[octavia-ingress-controller] failure to use cert-manager + Let's Encrypt #2627

jouvin opened this issue Jul 15, 2024 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments


jouvin commented Jul 15, 2024

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug

/kind feature

What happened:

I have a K8s 1.28 cluster configured with the octavia-ingress-controller v1.29.0. I'm trying to configure TLS using the cert-manager with the Let's Encrypt backend. I followed instructions at https://github.com/cert-manager/cert-manager and https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/octavia-ingress-controller/using-octavia-ingress-controller.md#enable-tls-encryption to configure a test web server with TLS enabled.

The certificate and private key are created, as shown by kubectl describe certificate/secret. The challenges succeed and everything looks ok on the Let's Encrypt side. But the ingress fails to start with the following events:

  Type     Reason             Age   From                          Message
  ----     ------             ----  ----                          -------
  Normal   Creating           39m   openstack-ingress-controller  Ingress default/test-octavia-ingress-controller
  Normal   CreateCertificate  39m   cert-manager-ingress-shim     Successfully created Certificate "letsencrypt-staging"
  Warning  Failed             38m   openstack-ingress-controller  Failed to create openstack resources for ingress default/test-octavia-ingress-controller: failed to create Barbican secret: secrets "letsencrypt-staging" not found

What you expected to happen:

I expected the ingress to be able to use the created certificate and to start successfully! The same ingress configuration works if a "static certificate" (not managed by cert-manager) is used.

I suspect it is because the secret created by cert-manager has a suffix (letsencrypt-staging-mfzml instead of letsencrypt-staging).

How to reproduce it:

Configure cert-manager and the ingress service according to the mentioned documentation.

Anything else we need to know?:

I attach:

  • the YAML file I used to configure Ingress and test service (omitting the account config, which works as mentioned above).
  • kubectl describe certificate output
  • kubectl describe ingress output

Environment:

  • openstack-cloud-controller-manager (or other related binary) version: 1.28
  • OpenStack version: Antelope
  • Others:
@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 15, 2024
jichenjc (Contributor) commented

I suspect it is because the secret created by cert-manager has a suffix (letsencrypt-staging-mfzml instead of letsencrypt-staging).

I didn't use Let's Encrypt before. Did you have a chance to try the suffix and no-suffix cases to confirm this error?

jouvin (Author) commented Sep 12, 2024

Sorry for the late follow-up after the summer break... I'm still fighting with this problem.

@jichenjc you mentioned suffix and no_suffix but I was not able to find any documentation about them. How do you do that? I suspect it is a label or an annotation in the YAML file but I'm not sure what the exact syntax is...

I troubleshot the problem further, and the presence of the suffix is because the secret is created with a temporary name until the challenge has succeeded. But because of this temporary name (with a suffix), the ingress fails to be created because of a Barbican error not finding the secret to copy... A chicken-and-egg problem. I found in https://devops.stackexchange.com/questions/19425/error-configuring-tls-error-secret-xxx-does-not-exist/19426#19426 the suggestion to add the following line but it has not worked yet...

acme.cert-manager.io/http01-edit-in-place: "true"  # Remove secret suffix according to

Has anybody succeeded in getting Let's Encrypt working with the Octavia Ingress controller?
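
Added example (not code from cloud-provider-openstack or cert-manager): a small diagnostic for the race described in this thread, run over constructed objects shaped like `kubectl get ingress,certificate,secret -o json` items. It assumes, as the reporter observed, that a suffixed secret such as `letsencrypt-staging-mfzml` is cert-manager's temporary secret and that the final secret will carry the Ingress's `secretName`.

```python
# Classify each TLS secretName an Ingress references: present, missing, no
# Certificate at all, or "issuance in progress" (only a suffixed temporary secret).
import re

# Constructed sample objects (not real cluster output) reproducing the report.
INGRESS = {
    "metadata": {"name": "test-octavia-ingress-controller", "namespace": "default",
                 "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt-staging"}},
    "spec": {"tls": [{"hosts": ["www.example.com"], "secretName": "letsencrypt-staging"}]},
}
CERTIFICATES = [{
    "metadata": {"name": "letsencrypt-staging", "namespace": "default"},
    "spec": {"secretName": "letsencrypt-staging"},
    "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist"}]},
}]
SECRETS = [{"metadata": {"name": "letsencrypt-staging-mfzml", "namespace": "default"}}]


def cert_ready(cert):
    """True when the Certificate carries a Ready=True condition."""
    conds = (cert or {}).get("status", {}).get("conditions", [])
    return any(c.get("type") == "Ready" and c.get("status") == "True" for c in conds)


def diagnose(ingress, certificates, secrets):
    """Return {secretName: (state, detail)} for every TLS entry of the Ingress."""
    ns = ingress["metadata"]["namespace"]
    names = {s["metadata"]["name"] for s in secrets if s["metadata"]["namespace"] == ns}
    certs = {c["spec"]["secretName"]: c for c in certificates
             if c["metadata"]["namespace"] == ns}
    result = {}
    for tls in ingress["spec"].get("tls", []):
        name = tls["secretName"]
        cert = certs.get(name)
        # Temporary secret (assumed naming from the report): base name plus "-<suffix>".
        temp = sorted(n for n in names if re.fullmatch(re.escape(name) + r"-[a-z0-9]+", n))
        if name in names:
            state = ("present", "ingress controller can copy it to Barbican")
        elif cert is None:
            state = ("no-certificate", "ingress-shim created no Certificate; check issuer annotation")
        elif temp and not cert_ready(cert):
            state = ("issuance-in-progress",
                     f"only temporary secret(s) {temp} exist until the ACME challenge completes")
        else:
            state = ("missing", "Certificate exists but its secret is absent")
        result[name] = state
    return result
```

Run against live data by feeding the `items` of each `kubectl get ... -o json` call into `diagnose`; the "issuance-in-progress" state is exactly the window in which the controller's Barbican copy fails.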

k8s-triage-robot commented

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 11, 2024