Explain how to optimise cert-manager for scale #1458
Conversation
jetstack-bot
added
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
✅ Deploy Preview for cert-manager-website ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
wallrj
force-pushed
the
551-large-clusters
branch
2 times, most recently
from
716fcff to
131a9ad
Compare
jetstack-bot
added
size/L
wallrj
force-pushed
the
551-large-clusters
branch
2 times, most recently
from
e70bd00 to
6697ab9
Compare
wallrj
force-pushed
the
551-large-clusters
branch
from
6697ab9 to
f76b760
Compare
jetstack-bot
added
size/XXL
wallrj
force-pushed
the
551-large-clusters
branch
from
f8e361f to
2617f1c
Compare
| ```yaml | ||
| config: | ||
| apiVersion: controller.config.cert-manager.io/v1alpha1 | ||
| kind: ControllerConfiguration | ||
| kubernetesAPIQPS: 10000 | ||
| kubernetesAPIBurst: 10000 | ||
| ``` |
There was a problem hiding this comment.
Where is this YAML supposed to be configured? Is that in the Helm chart?
Ah, this is a "ControllerConfiguration" file. I didn't know cert-manager had a file-based configuration format 😅
Signed-off-by: Richard Wall <richard.wall@venafi.com>
Signed-off-by: Richard Wall <richard.wall@venafi.com>
wallrj
force-pushed
the
551-large-clusters
branch
2 times, most recently
from
849e187 to
e859aeb
Compare
cert-manager-prow
bot
added
size/L
wallrj
changed the title
cert-manager-prow
bot
removed
the
do-not-merge/work-in-progress
|
@maelvls @hawksight I've simplified the content and removed all the distracting evidence files. |
wallrj
force-pushed
the
551-large-clusters
branch
from
a99a938 to
6592015
Compare
inteon
changed the title
cert-manager-prow
bot
added
the
approved
Co-authored-by: Maël Valais <mael@vls.dev> Signed-off-by: Richard Wall <wallrj@users.noreply.github.com>
| > 📖 Learn [how to set Certificate defaults automatically](../tutorials/certificate-defaults/README.md), using tools like Kyverno. | ||
|
|
||
|
|
||
| ## Set `revisionHistoryLimit: 1` on all Certificate resources |
There was a problem hiding this comment.
| > | ||
| > 📖 Learn [how to set `revisionHistoryLimit` when using Annotated Ingress resources](../usage/ingress.md#supported-annotations). | ||
| > | ||
| > 🔗 Read [`cert-manager#3773`: Certificate revision history limit](https://github.com/cert-manager/cert-manager/pull/3773), |
There was a problem hiding this comment.
@wallrj It is quite hard to find a "why" in that pull request, didn't we discuss in one of our standups that we should update the cert-manager code and set a sane default value?
There was a problem hiding this comment.
Agreed. I've replaced that link with cert-manager/cert-manager#3958 so that users can go and vote for that change.
| apiVersion: controller.config.cert-manager.io/v1alpha1 | ||
| kind: ControllerConfiguration | ||
| featureGates: | ||
| AllBeta: true |
There was a problem hiding this comment.
Isn't this the default? Do we have to specifically enable AllBeta here?
There was a problem hiding this comment.
I think so, but I cannot find the exact place in the code that says as such.
It can be good to be explicit in whats enable with helm values, but it's a preference choice.
@wallrj - assuming this is default, I'd drop that flag.. OR just add a comment that this is the default for reference.
There was a problem hiding this comment.
Agreed. Dropped. I think I assumed it necessary, because I saw it in the E2E setup scripts:
There was a problem hiding this comment.
Easy to read and better docs that what we currently have :)
Left a minor syntax comment.
Also a possible change or clarification on waht @inteon spotted too.
But otherwise I appreciate the links for futher reading / justification. Especially since some of those are to the defaults tutorial 🎉
| ## Enable Server-Side Apply | ||
|
|
||
| By default, cert-manager [uses Update requests](https://kubernetes.io/docs/reference/using-api/api-concepts/#update-mechanism-update) | ||
| to create and modify resources like CertificateRequest and Secret, |
There was a problem hiding this comment.
| to create and modify resources like CertificateRequest and Secret, | |
| to create and modify resources like `CertificateRequest` and `Secret`, |
| apiVersion: controller.config.cert-manager.io/v1alpha1 | ||
| kind: ControllerConfiguration | ||
| featureGates: | ||
| AllBeta: true |
There was a problem hiding this comment.
I think so, but I cannot find the exact place in the code that says as such.
It can be good to be explicit in whats enable with helm values, but it's a preference choice.
@wallrj - assuming this is default, I'd drop that flag.. OR just add a comment that this is the default for reference.
Signed-off-by: Richard Wall <richard.wall@venafi.com>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hawksight, inteon, maelvls The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Preview: https://deploy-preview-1458--cert-manager-website.netlify.app/docs/devops-tips/scaling-cert-manager/
Fixes: #551
Fixes: cert-manager/cert-manager#3971
@maelvls I've written some general guidance for right sizing cert-manager for both large and small clusters.