cloud-provider-openstack

[octavia-ingress-controller] failure to use cert-manager + Let's Encrypt

Open jouvin opened this issue 7 months ago • 2 comments

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug

/kind feature

What happened:

I have a K8s 1.28 cluster configured with the octavia-ingress-controller v1.29.0. I'm trying to configure TLS using cert-manager with the Let's Encrypt backend. I followed the instructions at https://github.com/cert-manager/cert-manager and https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/octavia-ingress-controller/using-octavia-ingress-controller.md#enable-tls-encryption to configure a test web server with TLS enabled.

The certificate and private key are created, as shown by kubectl describe certificate/secret. The challenges succeed and everything looks OK on the Let's Encrypt side. But the ingress fails to start with the following events:

  Type     Reason             Age   From                          Message
  ----     ------             ----  ----                          -------
  Normal   Creating           39m   openstack-ingress-controller  Ingress default/test-octavia-ingress-controller
  Normal   CreateCertificate  39m   cert-manager-ingress-shim     Successfully created Certificate "letsencrypt-staging"
  Warning  Failed             38m   openstack-ingress-controller  Failed to create openstack resources for ingress default/test-octavia-ingress-controller: failed to create Barbican secret: secrets "letsencrypt-staging" not found

What you expected to happen:

I expected the ingress to be able to use the created certificate and to start successfully! The same ingress configuration works if a "static certificate" (not managed by cert-manager) is used.

I suspect it is because the secret created by cert-manager has a suffix (letsencrypt-staging-mfzml instead of letsencrypt-staging).

How to reproduce it:

Configure cert-manager and the ingress service according to the mentioned documentation.

Anything else we need to know?:

I attach:

  • the YAML file I used to configure Ingress and test service (omitting the account config, which works as mentioned above).
  • kubectl describe certificate output
  • kubectl describe ingress output

Environment:

  • openstack-cloud-controller-manager(or other related binary) version: 1.28
  • OpenStack version: Antelope
  • Others:

jouvin avatar Jul 15 '24 11:07 jouvin
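
One way to check the secret-name mismatch suspected in the report above, as an added example that is not part of the original issue or of the project's code: it compares each `spec.tls[].secretName` of an Ingress with the Secrets present in its namespace and lists any that differ only by a suffix. The objects are constructed samples using the names from the report; the function name, the host and the suffixed secret's type and contents are assumptions.

```python
# Added diagnostic example; sample objects are constructed, shaped like the
# items returned by `kubectl get ingress,secret -n default -o json`.
TLS_KEYS = {"tls.crt", "tls.key"}

INGRESS = {
    "metadata": {"name": "test-octavia-ingress-controller", "namespace": "default"},
    "spec": {"tls": [{"hosts": ["test.example.org"],  # constructed host
                      "secretName": "letsencrypt-staging"}]},
}
SECRETS = [  # constructed: only the suffixed secret from the report exists
    {"metadata": {"name": "letsencrypt-staging-mfzml", "namespace": "default"},
     "type": "Opaque", "data": {"tls.key": "<base64 placeholder>"}},
]


def check_tls_secrets(ingress, secrets):
    """Report, per spec.tls[].secretName, whether a usable TLS Secret exists."""
    ns = ingress["metadata"].get("namespace", "default")
    by_name = {s["metadata"]["name"]: s for s in secrets
               if s["metadata"].get("namespace", "default") == ns}
    findings = []
    for entry in ingress.get("spec", {}).get("tls", []):
        want = entry.get("secretName")
        if not want:
            continue  # no secret referenced for this TLS entry
        secret = by_name.get(want)
        if secret is None:
            # List secrets that differ only by a "-suffix", as in the report.
            similar = sorted(n for n in by_name if n.startswith(want + "-"))
            findings.append({"secretName": want, "status": "missing", "similar": similar})
        elif (secret.get("type") != "kubernetes.io/tls"
              or not TLS_KEYS <= set(secret.get("data", {}))):
            findings.append({"secretName": want, "status": "not-a-tls-secret", "similar": []})
        else:
            findings.append({"secretName": want, "status": "ok", "similar": []})
    return findings


if __name__ == "__main__":
    for finding in check_tls_secrets(INGRESS, SECRETS):
        print(finding)
```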