hcloud-cloud-controller-manager
HCCM does not remove/update managed certificate
Version 1.18.0
If you create a service like this:
annotations:
  load-balancer.hetzner.cloud/name: "ingress-nginx"
  load-balancer.hetzner.cloud/location: "nbg1"
  load-balancer.hetzner.cloud/certificate-type: "managed"
  load-balancer.hetzner.cloud/http-managed-certificate-name: "example.com"
  load-balancer.hetzner.cloud/http-managed-certificate-domains: "example.com"
A load balancer and certificate will be created successfully. The certificate will be labeled with the service UID:
However, when the load balancer is removed, the certificate is not. The next time a load balancer is created, HCCM sees that the certificate already exists and won't create it - but it also won't reuse it, because the service UID changed and doesn't match the certificate's label anymore. The HCCM logs:
controller.go:298] error processing service example/ingress-nginx-controller (retrying with exponential backoff): failed to ensure load balancer: hcloud/loadBalancers.EnsureLoadBalancer: hcops/LoadBalancerOps.ReconcileHCLBServices: hcops/hclbServiceOptsBuilder.buildAddServiceOpts: hcops/CertificateOps.GetCertificateByLabel: not found
This could be avoided if:
- HCCM would remove managed certificates when removing the load balancer (potentially undesired)
- HCCM would remove the service label from the certificate when removing the load balancer
- HCCM would add the service label to an existing certificate
- HCCM would match the certificate by name and not by label
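A simplified in-memory model of the behaviour reported above, added here as an illustration and not taken from HCCM or hcloud-go: every type and function name is hypothetical, and the store assumes certificate names are unique. It shows the label-only lookup failing for a recreated Service, next to a name-based lookup that relabels the existing certificate.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model, not HCCM code: certificates are unique by name and
// carry one label holding the UID of the Service that created them.
var errNotFound = errors.New("not found")

type cert struct{ name, serviceUID string }
type store struct{ byName map[string]*cert }

func (s *store) byLabel(uid string) (*cert, error) {
	for _, c := range s.byName {
		if c.serviceUID == uid {
			return c, nil
		}
	}
	return nil, errNotFound
}

// Reported behaviour: skip creation when the name is taken, then look up by label only.
func (s *store) ensureByLabel(name, uid string) (*cert, error) {
	if _, exists := s.byName[name]; !exists {
		s.byName[name] = &cert{name: name, serviceUID: uid}
	}
	return s.byLabel(uid)
}

// Proposed alternative: match by name and move the label to the current Service UID.
func (s *store) ensureAdopt(name, uid string) *cert {
	c, ok := s.byName[name]
	if !ok {
		c = &cert{name: name}
		s.byName[name] = c
	}
	c.serviceUID = uid
	return c
}

func main() {
	s := &store{byName: map[string]*cert{}}
	s.ensureByLabel("example.com", "uid-1")           // first Service creates and labels the certificate
	_, err := s.ensureByLabel("example.com", "uid-2") // recreated Service has a new UID
	c := s.ensureAdopt("example.com", "uid-2")
	fmt.Println(err, c.serviceUID)
}
```

In this model, matching by name lets any Service that requests the same certificate name take over the label, so the fallback fits only where that annotation is set by trusted parties.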
This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.
Still an issue
Confirmed the issue still exists. I will close this issue in favor of #709 as it has a little bit more detail about the bug.