haproxy-ingress
Remove sign request from error queue if cert was generated
After updating the ingress controller, my ClusterRole lost the privileges to create and update secrets. Because of this, the ingress was not able to save the secret with the cert, and after many retries we get rate limit errors. Maybe the leader should store the given certs in the pod in that case?
When we get a cert from LE, there is no need to call LE another time if something else is wrong.
Hi, first of all I recommend you build a metric collector and maybe track some issues, e.g. cert signing failures; doc here. HAProxy Ingress has some nice metrics and a suggested Grafana dashboard. We currently don't have a frontend app, so the dashboard acts as such and you can see what's happening inside the controller and the proxy itself. Besides that, such a failure is also issued in the controller log.
Regarding the proposal, all the certificate generation flow was designed to work in a stateless way. I need to think a bit more about how to store an intermediate state in the process: generated but not applied. Perhaps a new workqueue should do the job.
Regarding the error itself, I think that the current configuration is a bit tricky and should be provided in a simple-fast-all-in-one configuration. I'll also have a look at it.
Hi, I know what my problem was ;) but it's just a proposal: if something is wrong but the certificate was created, it should not be necessary to request it again and again ;] Nothing crucial and critical, but nice to have.