After deleting the tls secret, the file remains in the controller container. #4094

Closed
qw1mb0 opened this issue May 16, 2019 · 1 comment

qw1mb0 commented May 16, 2019

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):
No

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):
pem, certificate, remove, stuck, delete, tls, secret


Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG REPORT

NGINX Ingress controller version: 0.20.0

Kubernetes version (use kubectl version): v1.10.10

Environment:

  • Cloud provider or hardware configuration: hardware
  • OS (e.g. from /etc/os-release): 16.04.5 LTS (Xenial Xerus)
  • Kernel (e.g. uname -a): Linux prod-kube-master 4.15.0-47-generic #50~16.04.1-Ubuntu SMP Fri Mar 15 16:06:21 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
  • Install tools:
  • Others:

What happened:
After removing the tls section from the ingress object, the pem file remains in the container, and the Prometheus metric nginx_ingress_controller_ssl_expire_time_seconds indicates that the certificate has expired, but there is no secret in the Kubernetes cluster.

What you expected to happen: After deleting the secret and deleting tls section from the ingress object, the file must also be removed from the container.

How to reproduce it (as minimally and precisely as possible):
Create a secret with a certificate and ingress that uses it:

# kubectl -n kube-system  get ing dashboard -o yaml --export
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/auth-realm: Authentication Required
    ingress.kubernetes.io/auth-secret: basic-auth
    ingress.kubernetes.io/auth-type: basic
    kubernetes.io/ingress.class: nginx
  creationTimestamp: null
  generation: 1
  labels:
    app: dashboard
  name: dashboard
  selfLink: /apis/extensions/v1beta1/namespaces/kube-system/ingresses/dashboard
spec:
  rules:
  - host: dashboard.kube.asidorov.name
    http:
      paths:
      - backend:
          serviceName: dashboard
          servicePort: 80
        path: /
  tls:
  - hosts:
    - dashboard.kube.asidorov.name
    secretName: ingress-tls


# kubectl -n kube-system  get secret ingress-tls
NAME          TYPE                DATA      AGE
ingress-tls   kubernetes.io/tls   2         1d

Remove the certificate and remove the tls section from the ingress:

# kubectl -n kube-system  delete secret ingress-tls
# kubectl -n kube-system  edit ingresses.extensions dashboard

Let's look at the files in the controller container:

www-data@kube-master:/etc/nginx$ ls -lah /etc/ingress-controller/ssl/kube-system*
-rw-r--r-- 1 www-data www-data  887 May 15 10:57 /etc/ingress-controller/ssl/kube-system-ingress-tls-full-chain.pem
-rw------- 1 www-data www-data 1.1K May 15 10:57 /etc/ingress-controller/ssl/kube-system-ingress-tls.pem

After deleting the pod with the controller:

www-data@kube-master:/etc/nginx$ ls -lah /etc/ingress-controller/ssl/kube-system*
ls: cannot access '/etc/ingress-controller/ssl/kube-system*': No such file or directory

aledbf (Member) commented May 16, 2019

Closing. Please update to 0.24.1. Since 0.24 there are no pem files in the container (#3808)

aledbf closed this as completed May 16, 2019
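
For controllers older than 0.24 that still write PEM files, the check below lists files in the ssl directory that have no matching Secret left in the cluster. It is an added example, not code from the issue or from the ingress-nginx project; the function names, the `POD`/`NS` placeholders and the `default`/`shop-tls` Secret are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not project code): list PEM files in the controller's ssl
# directory whose backing Secret no longer exists.
#
# Live inputs could be gathered like this (POD and NS are placeholders):
#   kubectl -n NS exec POD -- sh -c 'ls /etc/ingress-controller/ssl/*.pem' > pems.txt
#   kubectl get secrets --all-namespaces --no-headers \
#     -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name > secrets.txt

# find_orphan_pems PEM_LIST SECRET_LIST
#   PEM_LIST:    one file path per line
#   SECRET_LIST: "namespace name" per line
find_orphan_pems() {
  pem_list=$1
  secret_list=$2
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    key=${path##*/}               # drop the directory part
    key=${key%.pem}               # e.g. kube-system-ingress-tls[-full-chain]
    chainless=${key%-full-chain}  # same key without the chain suffix
    found=0
    # Namespace and Secret names can both contain "-", so the file name cannot
    # be split reliably; rebuild "<namespace>-<name>" from each live Secret.
    while read -r ns name; do
      [ -n "$ns" ] || continue
      if [ "$key" = "$ns-$name" ] || [ "$chainless" = "$ns-$name" ]; then
        found=1
        break
      fi
    done < "$secret_list"
    [ "$found" -eq 1 ] || printf '%s\n' "$path"
  done < "$pem_list"
}

# Constructed sample: the two stale files from the report, plus one file
# backed by a constructed live Secret (default/shop-tls).
demo_orphans() {
  tmp=$(mktemp -d) || return 1
  cat > "$tmp/pems.txt" <<'EOF'
/etc/ingress-controller/ssl/kube-system-ingress-tls-full-chain.pem
/etc/ingress-controller/ssl/kube-system-ingress-tls.pem
/etc/ingress-controller/ssl/default-shop-tls.pem
EOF
  printf 'default shop-tls\nkube-system basic-auth\n' > "$tmp/secrets.txt"
  find_orphan_pems "$tmp/pems.txt" "$tmp/secrets.txt"
  rm -rf "$tmp"
}

demo_orphans
```

Because two different namespace/name pairs can produce the same file name, a match only means some live Secret could own the file; every path the function prints has no possible owner.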