aiven/aiven-operator

aiven-operator without cert-manager

Opened this issue · 6 comments

JanRK commented

Could you add documentation on how to use aiven-operator without cert-manager. We have our own certificate solution, and would prefer to not run cert-manager also.

Example using kubectl create secret tls, or adding the files to the pod using volumes.

Hi @JanRK, cert-manager is now mandatory to make webhooks work. We would need to run some tests and perhaps patch the operator and installation to support a generic certificate solution.

What certificate solution are you using?

JanRK commented

Hi @ivan-savciuc, I am no longer working on this project, so my memory is a bit hazy.
I am pretty sure I solved it by just manually creating the secret that cert-manager otherwise creates.

We used a custom solution based on cfssl.

I still think it would make a PoC deployment easier if you documented how to install without cert-manager.

Is it possible to keep this issue open?

In our clusters we don't use cert-manager, as most of our certs are managed on the external LB.
For our own webhooks we manually create certificates and attach them to the webhook definition.

It would be useful if the aiven-operator could support alternative ways of providing the needed certificates.
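The manual route mentioned in the comments above (issue the certificates yourself, store them in the Secret that cert-manager would otherwise create, and hand the CA to the webhook definition) can be scripted with openssl alone. This is an added example, not code from the aiven-operator project; the service, namespace and Secret names are placeholders to be taken from the operator's own webhook manifests.

```shell
#!/bin/sh
# Added example (not from aiven-operator): private CA + webhook serving cert via
# openssl, plus the TLS Secret and caBundle a webhook definition needs.
# Service/namespace/secret names are placeholders, not the project's real ones.
set -eu

make_webhook_certs() {   # $1 = output dir, $2 = webhook service name, $3 = namespace
  dir=$1; svc=$2; ns=$3
  mkdir -p "$dir"
  # Private CA; its certificate becomes clientConfig.caBundle on the webhook.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=webhook-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # The API server validates the serving cert against the service DNS name,
  # so it must be present as a SAN, not only in the CN.
  printf 'subjectAltName=DNS:%s.%s.svc,DNS:%s.%s.svc.cluster.local\n' \
    "$svc" "$ns" "$svc" "$ns" > "$dir/san.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$svc.$ns.svc" \
    -keyout "$dir/tls.key" -out "$dir/tls.csr" 2>/dev/null
  openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/san.ext" -out "$dir/tls.crt" 2>/dev/null
}

b64() { base64 < "$1" | tr -d '\n'; }   # single-line base64 on GNU and BSD alike

render_secret() {   # $1 = cert dir, $2 = secret name, $3 = namespace; YAML on stdout
  # Equivalent of `kubectl create secret tls`, with ca.crt added as cert-manager does.
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n  ca.crt: %s\n' \
    "$2" "$3" "$(b64 "$1/tls.crt")" "$(b64 "$1/tls.key")" "$(b64 "$1/ca.crt")"
}

ca_bundle() { b64 "$1/ca.crt"; }   # paste into clientConfig.caBundle of the webhook

# Usage (placeholder names):
#   make_webhook_certs ./certs aiven-webhook-service aiven-operator
#   render_secret ./certs webhook-server-cert aiven-operator | kubectl apply -f -
#   ca_bundle ./certs
```

Rotate by re-running the script and re-applying the Secret; the webhook starts failing closed as soon as the serving certificate expires, so track the expiry the same way you track your other cfssl-issued certificates.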

Would linking to the install instructions on that page be a solution for this? https://aiven.github.io/aiven-operator/docs/installation/helm/#configuration-options shows how to install with webhooks disabled such that the operator is running.

That might be an option, but then I'd want to know the consequences of not having the webhooks.
The other option is if it's possible to install the webhooks using certificates from a pre-existing secret.

The consequence is outlined in this link (pasting here for completeness):

Note: this is not required in the Helm installation if you select to disable webhooks, but that is not recommended outside of playground use. The Aiven Operator for Kubernetes uses webhooks for setting defaults and enforcing invariants that are expected by the aiven API and will lead to errors if ignored. In the future webhooks will also be used for conversion and supporting multiple CRD versions.

So, you can deploy without webhooks and you will be able to deploy services, but it will limit management. Cert-manager is used to validate changes currently, so, for example, modifying a PG service and removing a required field would not be caught. These webhooks exist for every service type we support.

I am afraid our implementation relies on [cert-manager](https://github.com/aiven/aiven-operator/blob/130e924bcf7b567548549b6b31effa8b80657504/config/certmanager/certificate.yaml) down to the config level and removing/replacing the dependency is not planned. Kustomize is quite flexible, though, and we would welcome a PR if you did want to implement. We are happy to help guide and troubleshoot along the way.