cert-manager loop if an ingress with two hosts but twice the same secret is provided

Created on 23 Sep 2019 · 2 Comments · Source: jetstack/cert-manager

Describe the bug:
cert-manager hangs if an ingress with two hosts but twice the same secret is provided.
Example ingress:

spec:
  tls:
  - hosts:
    - endpoint1.test.com
    secretName: both-use-the-same
  - hosts:
    - endpoint2.test.com
    secretName: both-use-the-same

This will block the cert-manager instance handling this ingress with an infinite loop of:

I0920 14:00:15.759615       1 controller.go:168] ingress-shim controller: syncing item 'example/example-ingress'
I0920 14:00:15.759640       1 sync.go:140] Certificate "both-use-the-same" for ingress "example-ingress" already exists
I0920 14:00:15.759664       1 sync.go:140] Certificate "both-use-the-same" for ingress "example-ingress" already exists
I0920 14:00:15.759678       1 sync.go:143] Certificate "both-use-the-same" for ingress "example-ingress" is up to date
I0920 14:00:15.953745       1 controller.go:182] ingress-shim controller: Finished processing work item "example/example-ingress"

Expected behaviour:
One of the following:

  • Cert-manager refuses the ingress as it cannot handle it
  • Cert-manager creates a SAN Certificate instead and maybe a warning as this doesn't seem like a good practice (I guess it would fail again on several ingresses with the same secret anyway so this might not be a good idea)
  • Cert-manager retries as it currently does but does not block the whole instance
  • Cert-manager fails just like it currently does but the problem is documented and it is a wontfix

Steps to reproduce the bug:
Push an ingress with this spec for tls:

spec:
  tls:
  - hosts:
    - endpoint1.test.com
    secretName: both-use-the-same
  - hosts:
    - endpoint2.test.com
    secretName: both-use-the-same

Anything else we need to know?:
I tried to find any issue with the same problem / documentation stating that this does not work but couldn't find anything.

Environment details:

  • Kubernetes version (e.g. v1.10.2): v1.15.3
  • Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): ---
  • cert-manager version (e.g. v0.4.0): quay.io/jetstack/cert-manager-controller:v0.5.2
  • Install method (e.g. helm or static manifests): static manifests (via Kubespray addons)

/kind bug
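
A pre-deployment check for the Ingress shape in the report above, as an added example (not part of the original issue or of cert-manager's code): it reads the JSON that `kubectl get ingress -A -o json` produces and flags any secretName used by more than one spec.tls entry of the same Ingress. The function name, the type and the sample input are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ingress models only the fields this check reads.
type ingress struct {
	Metadata struct{ Namespace, Name string } `json:"metadata"`
	Spec     struct {
		TLS []struct {
			Hosts      []string `json:"hosts"`
			SecretName string   `json:"secretName"`
		} `json:"tls"`
	} `json:"spec"`
}

// DuplicateTLSSecrets reads an Ingress list (JSON) and reports every secretName
// that more than one spec.tls entry of the same Ingress points at.
func DuplicateTLSSecrets(listJSON []byte) ([]string, error) {
	var list struct{ Items []ingress `json:"items"` }
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	var findings []string
	for _, ing := range list.Items {
		groups := map[string][][]string{} // secretName -> hosts of each tls entry
		for _, t := range ing.Spec.TLS {
			groups[t.SecretName] = append(groups[t.SecretName], t.Hosts)
		}
		for secret, g := range groups {
			if len(g) > 1 && secret != "" { // entries without a secretName are skipped
				findings = append(findings, fmt.Sprintf("%s/%s: secret %q shared by %d tls entries %v",
					ing.Metadata.Namespace, ing.Metadata.Name, secret, len(g), g))
			}
		}
	}
	sort.Strings(findings) // map iteration order is random; keep output stable
	return findings, nil
}

// sample is constructed for this example and mirrors the spec in the report.
const sample = `{"items":[{"metadata":{"namespace":"example","name":"example-ingress"},"spec":{"tls":[
 {"hosts":["endpoint1.test.com"],"secretName":"both-use-the-same"},
 {"hosts":["endpoint2.test.com"],"secretName":"both-use-the-same"}]}}]}`

func main() { fmt.Println(DuplicateTLSSecrets([]byte(sample))) }
```

A finding here means the two host lists should be merged into a single tls entry or given separate secret names before the manifest is applied.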


All 2 comments

Hi there!

v0.5.2 is a very old version of cert-manager now - nearly a year. Would you be able to upgrade to the v0.10 and come back?

You can follow the docs here.

Please re-open/open a new issue once you've tested this with 0.10 - we've had some changes recently that prevent this sort of thing causing an infinite loop 😄
