[octavia-ingress-controller] failure to use cert-manager + Let's Encrypt

[jouvin]

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug

/kind feature

What happened:

I have a K8s 1.28 cluster configured with the octaiva-ingress-controller v1.29.0. I'm trying to configure TLS using the cert-manager with the Let's Encrypt backend. I followed instructions at https://github.com/cert-manager/cert-manager and https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/octavia-ingress-controller/using-octavia-ingress-controller.md#enable-tls-encryption to configure a test web server with TLS enabled.

The certificate and private key are created as showed by kubectl describe certificate/secret. The challenges succeeds and every looks ok on the Let's Encrypt Side. But the ingress fails to start with the following events:

  Type     Reason             Age   From                          Message
  ----     ------             ----  ----                          -------
  Normal   Creating           39m   openstack-ingress-controller  Ingress default/test-octavia-ingress-controller
  Normal   CreateCertificate  39m   cert-manager-ingress-shim     Successfully created Certificate "letsencrypt-staging"
  Warning  Failed             38m   openstack-ingress-controller  Failed to create openstack resources for ingress default/test-octavia-ingress-controller: failed to create Barbican secret: secrets "letsencrypt-staging" not found

What you expected to happen:

I expected the ingress to be able to use the created certificate and to start successfully! The same ingress configuration works if a "static certificate" (not managed by cert-manager) is used.

I suspect it is because the secret created by cert-manager has a suffix (letsencrypt-staging-mfzml instead of letsencrypt-staging).

How to reproduce it:

Configure cert-manager and the the ingress service according to the mentioned documentation.

Anything else we need to know?:

I attach:

• the YAML file I used to configure Ingress and test service (ommitting the account config, which works as mentioned above).
• kubectl describe certificate output
• kubectl describe ingressoutput

Environment:

• openstack-cloud-controller-manager(or other related binary) version: 1.28
• OpenStack version: Antelope
• Others:

[jichenjc]

I suspect it is because the secret created by cert-manager has a suffix (letsencrypt-staging-mfzml instead of letsencrypt-staging).

I didn't use let's encrypt before, did you have chance to try the suffix and no suffix case to confirm this error?

[jouvin]

Sorry for the late follow-up after the summer break... I'm still fighting with this problem.

@jichenjc you mentioned suffix and no_suffix but I was not able to find any documentation about them? How do you do that? I suspect it is a label or an annotation in the YAML file but no sure what the exact syntax...

I troubleshooted more the problem and the presence of the suffix is because the secret is created with a temporary name until the challenge has succeeded. But because of this temporary name (with a suffix), the ingress fails to be created because of Barbican error not finding the secret to copy... A chick&egg problem. I found in https://devops.stackexchange.com/questions/19425/error-configuring-tls-error-secret-xxx-does-not-exist/19426#19426 the suggestion to add the following line but it has not worked yet...

acme.cert-manager.io/http01-edit-in-place: "true"  # Remove secret suffix according to

Has somebody succeeded to get Let's Encrypt working with the Octavia Ingress controller?