TykTechnologies/tyk-operator

TT-9857 Only first certificate of certificate_secret_names is assigned to API

Freakazoid182 opened this issue · 2 comments

When defining multiple certificate_secret_names on an ApiDefinition, it seems only the first one is actually assigned to the API by the operator.

Providing this in the ApiDefinition resource:

certificate_secret_names:
  - cert1-secret
  - cert2-secret

Results in an API with only the first certificate id:

"certificates" : [
  "cert1-id"
]

Switching the order of certificate_secret_names will result in only cert2-id being assigned to the API.

Expected Behavior

All certificates defined in certificate_secret_names should be assigned to the API.

Current Behavior

Only the first entry in certificate_secret_names is assigned to the API. Both certificates are provisioned in Tyk though, and are visible on the dashboard under the Certificates menu.

Steps to Reproduce

  1. Provision at least 2 TLS certificates as Kubernetes secrets
  2. Assign both secrets to the certificate_secret_names on the ApiDefinition
  3. Note only 1 certificate id is assigned to the API

Context

A workaround we have now is to define the certificate ids directly on the certificates field on the ApiDefinition. This does require getting the certificates provisioned first using certificate_secret_names and then updating the definitions with the ids on the certificates field instead. When using certmanager to autorotate the certs/secrets, we then still have to manually update the certificates, because this changes the ids. This won't work nicely in the long term.

certificates:
- cert1-id
- cert2-id

Your Environment

  • OS (e.g. Linux, macOS, Windows):
    • OS version: Tyk Operator Container tykio/tyk-operator
  • tyk-operator version/commit: v0.15.0

@Freakazoid182 thank you for raising this one. This is definitely a missing feature of our controller.

As per the comment here, only one secret is supported at the moment.

I'll create an internal ticket to keep track of this feature.

We welcome all PRs :) If you want to contribute, this doc https://github.com/TykTechnologies/tyk-operator/blob/master/CONTRIBUTING.md might be useful.

@buraksekili Thank you for the immediate response! 👍 Glad to hear this is now kept track of. I would greatly appreciate this being implemented.