Ingress controller cannot read the secret

6/1/2019

I get the following error in the nginx ingress pod log:

E0601 04:15:05.883895 11 annotations.go:188] error reading CertificateAuth annotation in Ingress val33-idx/dev-20190601t0309-index-data-ingress: error obtaining certificate: local SSL certificate val33-idx/dev-20190601t0309-index-data-ingress-secrets was not found

Below are the objects from the cluster (with kubectl get --namespace val33-idx -o yaml ...).

The ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx-publisher
    nginx.ingress.kubernetes.io/auth-tls-secret: val33-idx/dev-20190601t0309-index-data-ingress-secrets
    nginx.ingress.kubernetes.io/auth-tls-verify-client: optional_no_ca
    nginx.ingress.kubernetes.io/limit-connections: "10"
    nginx.ingress.kubernetes.io/limit-rps: "200"
    nginx.ingress.kubernetes.io/proxy-body-size: 50m
    nginx.ingress.kubernetes.io/proxy-connect-timeout: 20s
    nginx.ingress.kubernetes.io/proxy-read-timeout: 120s
    nginx.ingress.kubernetes.io/proxy-send-timeout: 60s
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/ssl-ciphers: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  creationTimestamp: 2019-06-01T03:09:10Z
  generation: 4
  labels:
    app: index-data-publisher
    app.kubernetes.io/component: index-data-ingress
    app.kubernetes.io/instance: dev-20190601t0309
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: index-data-publisher
    app.kubernetes.io/part-of: index-data
    app.kubernetes.io/version: 0.6.0-0.1
    business-line: data-management
    env: dev
    helm.sh/chart: index-data-2.0.0
    index-data-component: publisher
  name: dev-20190601t0309-index-data-ingress
  namespace: val33-idx
  resourceVersion: "2532272"
  selfLink: /apis/extensions/v1beta1/namespaces/val33-idx/ingresses/dev-20190601t0309-index-data-ingress
  uid: a0867cb3-841a-11e9-a2af-0ed5588f57fc
spec:
  rules:
  - host: val33-idx.idx-data-dev.symdev.us
    http:
      paths:
      - backend:
          serviceName: dev-20190601t0309-index-data-publisher-service
          servicePort: 3000
        path: /publisher/(.+)
  tls:
  - hosts:
    - val33-idx.idx-data-dev.symdev.us
    secretName: val33-idx/dev-20190601t0309-index-data-ingress-secrets

The secret:

apiVersion: v1
data:
  ca.crt: Ii0tLS0tQkV...
  dhparam.pem: Ii0tLS0tQkVH...
  tls.crt: Ii0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLVxuTUlJRGZ6Q0NBbWVnQ...
  tls.key: Ii0tLS0tQkVHSU4gUFJJVkFURSBLRVktLS0tLVxuTUlJRXZRSUJBRE...
kind: Secret
metadata:
  creationTimestamp: 2019-06-01T03:09:10Z
  labels:
    app: index-data-publisher
    app.kubernetes.io/component: index-data-ingress-secrets
    app.kubernetes.io/instance: dev-20190601t0309
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: index-data-publisher
    app.kubernetes.io/part-of: index-data
    app.kubernetes.io/version: 0.6.0-0.1
    business-line: data-management
    env: dev
    helm.sh/chart: index-data-2.0.0
    index-data-component: publisher
  name: dev-20190601t0309-index-data-ingress-secrets
  namespace: val33-idx
  resourceVersion: "2526472"
  selfLink: /api/v1/namespaces/val33-idx/secrets/dev-20190601t0309-index-data-ingress-secrets
  uid: a066a3a0-841a-11e9-a2af-0ed5588f57fc
type: kubernetes.io/tls

And the deployment of the ingress controller:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "4"
  creationTimestamp: 2019-06-01T03:09:10Z
  generation: 4
  labels:
    app: index-data-publisher
    app.kubernetes.io/component: index-data-ingress
    app.kubernetes.io/instance: dev-20190601t0309
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: index-data-publisher
    app.kubernetes.io/part-of: index-data
    app.kubernetes.io/version: 0.6.0-0.1
    business-line: data-management
    env: dev
    helm.sh/chart: index-data-2.0.0
    index-data-component: publisher
  name: dev-20190601t0309-index-data-ingress
  namespace: val33-idx
  resourceVersion: "2532354"
  selfLink: /apis/extensions/v1beta1/namespaces/val33-idx/deployments/dev-20190601t0309-index-data-ingress
  uid: a081af59-841a-11e9-a2af-0ed5588f57fc
spec:
  progressDeadlineSeconds: 2147483647
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: index-data-publisher
      app.kubernetes.io/component: index-data-ingress-pod
      app.kubernetes.io/instance: dev-20190601t0309
      app.kubernetes.io/managed-by: Tiller
      app.kubernetes.io/name: index-data-publisher
      app.kubernetes.io/part-of: index-data
      app.kubernetes.io/version: 0.6.0-0.1
      business-line: data-management
      env: dev
      helm.sh/chart: index-data-2.0.0
      index-data-component: publisher
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
        checksum/config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
      creationTimestamp: null
      labels:
        app: index-data-publisher
        app.kubernetes.io/component: index-data-ingress-pod
        app.kubernetes.io/instance: dev-20190601t0309
        app.kubernetes.io/managed-by: Tiller
        app.kubernetes.io/name: index-data-publisher
        app.kubernetes.io/part-of: index-data
        app.kubernetes.io/version: 0.6.0-0.1
        business-line: data-management
        env: dev
        helm.sh/chart: index-data-2.0.0
        index-data-component: publisher
      name: dev-20190601t0309-index-data-ingress-pod
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        - --default-backend-service=val33-idx/dev-20190601t0309-index-data-default-backend-service
        - --configmap=val33-idx/dev-20190601t0309-index-data-ingress-config
        - --election-id=ingress-controller-leader
        - --ingress-class=nginx-publisher
        - --watch-namespace=val33-idx
        - --v=5
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.24.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: dev-20190601t0309-index-data-nginx
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 443
          name: https
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        securityContext:
          capabilities:
            add:
            - NET_BIND_SERVICE
            drop:
            - ALL
          runAsUser: 33
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: dev-20190601t0309-index-data-ingress-account
      serviceAccountName: dev-20190601t0309-index-data-ingress-account
      terminationGracePeriodSeconds: 60

Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: 2019-06-01T05:04:11Z
  labels:
    app: index-data-publisher
    app.kubernetes.io/component: index-data-ingress-role
    app.kubernetes.io/instance: dev-20190601t0504
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: index-data-publisher
    app.kubernetes.io/part-of: index-data
    app.kubernetes.io/version: 0.6.0-0.1
    business-line: data-management
    env: dev
    helm.sh/chart: index-data-2.0.0
    index-data-component: publisher
  name: dev-20190601t0504-index-data-ingress-role
  namespace: val33-idx
  resourceVersion: "2536605"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/val33-idx/roles/dev-20190601t0504-index-data-ingress-role
  uid: b1a3e5eb-842a-11e9-a2af-0ed5588f57fc
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  - endpoints
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - get
  - list
  - update
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - ingresses/status
  verbs:
  - update
- apiGroups:
  - ""
  resourceNames:
  - ingress-controller-leader-nginx-publisher
  resources:
  - configmaps
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - create
  - get
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch

ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: 2019-06-01T05:04:11Z
  labels:
    app: index-data-publisher
    app.kubernetes.io/component: index-data-ingress-cluster-role
    app.kubernetes.io/instance: dev-20190601t0504
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: index-data-publisher
    app.kubernetes.io/part-of: index-data
    app.kubernetes.io/version: 0.6.0-0.1
    business-line: data-management
    env: dev
    helm.sh/chart: index-data-2.0.0
    index-data-component: publisher
  name: dev-20190601t0504-index-data-ingress-cluster-role
  resourceVersion: "2536599"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/dev-20190601t0504-index-data-ingress-cluster-role
  uid: b1a061f9-842a-11e9-a2af-0ed5588f57fc
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch

What am I doing wrong here? Please help.

-- Valo
kubernetes
kubernetes-ingress
kubernetes-secrets
nginx-ingress
tls1.2
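
A diagnostic added here, not part of the original post: the `data` values in the Secret above begin with `Ii0tLS0t`, which base64-decodes to `"-----`, and `tls.crt` contains `LVxu`, which decodes to `-\n` with a literal backslash. The Python check below tests whether a `Secret.data` value decodes to a well-formed PEM block and shows how JSON quoting produces exactly that prefix; the function names and the sample certificate bytes are constructed for illustration, and the check covers PEM structure only, not X.509 validity.

```python
import base64
import json
import re

# A PEM block: header line, base64 body on real newline-separated lines, footer.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n([A-Za-z0-9+/=\r\n]+)-----END \1-----"
)

def diagnose(b64_value):
    """Return a list of problems for one base64 value taken from Secret.data."""
    raw = base64.b64decode(b64_value, validate=True)
    problems = []
    if raw.startswith(b'"'):
        problems.append("starts with a literal double quote")
    if b"\\n" in raw:
        problems.append("contains literal backslash-n instead of newlines")
    match = PEM_BLOCK.search(raw)
    if not match:
        problems.append("no well-formed PEM block")
    else:
        try:
            base64.b64decode(b"".join(match.group(2).split()), validate=True)
        except ValueError:
            problems.append("PEM body is not valid base64")
    return problems

def repair(b64_value):
    """Undo JSON quoting (assumed cause) and return a value fit for Secret.data."""
    text = json.loads(base64.b64decode(b64_value))
    return base64.b64encode(text.encode()).decode()

def make_pem(der, label="CERTIFICATE"):
    """Wrap bytes in PEM armor; encodebytes ends its output with a newline."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed sample: 48 placeholder bytes, not a real certificate.
GOOD_PEM = make_pem(bytes(range(48)))
GOOD_B64 = base64.b64encode(GOOD_PEM.encode()).decode()
# Same PEM, but JSON-quoted before being base64-encoded into the Secret.
BAD_B64 = base64.b64encode(json.dumps(GOOD_PEM).encode()).decode()

if __name__ == "__main__":
    for name, value in (("good", GOOD_B64), ("bad", BAD_B64)):
        print(name, value[:24], diagnose(value) or "ok")
    print("repaired:", diagnose(repair(BAD_B64)) or "ok")
```
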

0 Answers