Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

help request: ingress TLS certificate update #1190

Closed
wangyp0701 opened this issue Jul 26, 2022 · 5 comments · Fixed by #1243 or #1715
Closed

help request: ingress TLS certificate update #1190

wangyp0701 opened this issue Jul 26, 2022 · 5 comments · Fixed by #1243 or #1715
Assignees
@lingsamuel
Labels
question Further information is requested triage/accepted Indicates an issue or PR is ready to be actively worked on.
Milestone
v1.6.0

Comments

@wangyp0701
Copy link
Contributor

wangyp0701 commented Jul 26, 2022
edited
Loading

Description

Apisix configures the ingress TLS certificate, which is normal at first. After a period of time, the domain name certificate in ingress is not updated after the TLS certificate is updated。
Apisixroutes + apisixtlses can update TLS normally

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{},"name":"nginx-1","namespace":"default"},"spec":{"ingressClassName":"apisix","rules":[{"host":"13.k.3.com","http":{"paths":[{"backend":{"service":{"name":"nginx-1","port":{"number":80}}},"path":"/","pathType":"Prefix"}]}}],"tls":[{"hosts":["13.k.3.com"],"secretName":"test-zero.tls"}]}}
  creationTimestamp: "2022-04-15T08:49:13Z"
  generation: 1
  name: nginx-1
  namespace: default
  resourceVersion: "3390038"
  uid: 0eb29c54-cdca-4668-81ba-8895f9a50cfa
spec:
  ingressClassName: apisix
  rules:
  - host: 13.k.3.com
    http:
      paths:
      - backend:
          service:
            name: nginx-1
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - 13.k.3.com
    secretName: test-zero.tls
status:
  loadBalancer: {}

Environment

  • APISIX version ( 2.13.1):
  • Operating system (4.15.0-173-generic):
  • OpenResty / Nginx version (run openresty -V or nginx -V):
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
  • APISIX Dashboard version, if relevant:
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
@spacewander spacewander transferred this issue from apache/apisix Jul 26, 2022
@tao12345666333
Copy link
Member

After a period of time, the domain name certificate in ingress is not updated after the TLS certificate is updated。

How did you renew the certificate?

@tao12345666333 tao12345666333 added the question Further information is requested label Jul 26, 2022
@wangyp0701
Copy link
Contributor Author

I update automatically through cert-Manager

@tao12345666333
Copy link
Member

Can you provide a minimal steps to reproduce? Thanks

@wangyp0701
Copy link
Contributor Author

wangyp0701 commented Jul 27, 2022
edited
Loading

Can you provide a minimal steps to reproduce? Thanks

I don't know how to reproduce it.

image
It points to the same secretname

image
apisixroute

image
ingress

Certificate status

root@k8s-master1:~/yml/cert-manager# kubectl describe certificate t.ebuick-3 
Name:         t.ebuick-3
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2022-04-13T04:13:22Z
  Generation:          1
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:commonName:
        f:dnsNames:
        f:issuerRef:
          .:
          f:kind:
          f:name:
        f:secretName:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-04-13T04:13:22Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
        f:notAfter:
        f:notBefore:
        f:renewalTime:
        f:revision:
    Manager:         controller
    Operation:       Update
    Subresource:     status
    Time:            2022-06-12T15:59:59Z
  Resource Version:  25876764
  UID:               dcf95a19-40f9-450d-9a6b-221c4fcd5789
Spec:
  Common Name:  k.ebuick-3.com
  Dns Names:
    k.ebuick-3.com
    *.k.ebuick-3.com
  Issuer Ref:
    Kind:       ClusterIssuer
    Name:       dnspod-zerossl-prod
  Secret Name:  test-zero.ebuick-3-tls
Status:
  Conditions:
    Last Transition Time:  2022-04-13T04:16:50Z
    Message:               Certificate is up to date and has not expired
    Observed Generation:   1
    Reason:                Ready
    Status:                True
    Type:                  Ready
  Not After:               2022-09-15T23:59:59Z
  Not Before:              2022-06-17T00:00:00Z
  Renewal Time:            2022-08-16T15:59:59Z
  Revision:                2
Events:                    <none>

@tao12345666333 tao12345666333 added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Jul 29, 2022
@tao12345666333 tao12345666333 added this to the v1.6.0 milestone Jul 29, 2022
@lingsamuel lingsamuel mentioned this issue Aug 12, 2022
Merged
1 task
Repository owner moved this from In Progress to Done in Apache APISIX Ingress controller Sep 21, 2022
@tao12345666333
Copy link
Member

Recently @AlinsRan reproduced this issue in v1.6, @lingsamuel PTAL

@tao12345666333 tao12345666333 reopened this Mar 6, 2023
@lingsamuel lingsamuel self-assigned this Mar 7, 2023
@lingsamuel lingsamuel mentioned this issue Mar 8, 2023
Merged
1 task
@AlinsRan AlinsRan mentioned this issue Mar 8, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lingsamuel lingsamuel

Labels
question Further information is requested triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
Apache APISIX Ingress controller
Archived in project
Milestone
v1.6.0
3 participants
@tao12345666333 @lingsamuel @wangyp0701