Skip to content

Update setup_singleton.sh to support F5 Cert Manager#2626

Open
aaronmcohen wants to merge 1 commit intoIBM:scripts-devfrom
aaronmcohen:patch-1
Open

Update setup_singleton.sh to support F5 Cert Manager#2626
aaronmcohen wants to merge 1 commit intoIBM:scripts-devfrom
aaronmcohen:patch-1

Conversation

@aaronmcohen
Copy link
Copy Markdown
Member

@aaronmcohen aaronmcohen commented Sep 18, 2025

What this PR does / why we need it:

The F5 certificate manager is a fork of the community certificate manager which should be ignored by the script as it confined to a single namespace and uses different CRDs.

https://clouddocs.f5.com/service-proxy/latest/spk-cert-manager.html

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

  1. How the test is done?

How to backport this PR to other branch:

  1. Add label to this PR with the target branch name backport <branch-name>
  2. The PR will be automatically created in the target branch after merging this PR
  3. If this PR is already merged, you can still add the label with the target branch name backport <branch-name> and leave a comment /backport to trigger the backport action

pgodowski
pgodowski approved these changes Sep 18, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@pgodowski pgodowski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some clarifying question asked, @aaronmcohen pls clarify

cp3pt0-deployment/setup_singleton.sh
info "Checking cert manager readiness."
#check webhook pod runnning
local name="cert-manager-webhook"
local f5_exclude_name="f5-cert-manager-webhook"
Copy link
Copy Markdown
Contributor

@pgodowski pgodowski Sep 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this a confirmed name, could it be customized at F5 cert manager install time?

Copy link
Copy Markdown
Member Author

@aaronmcohen aaronmcohen Sep 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pgodowski This is based on F5's documentation https://clouddocs.f5.com/service-proxy/latest/spk-cert-manager.html. I don't see any option to customize it. That being said somewhere in the universe will be a admin who chooses to edit the contents of F5's helm chart. Based on that concern... Should name and f5_exclude_name pull from an environment variable?

@ibm-ci-bot
Copy link
Copy Markdown
Contributor

ibm-ci-bot commented Sep 18, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: aaronmcohen, pgodowski
Once this PR has been reviewed and has the lgtm label, please assign ycshen1010 for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kc0olm
Copy link
Copy Markdown

kc0olm commented Sep 24, 2025

Personally I think this script needs some more work - for example, not only f5 - we need to allow ANY cert-manager that has the same code base (community edition); otherwise, we will be back here again.

Is there truly a very specific protocol in watsonx software that can not be handled by any cert-manager, with the correct configuration, i.e. watching distinct namespaces to avoid collision?

So ideally, the script will 1) check for more than 1 cert manager 2) examine the namespace scope, annotations, and labels, and look for collision then 3) if there is a collision, THEN fail 4) if no collision, please let us get on with the upgrade ;-)

@aaronmcohen
Copy link
Copy Markdown
Member Author

aaronmcohen commented Sep 24, 2025

Personally I think this script needs some more work - for example, not only f5 - we need to allow ANY cert-manager that has the same code base (community edition); otherwise, we will be back here again.

Is there truly a very specific protocol in watsonx software that can not be handled by any cert-manager, with the correct configuration, i.e. watching distinct namespaces to avoid collision?

So ideally, the script will 1) check for more than 1 cert manager 2) examine the namespace scope, annotations, and labels, and look for collision then 3) if there is a collision, THEN fail 4) if no collision, please let us get on with the upgrade ;-)

@kc0olm I agree the script could be improved. However could we separate that effort from this PR which is to unblock Verizon?

@kc0olm
Copy link
Copy Markdown

kc0olm commented Oct 10, 2025

@pgodowski Thanks for working on this. Unfortunately I need a hotfix or workaround right now - I am all done upgrading Verizon - except for the Licensing Server, which won't upgrade if it finds two cert-managers. Actually, it causes another embarassing problem where we had to go deep into the yaml files and add a line in several places to indicate the "custom" certmanager. It's just not good to be editing Operator code on the fly, with the customer watching.

zenMessage: |-
    6.2.1/roles/0010-infra has failed with error: MODULE FAILURE: No start of json char found
    See stdout/stderr for the exact error
  reconcileHistory:
    - |-
      2025-10-09T22:51:37.24285Z 6.2.1/roles/0010-infra has failed with error: MODULE FAILURE: No start of json char found
      See stdout/stderr for the exact error

https://github.ibm.com/PrivateCloud-analytics/Zen/issues/43592

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@pgodowski pgodowski pgodowski approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@aaronmcohen @ibm-ci-bot @kc0olm @pgodowski