bug: When ingress uses cert-manager to issue a certificate, the route and upstream cannot be generated normally #1711

Closed
shareinto opened this issue Mar 6, 2023 · 2 comments
Labels
bug Something isn't working triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@shareinto
Contributor

Current Behavior

Create an ingress and use cert-manager to issue a certificate. Checking the log at this point shows that the secret cannot be found and the ingress cannot be translated correctly.

kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-codefriend-dns
    kubernetes.io/ingress.class: apisix
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/service-weight: ""
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: echo
  namespace: default
spec:
  rules:
  - host: xxxxxxx
    http:
      paths:
      - backend:
          service:
            name: echo-service
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - xxxxxxx
    secretName: echo

The error log:

2023-03-06T16:54:47+08:00       error   translation/translator.go:134   failed to translate ingress tls to apisix tls   {"error": "secret \"echo\" not found", "ingress": "&Ingress{ObjectMeta:{echo  default  ac5cc100-3927-48a9-a7fe-bfa85de5e71f 395422539 1 2023-03-06 16:54:47 +0800 HKT <nil> <nil> map[] map[cert-manager.io/cluster-issuer:letsencrypt-codefriend-dns kubectl.kubernetes.io/last-applied-configuration:{\"apiVersion\":\"networking.k8s.io/v1\",\"kind\":\"Ingress\",\"metadata\":{\"annotations\":{\"cert-manager.io/cluster-issuer\":\"letsencrypt-codefriend-dns\",\"kubernetes.io/ingress.class\":\"nginx\",\"kubernetes.io/tls-acme\":\"true\",\"nginx.ingress.kubernetes.io/service-weight\":\"\",\"nginx.ingress.kubernetes.io/ssl-redirect\":\"true\"},\"name\":\"echo\",\"namespace\":\"default\"},\"spec\":{\"rules\":[{\"host\":\"echoten.lfszo.codefriend.top\",\"http\":{\"paths\":[{\"backend\":{\"service\":{\"name\":\"echo-service\",\"port\":{\"number\":80}}},\"path\":\"/\",\"pathType\":\"Prefix\"}]}}],\"tls\":[{\"hosts\":[\"echoten.lfszo.codefriend.top\"],\"secretName\":\"echo\"}]}}\n kubernetes.io/ingress.class:nginx kubernetes.io/tls-acme:true nginx.ingress.kubernetes.io/service-weight: nginx.ingress.kubernetes.io/ssl-redirect:true] [] [] [{kubectl-client-side-apply Update networking.k8s.io/v1 2023-03-06 16:54:47 +0800 HKT FieldsV1 {\"f:metadata\":{\"f:annotations\":{\".\":{},\"f:cert-manager.io/cluster-issuer\":{},\"f:kubectl.kubernetes.io/last-applied-configuration\":{},\"f:kubernetes.io/ingress.class\":{},\"f:kubernetes.io/tls-acme\":{},\"f:nginx.ingress.kubernetes.io/service-weight\":{},\"f:nginx.ingress.kubernetes.io/ssl-redirect\":{}}},\"f:spec\":{\"f:rules\":{},\"f:tls\":{}}} 
}]},Spec:IngressSpec{DefaultBackend:nil,TLS:[]IngressTLS{IngressTLS{Hosts:[echoten.lfszo.codefriend.top],SecretName:echo,},},Rules:[]IngressRule{IngressRule{Host:echoten.lfszo.codefriend.top,IngressRuleValue:IngressRuleValue{HTTP:&HTTPIngressRuleValue{Paths:[]HTTPIngressPath{HTTPIngressPath{Path:/,Backend:IngressBackend{Resource:nil,Service:&IngressServiceBackend{Name:echo-service,Port:ServiceBackendPort{Name:,Number:80,},},},PathType:*Prefix,},},},},},},IngressClassName:nil,},Status:IngressStatus{LoadBalancer:{[]},},}"}

Until the secret is created, the ingress is not reprocessed, so the corresponding route and upstream are not created.

Expected Behavior

When waiting until the secret is created, the corresponding route and upstream should be created correctly.

Steps to Reproduce

  1. Create an Ingress like below:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-codefriend-dns
    kubernetes.io/ingress.class: apisix
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/service-weight: ""
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  name: echo
  namespace: default
spec:
  rules:
  - host: xxxxxxx
    http:
      paths:
      - backend:
          service:
            name: echo-service
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - xxxxxxx
    secretName: echo

Environment

  • APISIX Ingress controller version (run apisix-ingress-controller version --long)
Git SHA: no-git-module
Go Version: go1.19.4
Building OS/Arch: linux/amd64
Running OS/Arch: linux/amd64
  • Kubernetes cluster version (run kubectl version)
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.6", GitCommit:"ad3338546da947756e8a88aa6822e9c11e7eac22", GitTreeState:"clean", BuildDate:"2022-04-14T08:49:13Z", GoVersion:"go1.17.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.11-aliyun.1", GitCommit:"757dfe7e010afcfa31591df65f26b4b80540975e", GitTreeState:"clean", BuildDate:"2022-04-20T09:01:29Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"linux/amd64"}
  • OS version if running APISIX Ingress controller in a bare-metal environment (run uname -a)
@AlinsRan AlinsRan added bug Something isn't working triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Mar 6, 2023
@shareinto
Contributor Author


The intention here is to handle the case where the ingress cannot be found, but when the secret cannot be found it enters this branch as well, resulting in the ingress being unable to retry in the future.
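
The failure mode described in the comment above, as an added Go example that is not apisix-ingress-controller code: a sync handler that treats every not-found error as "ingress deleted" never requeues while the TLS secret is still being issued, whereas one that separates the two cases does. All type and function names here are hypothetical, and the cluster state is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins (assumed names): ingressTLS maps ingress key -> TLS secretName.
type notFound struct{ kind, name string }
type cluster struct{ ingressTLS, secrets map[string]string }

func (e notFound) Error() string { return fmt.Sprintf("%s %q not found", e.kind, e.name) }

// translate returns a not-found error for a missing ingress or a missing secret.
func (c *cluster) translate(key string) error {
	secret, ok := c.ingressTLS[key]
	if !ok {
		return notFound{"ingress", key}
	}
	if c.secrets[secret] == "" {
		return notFound{"secret", secret}
	}
	return nil
}

// syncBuggy drops the key on any not-found error, as if the ingress were deleted.
func syncBuggy(c *cluster, key string) (requeue bool) {
	err := c.translate(key)
	return err != nil && !errors.As(err, new(notFound))
}

// syncFixed drops the key only when the ingress itself is gone; a missing secret is retried.
func syncFixed(c *cluster, key string) (requeue bool) {
	var nf notFound
	err := c.translate(key)
	return err != nil && !(errors.As(err, &nf) && nf.kind == "ingress")
}

// routesCreated syncs until no requeue is requested; the secret appears after round one.
func routesCreated(sync func(*cluster, string) bool) (created bool) {
	c := &cluster{map[string]string{"default/echo": "echo"}, map[string]string{}}
	for requeue := true; requeue; {
		requeue = sync(c, "default/echo")
		created = c.translate("default/echo") == nil // what this sync round saw
		c.secrets["echo"] = "constructed-cert"       // cert-manager issues the secret later
	}
	return created
}

func main() { fmt.Println("buggy:", routesCreated(syncBuggy), "fixed:", routesCreated(syncFixed)) }
```
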

@AlinsRan
Contributor

AlinsRan commented Mar 8, 2023

This issue is related to #1190. I will close this issue.
Let us track #1190.

@AlinsRan AlinsRan closed this as completed Mar 8, 2023