Cert-manager: ingress-shim does not update Certificate resource if _any_ `ingress.tls.hosts` entries are invalid

Created on 22 Aug 2019 · 9Comments · Source: jetstack/cert-manager

Describe the bug:
When I update an ingress with a new route and a new hostname to tls-section(I add the new hostname to the list of hosts. I can see that cert-manager syncs the updated ingress, but it does not update the certificate (nor updates the order or create any new challenges). Obviously the secret is not updated either.

If I manually update the Certificate, everything else works as expected (order is updated and challenge is created, in the end the secret/tls-certificate is updated and valid).

Expected behaviour:
I expect the Certificate to be updated.

Steps to reproduce the bug:
I'm not sure... This is my (slightly redacted for readability) ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    certmanager.k8s.io/issuer: nefle-issuer-traefik
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Ingress", XXXX}
    kubernetes.io/ingress.class: traefik1
    traefik.ingress.kubernetes.io/redirect-entry-point: https
  creationTimestamp: "2019-07-03T07:31:59Z"
  generation: 211
  name: traefik-ingress
  namespace: nefle
  resourceVersion: "70993933"
  selfLink: /apis/extensions/v1beta1/namespaces/nefle/ingresses/traefik-ingress
  uid: a48c3a7c-9d64-11e9-ad49-42010aa60151
spec:
  rules:
  - host: '*.demo.nefle.no'
    http:
      paths:
      - backend:
          serviceName: nefle
          servicePort: 3000
        path: /
  - http:
      paths:
      - backend:
          serviceName: nefle
          servicePort: 3000
        path: /
  - host: demo.nefle.no
    http:
      paths:
      - backend:
          serviceName: nefle
          servicePort: 80
        path: /
  - host: test.r6.no
    http:
      paths:
      - backend:
          serviceName: nefle
          servicePort: 80
        path: /
  - host: www.test.r6.no
    http:
      paths:
      - backend:
          serviceName: nefle
          servicePort: 80
        path: /
  - host: www.nytt.r6.no
    http:
      paths:
      - backend:
          serviceName: nefle
          servicePort: 3000
        path: /
  - host: nytt.r6.no
    http:
      paths:
      - backend:
          serviceName: nefle
          servicePort: 3000
        path: /
  tls:
  - hosts:
    - demo.nefle.no
    - test.r6.no
    - www.test.r6.no
    - www.nytt.r6.no
    - nytt.r6.no
    secretName: all-nefle-cert
  - secretName: nefle-cert
status:
  loadBalancer: {}

And my certificate:

 apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  creationTimestamp: "2019-07-04T09:27:05Z"
  generation: 1
  name: all-nefle-cert
  namespace: nefle
  ownerReferences:
  - apiVersion: extensions/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: Ingress
    name: traefik-ingress
    uid: a48c3a7c-9d64-11e9-ad49-42010aa60151
  resourceVersion: "70327646"
  selfLink: /apis/certmanager.k8s.io/v1alpha1/namespaces/nefle/certificates/all-nefle-cert
  uid: e33c6cbb-9e3d-11e9-ad49-42010aa60151
spec:
  dnsNames:
  - demo.nefle.no
  - test.r6.no
  - www.test.r6.no
  issuerRef:
    kind: Issuer
    name: nefle-issuer-traefik
  secretName: all-nefle-cert
status:
  conditions:
  - lastTransitionTime: "2019-08-20T08:00:20Z"
    message: Certificate is up to date and has not expired
    reason: Ready
    status: "True"
    type: Ready
  lastFailureTime: "2019-08-05T15:33:36Z"
  notAfter: "2019-11-18T07:00:18Z"

Anything else we need to know?:

Environment details::

Kubernetes version (e.g. v1.12.7-gke.25):
Cloud-provider: GKE
cert-manager version: 0.9.1
Install method: Helm

/kind bug

areingress-shim good first issue help wanted kinbug prioritimportant-longterm

Source

Richard87

Most helpful comment

/assign

irbekrm on 29 Jan 2021

🚀1 🎉1

All 9 comments

The problem was the empty hosts element for the secret 'all-nefle-cert', CertManager assumed the Ingress is not valid, and ignores any changes.

The Error event that is returned is not visible in the logs...
https://github.com/jetstack/cert-manager/blob/master/pkg/controller/ingress-shim/sync.go#L94
https://github.com/jetstack/cert-manager/blob/master/pkg/controller/ingress-shim/sync.go#L159

Richard87 on 28 Aug 2019

Hm, so just to confirm, this was caused by the additional tls[] entry not having any hosts, despite the fact the first entry in this list does have hosts?

I'd guess that we can probably safely update the Certificate for the valid tls entries in this case, so this is in fact a bug that we can be better with.

Marking this as help wanted - we should be able to relax our validation here (and possibly update ingress-shim if required too 😄)

munnerz on 7 Sep 2019

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

retest-bot on 6 Dec 2019

/remove-lifecycle stale

Richard87 on 6 Dec 2019

retest-bot on 5 Mar 2020

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

retest-bot on 4 Apr 2020

This would be a good first issue for someone that wants to get involved 😄

/remove-lifecycle rotten

munnerz on 24 Apr 2020

/assign

irbekrm on 29 Jan 2021

🚀1 🎉1

There are three cases where we assume that Ingress is invalid - if any of the spec.tls.hosts or spec.tls.secretName fields are empty as well as if there is a duplicate spec.tls.secretName field.
I guess if we are relaxing the validation to allow an empty spec.tls.hosts field, we should do the same for an empty spec.tls.secretName. (Whilst a duplicate spec.tls.secretName should still invalidate the Ingress).