New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow ingressClassName
to be set for HTTP01 solver ingresses.
#4821
Comments
Thanks for opening the issue and the good problem description.
Would using the existing |
Hey @irbekrm, thanks for the reply! I think using the annotation should work! I will give it a shot early next week and report back. But still, I think the ability of adding the |
It's a good solution, but it wouldn't work in cases where something like ArgoCD or Flux is used to make sure what is deployed into the cluster matches what is specified in a Git repository. Those tools would just instantly overwrite the in-place edit cert-manager would do. |
IMHO this should be reclassified as a bug: many ingress controllers don't support the ingress annotation anymore that gets set when a For Update: and to make things worse, Update 2: I found the discussions about reverting to the annotation and I'm a bit surprised that there is no forward compatibility with |
Agree regarding the missing forward compatibility, as i do have to deal with the same issue. My workaround currently (using ingress-nginx 1.1.1 & cert-manager 1.7.1) is to delete the failed order & certificaterequest, retrigger the renewal with:
get the created ingress object as fast as possible after creation:
and patch the ingress object with the ingressClassName the ingress-nginx controller is using:
Would be great if the service is getting created with ingressClassName, as in my case i already completley moved away from any annotation related to ingress in my cluster. Also it should be seen as deprecated since k8s 1.18. Update: Now with ingress-nginx 1.1.2, they provide a backwards compatibility to the annotation, which makes my workaround obsolete. Anyway, a support for ingressClassName would be great :) |
Thanks for that patch line, @auwaerter. I hope this gets fixed soon, because it's a bit of a pain. |
Same here. It's definitely a regression bug to revert to the annotation. Stupid question, why not set both? (Annotation + ingressClassName) |
There are some (rather lengtly) discussions that shows how/why that decision was made here #4537 and on Slack here with some more links, but TLDR is backwards compatibility |
Could a solution be for cert manager to set the ingressclassname if it can see an ingressclassresource with the same class name, and set the annotation otherwise? Either way, being able to choose to adopt the behavior through a different annotation or field would be sufficient for our uses. |
We're stuck between a rock and a hard place here. Unless a conformance test for Ingress is written and adhered to by all Ingress controllers we have to choose the most compatible option, which is still currently the annotation. I still don't believe we can use ingressClassName on ingress-gce for example. (kubernetes/ingress-gce#1301) Perhaps we could add a feature gate command line flag to cert-manager that chooses between the annotation and spec versions of ingress class? I don't want to change our API (crds) for this. |
Hi all, This is a big issue, and now even using the "http01-edit-in-place: "true" annotation could be resolved the problem completely. The solution proposed by @Robfz is great, but with some changes maybe, example solvers: |
Issues go stale after 90d of inactivity. |
/remove-lifecycle stale We're using cert-manager with Kong Ingress Controller and rely upon the ingress class being set correctly. Once PR #4439 was reverted, this broke our setup. It appears that the Kong Ingress Controller does not honor the annotation IMO, having a feature flag to enable use of Unfortunately we're not able to use the annotation Edit: After doing more testing, we found that Kong Ingress Controller was correctly processing the deprecated annotation. We think a separate config issue was the real cause for our issues. This is working fine for us now. |
bumping this... trying to use cilium's ingress controller and it requires |
Also the "blocking" issue with kubernetes/ingress-gce#1301 has been closed now. It would be appreciated if when v1 is detected, that it uses |
just wasted 8 hours wondering why I get 404... turns out it's because the annotation doesn't work or is not picked up by cert-manager... works fine with edit-in-place but for how long? |
Any updates on this? How are we supposed to move forward? |
This cluster issuer deployment seems to work for me. https://gist.github.com/dvjjoling/0a4bb444cc3fca9f65d55e4b0fff784a |
ingress-gce now only uses v1 apis, so this is no longer an issue |
@Robfz I would change solvers:
- http01:
ingress:
ingressClassName: external-nginx to solvers:
- http01:
ingress:
className: external-nginx
|
@irbekrm Hello from the community! We are struggling without this feature because the only option left for us now is to add issuer per ingress class, which leads to many letsencrypt issuers like letsencrypt-nginx, letsencrtypt-class-1, letsencrtypt-class-2, etc. What can we do to move this forward? Thank you in advance for all your work. |
Hi @nabokihms there isn't really many options for us- we cannot start using the field instead of annotation as it would break backwards compatibility and both the field and the annotation aren't supported. I would be open to the idea of adding a flag as per #5225 but we need to understand whether that is a solution that would work
Again linking this Slack chat with sig-network folks for context https://kubernetes.slack.com/archives/C09QYUH5W/p1641818790038500 |
I upgraded our helm chart for ingress-nginx from 4.4.0 to 4.5.2 and it looks like it has fixed it. |
In the OP's case, ingress-nginx (>v1.0.1) already picks up ingresses that have the I have looked at 13 ingress controllers, and the only one that doesn't support the Note: the annotation The real problem is that cert-manager can't be configured to work with an IngressClass. The ingress controller that is used by cert-manager can't be configured with an IngressClassParams resource. I suggest that we move on with implementing #5225 in a backwards-compatible way. |
Is your feature request related to a problem? Please describe.
I have multiple
IngressControllers
running in my cluster. Each of them is configured to only control ingresses with a givenIngressClass
(as described in Ingress Nginx documentation). With the recent revert of changes derived from this discussion (#4537 (comment)), if I add theclass
property to the solver'sIngress
spec, the now deprecatedkubernetes.io/ingress.class
annotation will be used:This will result in the
Ingress
created by the solver to never being picked up by anyIngressController
, resulting in the inability of the solver to complete the challenge. Currently, we are solving this by manually editing the Ingress deployment to include the desiredingressClassName
, but this implies manual work every time new certificates need to be updated/issued.Describe the solution you'd like
I understand (and agree) that maintaining compatibility is important. Given my limited context of this project, it would be nice to have the option to set the
ingressClassName
like this:This way, the
class
attribute could still be implemented with the anotation, and newer clients could opt-in to useIngressClasses
.Describe alternatives you've considered
We could probably use another
IngressController
without anyIngressClass
set in its configuration, allowing it to pickup the ingresses created bycert-manager
, but that seems more like a workaround that a solution.Additional context
None, but may provide more if asked.
Environment details (remove if not applicable):
/kind feature
The text was updated successfully, but these errors were encountered: