
fix: add subject to certificates to satisfy cert-manager#280

Merged
k8s-ci-robot merged 1 commit into kubernetes-sigs:main from vitorfloriano:fix-certificate-warning
Jun 13, 2026

@vitorfloriano

Contributor

Description

This PR fixes an issue in which Cert-Manager would complain about a bad config caused by the lack of an Issuer DN, which would contravene RFC 5280 and could break some strict clients. See #273.

The metrics and webhook certificates now have .spec.subject.organizations set to k8s-sig-node, similar to the solution reached in kubernetes-sigs/cluster-api#5387.

We are changing the base certificates directly (instead of kustomizing) for simplicity and also taking into consideration that these values should always be present in the certificates, regardless.

Related Issue

Fixes #273

Type of Change

/kind bug
/kind cleanup

Testing

This fix was manually tested by:

  1. Installing the CRD with make install.
  2. Deploying the controller with make deploy-full.
  3. Checking the events with kubectl events -n nrr-system and verifying that the warnings don't show up anymore.
events

$ kubectl events -n nrr-system 
LAST SEEN   TYPE      REASON               OBJECT                                         MESSAGE
12s         Normal    WaitingForApproval   CertificateRequest/nrr-serving-cert-1          Not signing CertificateRequest until it is Approved
12s         Normal    ScalingReplicaSet    Deployment/nrr-controller-manager              Scaled up replica set nrr-controller-manager-78cc99ddb6 from 0 to 1
12s         Warning   FailedMount          Pod/nrr-controller-manager-78cc99ddb6-f89rx    MountVolume.SetUp failed for volume "metrics-certs" : secret "metrics-server-cert" not found
12s         Normal    Issuing              Certificate/nrr-serving-cert                   The certificate has been successfully issued
12s         Normal    Requested            Certificate/nrr-serving-cert                   Created new CertificateRequest resource "nrr-serving-cert-1"
12s         Normal    Generated            Certificate/nrr-serving-cert                   Stored new private key in temporary Secret resource "nrr-serving-cert-zjfqt"
12s         Normal    SuccessfulCreate     ReplicaSet/nrr-controller-manager-78cc99ddb6   Created pod: nrr-controller-manager-78cc99ddb6-f89rx
12s         Normal    WaitingForApproval   CertificateRequest/nrr-serving-cert-1          Not signing CertificateRequest until it is Approved
12s         Normal    Issuing              Certificate/nrr-serving-cert                   Issuing certificate as Secret does not exist
12s         Normal    CertificateIssued    CertificateRequest/nrr-serving-cert-1          Certificate fetched from issuer successfully
12s         Normal    cert-manager.io      CertificateRequest/nrr-serving-cert-1          Certificate request has been approved by cert-manager.io
12s         Normal    WaitingForApproval   CertificateRequest/nrr-serving-cert-1          Not signing CertificateRequest until it is Approved
12s         Normal    Issuing              Certificate/nrr-metrics-certs                  Issuing certificate as Secret does not exist
12s         Normal    WaitingForApproval   CertificateRequest/nrr-serving-cert-1          Not signing CertificateRequest until it is Approved
12s         Normal    Scheduled            Pod/nrr-controller-manager-78cc99ddb6-f89rx    Successfully assigned nrr-system/nrr-controller-manager-78cc99ddb6-f89rx to multinode-worker
12s         Normal    WaitingForApproval   CertificateRequest/nrr-serving-cert-1          Not signing CertificateRequest until it is Approved
11s         Normal    WaitingForApproval   CertificateRequest/nrr-metrics-certs-1         Not signing CertificateRequest until it is Approved
11s         Normal    WaitingForApproval   CertificateRequest/nrr-metrics-certs-1         Not signing CertificateRequest until it is Approved
11s         Normal    Issuing              Certificate/nrr-metrics-certs                  The certificate has been successfully issued
11s         Normal    cert-manager.io      CertificateRequest/nrr-metrics-certs-1         Certificate request has been approved by cert-manager.io
11s         Normal    WaitingForApproval   CertificateRequest/nrr-metrics-certs-1         Not signing CertificateRequest until it is Approved
11s         Normal    Pulled               Pod/nrr-controller-manager-78cc99ddb6-f89rx    Container image "controller:latest" already present on machine and can be accessed by the pod
11s         Normal    Generated            Certificate/nrr-metrics-certs                  Stored new private key in temporary Secret resource "nrr-metrics-certs-xbj75"
11s         Normal    Requested            Certificate/nrr-metrics-certs                  Created new CertificateRequest resource "nrr-metrics-certs-1"
11s         Normal    WaitingForApproval   CertificateRequest/nrr-metrics-certs-1         Not signing CertificateRequest until it is Approved
11s         Normal    WaitingForApproval   CertificateRequest/nrr-metrics-certs-1         Not signing CertificateRequest until it is Approved
11s         Normal    CertificateIssued    CertificateRequest/nrr-metrics-certs-1         Certificate fetched from issuer successfully
10s         Normal    Started              Pod/nrr-controller-manager-78cc99ddb6-f89rx    Container started
10s         Normal    Created              Pod/nrr-controller-manager-78cc99ddb6-f89rx    Container created
10s         Normal    LeaderElection       Lease/ba65f13e.readiness.node.x-k8s.io         nrr-controller-manager-78cc99ddb6-f89rx_155fbe29-96f4-4bf1-b779-4599b705592b became leader

  4. Checking the events in CertificateRequests with kubectl describe certificaterequests.cert-manager.io -n nrr-system | grep Events -A 10 and verifying that the warnings don't show up anymore.
events

$ kubectl describe certificaterequests.cert-manager.io -n nrr-system | grep Events -A 10
Events:
  Type    Reason              Age   From                                                Message
  ----    ------              ----  ----                                                -------
  Normal  WaitingForApproval  44s   cert-manager-certificaterequests-issuer-vault       Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  44s   cert-manager-certificaterequests-issuer-ca          Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  44s   cert-manager-certificaterequests-issuer-acme        Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  44s   cert-manager-certificaterequests-issuer-selfsigned  Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  44s   cert-manager-certificaterequests-issuer-venafi      Not signing CertificateRequest until it is Approved
  Normal  cert-manager.io     44s   cert-manager-certificaterequests-approver           Certificate request has been approved by cert-manager.io
  Normal  CertificateIssued   44s   cert-manager-certificaterequests-issuer-selfsigned  Certificate fetched from issuer successfully

--
Events:
  Type    Reason              Age   From                                                Message
  ----    ------              ----  ----                                                -------
  Normal  WaitingForApproval  45s   cert-manager-certificaterequests-issuer-venafi      Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  45s   cert-manager-certificaterequests-issuer-acme        Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  45s   cert-manager-certificaterequests-issuer-ca          Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  45s   cert-manager-certificaterequests-issuer-vault       Not signing CertificateRequest until it is Approved
  Normal  WaitingForApproval  45s   cert-manager-certificaterequests-issuer-selfsigned  Not signing CertificateRequest until it is Approved
  Normal  cert-manager.io     45s   cert-manager-certificaterequests-approver           Certificate request has been approved by cert-manager.io
  Normal  CertificateIssued   45s   cert-manager-certificaterequests-issuer-selfsigned  Certificate fetched from issuer successfully

Checklist

  • make test passes
  • make lint passes

Does this PR introduce a user-facing change?

Fix bad config warning when issuing metrics and webhook certificates

This fixes an issue in which Cert-Manager would complain
about a bad config caused by the lack of a domain name,
which would contravene RFC 5280 and could cause problems
with some clients.

The certificates now have .spec.subject.organizations set to k8s-sig-node.
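
Why setting an organization clears the warning, as an added example (not code from this PR or from cert-manager): a self-signed certificate's issuer DN is a copy of its subject DN, so an empty subject produces the empty issuer that RFC 5280 disallows. The Go sketch below models that with the standard library only; `selfSign`, `issuerDNEmpty` and the SAN value are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSign issues a self-signed certificate for dnsName whose subject holds
// only the given organizations (nil means an empty subject). Passing the
// template as its own parent copies the subject DN into the issuer DN.
func selfSign(orgs []string, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: orgs},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issuerDNEmpty reports whether the issuer field carries no attributes,
// the condition RFC 5280 section 4.1.2.4 rules out.
func issuerDNEmpty(cert *x509.Certificate) bool {
	return len(cert.Issuer.Names) == 0
}

func main() {
	const dnsName = "webhook.example.svc" // constructed sample SAN
	for _, orgs := range [][]string{nil, {"k8s-sig-node"}} {
		cert, err := selfSign(orgs, dnsName)
		if err != nil {
			panic(err)
		}
		fmt.Printf("issuer=%q empty=%v\n", cert.Issuer.String(), issuerDNEmpty(cert))
	}
}
```

The same `issuerDNEmpty` check can be applied to a certificate parsed from an issued Secret's `tls.crt` to confirm the fix on a live cluster.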
@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. labels Jun 13, 2026
@netlify

netlify Bot commented Jun 13, 2026


Deploy Preview for node-readiness-controller canceled.

Name Link
🔨 Latest commit 94de238
🔍 Latest deploy log https://app.netlify.com/projects/node-readiness-controller/deploys/6a2caa5c989c330008a5ac50

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 13, 2026
@ajaysundark

Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Jun 13, 2026
@ajaysundark

Contributor

/cc
/lgtm

@k8s-ci-robot k8s-ci-robot requested a review from ajaysundark June 13, 2026 06:42
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 13, 2026
@ajaysundark

Contributor

/approve

@k8s-ci-robot

Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ajaysundark, vitorfloriano

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 13, 2026
@k8s-ci-robot k8s-ci-robot merged commit bd99fe6 into kubernetes-sigs:main Jun 13, 2026
11 checks passed

Development

Successfully merging this pull request may close these issues.

[BUG] BadConfig warning by cert-manager in full install
