TL;DR: creating a Vault clusterIssuer with spec.vault.path=/<pki_mountpath>/issue/<pki_name> (instead of /<pki_mountpath>/sign/<pki_name>) leads to infinite certificaterequest creation, resulting in out-of-memory conditions.
description: the issue happens due to a certificate and key mismatch when using the /issue endpoint, as described in cert-manager/cert-manager#5087. The docs specifically say that only the /sign endpoint is supported; however, a human error is still possible, and the consequences of such an error are a little too harsh. In my case, I didn't even have resource limits set (as per chart defaults), and cert-manager created 5k+ certificaterequests in a short period of time, resulting in kube-apiservers eating up all the available RAM and crashing along with etcd: total control plane collapse :) Perhaps some extra validation of spec.vault.path could be useful to prevent such errors. Or maybe a back-off limit for the retry loop. Please let me know if you need help with implementing the fix or any additional info.
cert-manager version: v1.16.3 installed from helm chart v1.16.3
configuration:
values.yaml
clusterIssuer
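Added example (not cert-manager's own code and not from the issue author): a small Go check of the kind the report suggests for spec.vault.path. It accepts a path whose last two segments are `sign/<role>` (so `pki/sign/<role>` and the issuer-scoped `pki/issuer/<ref>/sign/<role>` both pass), rejects the `issue/<role>` form with a message naming the corrected path, and rejects malformed paths. The function name, the assumption that only sign endpoints should pass, and the sample paths are all constructed for this illustration; other Vault PKI endpoints, if a deployment used them, would need to be added to the switch.

```go
package main

import (
	"fmt"
	"strings"
)

// ValidateVaultSignPath returns nil when path looks like a Vault PKI sign
// endpoint (<pki_mount>/.../sign/<role>) and an error otherwise.
// The issue endpoint (<pki_mount>/issue/<role>) is rejected explicitly,
// because it returns a Vault-generated private key that can never match
// the CSR cert-manager submits, which is what drives the retry loop
// described in the report. Hypothetical validator, not cert-manager's.
func ValidateVaultSignPath(path string) error {
	segs := strings.Split(strings.Trim(path, "/"), "/")
	if len(segs) < 3 {
		return fmt.Errorf("vault path %q: expected <pki_mount>/sign/<role>", path)
	}
	for _, s := range segs {
		if s == "" {
			return fmt.Errorf("vault path %q: empty path segment", path)
		}
	}
	role := segs[len(segs)-1]
	verb := segs[len(segs)-2]
	mount := strings.Join(segs[:len(segs)-2], "/")
	switch verb {
	case "sign":
		return nil
	case "issue":
		return fmt.Errorf("vault path %q uses the issue endpoint, whose key cannot match the CertificateRequest CSR; use %s/sign/%s instead",
			path, mount, role)
	default:
		return fmt.Errorf("vault path %q: endpoint %q is not sign; expected <pki_mount>/sign/<role>", path, verb)
	}
}

// SuggestedSignPath rewrites an issue path to the corresponding sign path
// (leading/trailing slashes dropped). It returns "" when no rewrite applies.
func SuggestedSignPath(path string) string {
	segs := strings.Split(strings.Trim(path, "/"), "/")
	if len(segs) < 3 || segs[len(segs)-2] != "issue" {
		return ""
	}
	segs[len(segs)-2] = "sign"
	return strings.Join(segs, "/")
}

func main() {
	// Constructed sample paths: the misconfiguration from the report, the
	// documented form, an issuer-scoped form, and two malformed values.
	samples := []string{
		"/pki/issue/example",
		"/pki/sign/example",
		"pki/intermediate/issuer/default/sign/example",
		"pki",
		"/pki/sign/",
	}
	for _, p := range samples {
		if err := ValidateVaultSignPath(p); err != nil {
			fmt.Println("reject:", err)
			if fix := SuggestedSignPath(p); fix != "" {
				fmt.Println("  suggested spec.vault.path:", fix)
			}
			continue
		}
		fmt.Println("accept:", p)
	}
}
```

Run as an admission or webhook-style check before the issuer is marked Ready, this would turn the failure the report describes into an immediate, readable rejection of the ClusterIssuer rather than an unbounded stream of CertificateRequests.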