a Certificate @ 06/17/25 17:50:36.938
I0617 17:50:36.946539  475038 warning_handler.go:64] "spec.privateKey.rotationPolicy: In cert-manager >= v1.18.0, the default value changed from `Never` to `Always`." logger="cert-manager"
  STEP: Waiting for the Certificate to be issued... @ 06/17/25 17:50:36.946
  Jun 17 17:50:36.951: INFO: Expected Certificate e2e-conformance-vthvrt6w4z condition Ready=True (generation >= 1) but it has: []
  Jun 17 17:50:41.951: INFO: Expected Certificate e2e-conformance-vthvrt6w4z condition Ready=True (generation >= 1) but it has: [{Issuing True 2025-06-17 17:50:36 +0100 BST DoesNotExist Issuing certificate as Secret does not exist 1} {Ready False 2025-06-17 17:50:36 +0100 BST DoesNotExist Issuing certificate as Secret does not exist 1}]
  Jun 17 17:50:48.456: INFO: Expected Certificate e2e-conformance-vthvrt6w4z condition Ready=True (generation >= 1) but it has: [{Issuing True 2025-06-17 17:50:36 +0100 BST DoesNotExist Issuing certificate as Secret does not exist 1} {Ready False 2025-06-17 17:50:36 +0100 BST DoesNotExist Issuing certificate as Secret does not exist 1}]
  Jun 17 17:50:58.721: INFO: Expected Certificate e2e-conformance-vthvrt6w4z condition Ready=True (generation >= 1) but it has: [{Issuing True 2025-06-17 17:50:36 +0100 BST DoesNotExist Issuing certificate as Secret does not exist 1} {Ready False 2025-06-17 17:50:36 +0100 BST DoesNotExist Issuing certificate as Secret does not exist 1}]
  Jun 17 17:51:03.719: INFO: Expected Certificate e2e-conformance-vthvrt6w4z condition Ready=True (generation >= 1) but it has: [{Issuing True 2025-06-17 17:50:36 +0100 BST DoesNotExist Issuing certificate as Secret does not exist 1} {Ready False 2025-06-17 17:50:36 +0100 BST DoesNotExist Issuing certificate as Secret does not exist 1}] (took 24s)
  STEP: Validating the issued Certificate... @ 06/17/25 17:51:03.719
  STEP: Cleaning up the issuer resource @ 06/17/25 17:51:03.722
  STEP: Deleting test namespace @ 06/17/25 17:51:03.725
• [24.544 seconds]

Signed-off-by: Richard Wall <richard.wall@cyberark.com>
@cert-manager-prow cert-manager-prow bot added kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. release-note-none Denotes a PR that doesn't merit a release note. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 17, 2025
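Why the maturity level decides what `FEATURE_GATES=AllAlpha=false,AllBeta=false` actually switches off, as an added example that is not part of this PR or of cert-manager's code: a simplified Go model of feature-gate resolution, patterned on the semantics of k8s.io/component-base/featuregate (the library behind the `feature_gate.go` warning quoted above) but re-implemented here. The gate names, defaults and maturities passed to `Resolve` are assumptions for the demonstration; the real library also registers gates differently and handles locked defaults, which this model leaves out.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Spec is the part of a feature-gate entry that matters here: its default value and maturity ("Alpha", "Beta", "GA").
type Spec struct {
	Default  bool
	Maturity string
}

// Resolve applies a "Name=bool,Name=bool" gate string to the known gates and returns
// the effective values plus one warning per GA gate that was set explicitly.
// AllAlpha/AllBeta switch every gate of that maturity; an explicit setting wins over them.
func Resolve(known map[string]Spec, gates string) (map[string]bool, []string, error) {
	explicit, wild := map[string]bool{}, map[string]bool{}
	for _, kv := range strings.FieldsFunc(gates, func(r rune) bool { return r == ',' }) {
		k, v, found := strings.Cut(strings.TrimSpace(kv), "=")
		val, err := strconv.ParseBool(v)
		if !found || err != nil {
			return nil, nil, fmt.Errorf("malformed feature gate %q", kv)
		}
		if k == "AllAlpha" || k == "AllBeta" {
			wild[strings.TrimPrefix(k, "All")] = val // keyed by maturity name
			continue
		}
		if _, ok := known[k]; !ok {
			return nil, nil, fmt.Errorf("unrecognized feature gate: %s", k)
		}
		explicit[k] = val
	}
	enabled := make(map[string]bool, len(known))
	for name, s := range known { // defaults, then wildcards; there is no AllGA, so GA gates keep their default
		enabled[name] = s.Default
		if val, ok := wild[s.Maturity]; ok {
			enabled[name] = val
		}
	}
	var warnings []string
	for name, val := range explicit { // an explicit setting overrides the wildcards
		enabled[name] = val
		if known[name].Maturity == "GA" { // the warning cert-manager logged in the PR description
			warnings = append(warnings, fmt.Sprintf("Setting GA feature gate %s=%t. It will be removed in a future release.", name, val))
		}
	}
	return enabled, warnings, nil
}
```

With the gate registered as GA, `AllBeta=false` leaves it enabled and only an explicit `ACMEHTTP01IngressPathTypeExact=false` turns it off, at the cost of the warning; once it is Beta, the same `AllBeta=false` used in the test run above disables it silently.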

@erikgb erikgb left a comment

/lgtm
/approve

@cert-manager-prow

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: erikgb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jun 17, 2025
@cert-manager-prow cert-manager-prow bot merged commit c0c7c42 into cert-manager:master Jun 17, 2025
6 checks passed

wallrj commented Jun 17, 2025

/cherry-pick release-1.18

@wallrj wallrj deleted the acmehttp01ingresspathtypeexact-should-be-beta branch June 17, 2025 16:58
@cert-manager-bot

@wallrj: new pull request created: #7814

In response to this:

/cherry-pick release-1.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
