New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ingress with multiple hosts will break ingress when new hosts are added #974
Comments
I run into the same problem. I checked with v0.5.0 and v0.4.1. |
I think I might be experiencing a similar issue, except my issue happens when any of the certificates are automatically renewed when the expiry date is within 30 days. When a certificate is renewed then all hosts are deleted from the ingress, leaving only the default backend. Here are my annotations:
Environment:
I'm wondering if this issue can be avoided by not using the Is anyone else experiencing this? |
@pkdetlefsen My config was exactly same as yours. If I remove "certmanager.k8s.io/acme-http01-edit-in-place", cert-manager create another ingress than current ingress. That new ingress can't accept "challenge" because ip address is different than the domain's one. If I use v0.4.1 with the config, it works well. |
Ah, that's right. Just remembered that I started using the option to get around that issue. |
@wapa5pow I took a look at #831, which you mentioned. As I understand the code it loops through the rules of your Ingress to find the domain matching your certificate. Once it finds the matching host it checks if it contains the temporary path used for the ACME challenge and deletes that path if it exists. If there are more paths remaining then that rule is saved. However, it seems like all the rules that doesn't match the certificate domain are simply dropped because none of them are added to the Perhaps we need an |
btw. I have |
@pkdetlefsen How are you comparing rules? Are you just compare strings (what about wildcards in pathes)? I just have same issue and I'm not sure what caused it. But I have locations '/*' |
I think the cleanup process uses string comparison between the host in the rules section and the domain in the certificate. I would need someone familiar with the code to confirm/deny whether the issue is actually caused by #831 or not. |
Describe the bug:
well it's hard to describe and my title is probably not good, feel free to edit.
currently if my ingress is big:
cert-manager will now break the ingress if I would add a new host/tld, i.e. I add tld4.de and www.tld4.de to tls rules and host rules.
i.e. it will remove all OTHER hosts from the rules section and only add the two ones that need a new certificate, after that all other ingress rules are lost forever, however the tls section will be kept.
i.e. the ingress after adding the new host will be changed by cert-manager to:
instead of keeping my good old host list
Expected behaviour:
A concise description of what you expected to happen.
only updating values and not discaring correct entries. never actually remove sections from the ingress
Steps to reproduce the bug:
Steps to reproduce the bug should be clear and easily reproducible to help people
gain an understanding of the problem.
create a ingress like me and add hosts after you already have a valid certificate
Anything else we need to know?:
I'm like 60% sure that this behavior worked fine in 0.4
Environment details::
/kind bug
The text was updated successfully, but these errors were encountered: