### What's new
Adds opt-in remote certificate cleanup when a watched Kubernetes TLS secret is deleted. Closes #50.
By default, behavior is unchanged: deleting a Kubernetes TLS secret leaves the corresponding remote certificate in place. To opt in, set the per-secret annotation or the cluster-wide env var.
### Per-secret opt-in

```yaml
metadata:
  annotations:
    cert-manager-sync.lestak.sh/sync-enabled: "true"
    cert-manager-sync.lestak.sh/delete-policy: "delete" # default is "retain"
```

### Cluster-wide opt-in

Set `DELETE_POLICY=delete` on the operator. Per-secret annotations always override.
### Per-store delete support
| Store | Supported |
|---|---|
| AWS ACM | yes |
| Cloudflare | yes |
| DigitalOcean | yes |
| Filepath | yes |
| Google Cloud Certificate Manager | yes |
| HashiCorp Vault | yes (KV v2 soft-delete) |
| Heroku | yes (deletes the SNI endpoint) |
| Hetzner Cloud | yes |
| Imperva / Incapsula | no — see docs |
| ThreatX | no — see docs |
### Operator config

| Env var | Default | Purpose |
|---|---|---|
| `DELETE_POLICY` | `retain` | Cluster-wide default; `delete` enables cleanup for every watched secret. |
| `DELETE_BLOCKING` | `true` | When `true`, the finalizer is never force-removed (Kubernetes-idiomatic). Set to `false` to force-remove after `MAX_DELETE_ATTEMPTS`. |
| `MAX_DELETE_ATTEMPTS` | `10` | Only consulted when `DELETE_BLOCKING=false`. `0` means retry forever. |
### Implementation highlights

- Uses a finalizer (`cert-manager-sync.lestak.sh/cleanup`) so deletion is gated until cleanup succeeds.
- Strategic merge patch with `$deleteFromPrimitiveList` for finalizer add/remove — concurrent finalizers from other controllers are preserved.
- NotFound responses from remote APIs are treated as success (idempotent re-runs).
- Missing per-store identifiers (`cert-id`, `cert-arn`, etc.) are treated as success on delete so opt-in secrets that never completed an initial sync are not wedged.
- Bookkeeping annotations (`delete-attempts`, `next-delete`) are excluded from the cache hash to prevent spurious re-syncs.
- Helm chart bumped to 1.5.0; new env vars exposed as `config.deletePolicy`, `config.maxDeleteAttempts`, `config.deleteBlocking`.
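As an added illustration, not code from cert-manager-sync itself, the following stand-alone Go program models how the opt-in, operator config and implementation highlights above fit together: per-secret policy overriding the cluster-wide default, the `DELETE_BLOCKING` / `MAX_DELETE_ATTEMPTS` force-remove decision, the strategic merge patch bodies for adding and removing the finalizer, NotFound and missing-identifier handling as idempotent success, and exclusion of bookkeeping annotations from the cache hash input. It uses only the standard library. The annotation and finalizer names are the ones given in these notes; the full keys of the two bookkeeping annotations, the `ErrNotFound` sentinel, the store callback shape and the sample certificate identifier are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Names taken from the release notes.
const (
	AnnSyncEnabled  = "cert-manager-sync.lestak.sh/sync-enabled"
	AnnDeletePolicy = "cert-manager-sync.lestak.sh/delete-policy"
	FinalizerName   = "cert-manager-sync.lestak.sh/cleanup"
	// Assumed full keys: the notes name only the suffixes delete-attempts / next-delete.
	AnnDeleteAttempts = "cert-manager-sync.lestak.sh/delete-attempts"
	AnnNextDelete     = "cert-manager-sync.lestak.sh/next-delete"
)

// ResolveDeletePolicy returns "delete" or "retain". A per-secret annotation always
// wins; otherwise the cluster-wide DELETE_POLICY value applies; otherwise retain.
// Any value other than "delete" is treated as retain so typos fail closed.
func ResolveDeletePolicy(annotations map[string]string, envDeletePolicy string) string {
	if v := strings.TrimSpace(annotations[AnnDeletePolicy]); v != "" {
		if v == "delete" {
			return "delete"
		}
		return "retain"
	}
	if strings.TrimSpace(envDeletePolicy) == "delete" {
		return "delete"
	}
	return "retain"
}

// ShouldForceRemoveFinalizer encodes DELETE_BLOCKING and MAX_DELETE_ATTEMPTS:
// blocking mode never force-removes; non-blocking with max 0 retries forever.
func ShouldForceRemoveFinalizer(deleteBlocking bool, maxAttempts, attempts int) bool {
	if deleteBlocking || maxAttempts == 0 {
		return false
	}
	return attempts >= maxAttempts
}

// ErrNotFound stands in for a store's "certificate does not exist" response (assumed sentinel).
var ErrNotFound = errors.New("remote certificate not found")

// DeleteRemote runs the store's delete once. A missing identifier (secret never
// completed an initial sync) and a NotFound response both count as success so
// re-runs are idempotent and the secret is not wedged behind the finalizer.
func DeleteRemote(remoteID string, del func(id string) error) error {
	if remoteID == "" {
		return nil
	}
	if err := del(remoteID); err != nil && !errors.Is(err, ErrNotFound) {
		return err
	}
	return nil
}

// AddFinalizerPatch builds a strategic merge patch that merges our finalizer into
// metadata.finalizers (patchStrategy=merge), leaving other controllers' entries intact.
func AddFinalizerPatch() ([]byte, error) {
	return json.Marshal(map[string]any{
		"metadata": map[string]any{"finalizers": []string{FinalizerName}},
	})
}

// RemoveFinalizerPatch uses the $deleteFromPrimitiveList directive so only this
// controller's finalizer is removed rather than replacing the whole list.
func RemoveFinalizerPatch() ([]byte, error) {
	return json.Marshal(map[string]any{
		"metadata": map[string]any{"$deleteFromPrimitiveList/finalizers": []string{FinalizerName}},
	})
}

// IncrementAttempts bumps the delete-attempts counter in place; a missing or
// malformed value counts as zero. Returns the new count.
func IncrementAttempts(annotations map[string]string) int {
	n, _ := strconv.Atoi(annotations[AnnDeleteAttempts])
	if n < 0 {
		n = 0
	}
	n++
	annotations[AnnDeleteAttempts] = strconv.Itoa(n)
	return n
}

// SyncHashInput returns the annotations that participate in the cache hash,
// dropping bookkeeping keys so a retry-counter bump cannot trigger a spurious re-sync.
func SyncHashInput(annotations map[string]string) map[string]string {
	out := make(map[string]string, len(annotations))
	for k, v := range annotations {
		if k == AnnDeleteAttempts || k == AnnNextDelete {
			continue
		}
		out[k] = v
	}
	return out
}

func main() {
	// Constructed sample: cluster default is retain, but this secret opts in.
	ann := map[string]string{AnnSyncEnabled: "true", AnnDeletePolicy: "delete"}
	policy := ResolveDeletePolicy(ann, "retain")
	fmt.Println("effective policy:", policy)
	store := func(id string) error { return ErrNotFound } // store already lacks the cert
	if policy == "delete" {
		attempts := IncrementAttempts(ann)
		if err := DeleteRemote("arn:example:placeholder", store); err != nil { // constructed id
			fmt.Println("cleanup failed; force-remove finalizer:", ShouldForceRemoveFinalizer(false, 10, attempts))
			return
		}
	}
	p, _ := RemoveFinalizerPatch()
	fmt.Println("finalizer removal patch:", string(p))
}
```

The two patch helpers are the part worth reading closely: a naive implementation that reads `metadata.finalizers`, edits the slice and writes it back can race with another controller and silently drop its finalizer, whereas the merge directives let the API server apply only the delta.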
See the Cleaning up remote certificates on secret deletion section of the README for full details, including the namespace-deletion caveat and uninstall guidance.
Thanks to @aniketwdubey for the well-scoped issue and design discussion.