SSL flaky on NGINX Ingress Controller (0.9.0-beta8) #212
Comments
This sounds like a problem with the new implementation of nginx-ingress not automatically reloading its config upon secret changes. kube-lego itself does not inform nginx-ingress to reload directly, it simply updates the TLS secret object. It's then the responsibility of the ingress controller to trigger a reload of its own config in a timely manner. With regards to validation of the two, not as far as I'm aware. There are definitely no tests for it within the kube-lego repository yet at least. I'm going to close this issue for now, as the comments in the corresponding issue on the nginx repository seem to show that the secret itself is being created successfully, which is the extent of kube-lego's responsibility. Feel free to open if you think I've been hasty with that conclusion!
@cguethle I cannot reproduce this with kube-lego 0.1.5 and nginx-ingress-controller 0.9-beta.10. Please keep in mind that after kube-lego generates the certificate and the new secret is detected in the ingress controller, it can take up to 10 seconds to reload the ingress controller.
I will update tomorrow and test my setup.
We have a new installation here. Fresh pods, new cert successfully issued. But nginx-ingress-controller:0.9-beta.10 continues to ignore and does not reload. Can someone please reopen the issue?
I haven't diagnosed this fully, but I'm seeing issues with kube-lego 1.4 correctly setting up the ingress on 0.9.0-beta8. It feels like it is close to working, but requires a restart of the nginx-ingress-controller pod after deploying a new ingress with the appropriate tls/etc specified. Prior on 1.3+0.8.3, everything worked as expected (no restart necessary).
Has there been any 1.4 validation on 0.9.0 yet? Not complaining, just curious. :)
I will post more details if I can figure them out, but kube-lego + nginx-ingress-controller is magic to me, so will see.
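One way to tell the two cases in this thread apart (secret updated, controller not reloaded) is to compare the certificate stored in the TLS secret with the one the ingress actually serves. This is an added example, not part of the thread and not kube-lego or nginx-ingress code; the function names are hypothetical, the input is assumed to be the output of `kubectl get secret <name> -o json`, and the sample "certificates" are constructed placeholder bytes.

```python
import base64
import hashlib
import json
import socket
import ssl

END = "-----END CERTIFICATE-----"


def secret_fingerprint(secret_json: str) -> str:
    """SHA-256 of the leaf certificate in a kubernetes.io/tls Secret (JSON text)."""
    secret = json.loads(secret_json)
    chain = base64.b64decode(secret["data"]["tls.crt"]).decode("ascii").lstrip()
    # tls.crt may hold leaf + issuer; the leaf is the first PEM block.
    leaf_pem = chain[: chain.index(END) + len(END)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf_pem)).hexdigest()


def served_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """SHA-256 of the certificate the ingress presents for `host` via SNI."""
    ctx = ssl.create_default_context()
    # Verification is disabled for this probe only: a controller that has not
    # reloaded may present a different or untrusted certificate, and that is
    # exactly the state being detected. Do not reuse this context for traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def is_stale(secret_json: str, served_fp: str) -> bool:
    """True when the ingress serves something other than the secret's leaf cert."""
    return secret_fingerprint(secret_json) != served_fp.lower()


def make_constructed_secret(der_blobs) -> str:
    """Build a constructed Secret whose tls.crt holds placeholder bytes, not real certs."""
    pem = "".join(ssl.DER_cert_to_PEM_cert(d) for d in der_blobs)
    data = {"tls.crt": base64.b64encode(pem.encode("ascii")).decode("ascii")}
    return json.dumps({"type": "kubernetes.io/tls", "data": data})


if __name__ == "__main__":
    new, old = b"constructed-leaf-new", b"constructed-leaf-old"
    secret = make_constructed_secret([new, b"constructed-issuer"])
    print("stale:", is_stale(secret, hashlib.sha256(old).hexdigest()))
```

Against a live cluster, pass the result of `served_fingerprint("your.host")` as the second argument; a mismatch that persists well beyond the reload delay mentioned above points at the controller rather than at the secret.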