cloud-provider-openstack

[octavia-ingress-controller] - Could not retrieve certificate

Open lenglet-k opened this issue 3 years ago • 0 comments

/kind bug

What happened: I deployed Octavia Ingress Controller in a Kubernetes cluster, and when Octavia attempts to create resources for the ingress it gets this error:

INFO   [2022-09-19T16:04:54Z] secret created in Barbican                    ingress=ingress/exploitation-ingress-rules lbID=0c58e5f4-091a-44b6-b04e-aebc1895251c secretName=kube_ingress_rbs_ingress_exploitation-ingress-rules_monitoring-secret secretRef="https://key-managerxx.yyy.aaa.net/v1/secrets/XXXXX"

INFO   [2022-09-19T16:04:55Z] creating listener                             lbID=XXXX listenerName=kube_ingress_rbs_ingress_exploitation-ingress-rules
E0919 16:04:58.075473       1 controller.go:521] failed to create openstack resources for ingress ingress/exploitation-ingress-rules: error creating listener: Bad request with: [POST https://load-balancer.xxx.yyy.aaa.net/v2.0/lbaas/listeners], error message: {"faultcode": "Client", "faultstring": "Could not retrieve certificate: ['https://key-manager.xxx.yyy.aaa.net/v1/secrets/XXXX', 'https://key-manager..xxx.yyy.aaa.net/v1/secrets/XXXX']", "debuginfo": null}
I0919 16:04:58.075610       1 event.go:285] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"ingress", Name:"exploitation-ingress-rules", UID:"b0c9fca6-583c-4757-8317-c81785c9855c", APIVersion:"networking.k8s.io/v1", ResourceVersion:"2888684143", FieldPath:""}): type: 'Warning' reason: 'Failed' Failed to create openstack resources for ingress ingress/exploitation-ingress-rules: error creating listener: Bad request with: [POST https://load-balancer..xxx.yyy.aaa.net/v2.0/lbaas/listeners], error message: {"faultcode": "Client", "faultstring": "Could not retrieve certificate: ['https://key-manager.xxx.yyy.aaa.net/v1/secrets/XXX', 'https://key-manager.xxx.yyy.aaa.net/v1/secrets/XXX']", "debuginfo": null}

The listener creation failed. The certificate exists in Barbican.

What you expected to happen: The listener and all resources must be created.

How to reproduce it:

  • Use Managed Kubernetes Service on OVH
  • Create secret in kubernetes
  • Deploy octavia ingress controller
  • Create ingress rule and see log

Environment:

  • octavia-ingress-controller: 1.24.2
  • OpenStack version: Stein
  • Kubernetes 1.22

lenglet-k, Sep 20 '22 07:09