If you have nginx-ingress integrated with an application via the ingress-relation, and set up nginx-ingress with a tls certificate, then an ingress-relation-changed (even without data change) removes the tls cert k8s secret and sets nginx back to http. This seems to be because https://github.com/canonical/nginx-ingress-integrator-operator/blob/main/src/charm.py#L282 returns false even though the cert is present.
Environment
Reproduced on multipass vm with juju 3.1.8
╭─ubuntu@repo-policy-nginx-error ~ [microk8s:repo-policy]
╰─$ juju status 130 ↵
Model        Controller  Cloud/Region        Version  SLA          Timestamp
repo-policy  microk8s    microk8s/localhost  3.1.8    unsupported  13:14:59+02:00

App                       Version  Status  Scale  Charm                     Channel  Rev  Address         Exposed  Message
httprequest-lego-k8s               active      1  httprequest-lego-k8s      edge      79  10.152.183.181  no
nginx-ingress-integrator  24.2.0   active      1  nginx-ingress-integrator  edge      95  10.152.183.45   no       Ingress IP(s): 127.0.0.1
postgresql-k8s            14.11    active      1  postgresql-k8s            14/edge  239  10.152.183.198  no       Primary
repo-policy-compliance             active      1  repo-policy-compliance    edge       2  10.152.183.20   no

Unit                        Workload  Agent  Address      Ports  Message
httprequest-lego-k8s/0      active    idle   10.1.67.143
nginx-ingress-integrator/0  active    idle   10.1.67.148         Ingress IP(s): 127.0.0.1
postgresql-k8s/0            active    idle   10.1.67.140         Primary
repo-policy-compliance/0    active    idle   10.1.67.146
Relevant log output
unit-nginx-ingress-integrator-0: 12:55:43 DEBUG unit.nginx-ingress-integrator/0.juju-log Emitting Juju event ingress_relation_changed.
unit-nginx-ingress-integrator-0: 12:55:43 WARNING unit.nginx-ingress-integrator/0.juju-log 'app' expected but not received.
unit-nginx-ingress-integrator-0: 12:55:43 WARNING unit.nginx-ingress-integrator/0.juju-log 'app_name' expected in snapshot but not found.
unit-nginx-ingress-integrator-0: 12:55:44 WARNING unit.nginx-ingress-integrator/0.juju-log 'app' expected but not received.
unit-nginx-ingress-integrator-0: 12:55:44 WARNING unit.nginx-ingress-integrator/0.juju-log 'app_name' expected in snapshot but not found.
unit-nginx-ingress-integrator-0: 12:55:44 DEBUG unit.nginx-ingress-integrator/0.juju-log Emitting custom event <IngressPerAppDataProvidedEvent via NginxIngressCharm/IngressPerAppProvider[ingress]/on/data_provided[214]>.
unit-nginx-ingress-integrator-0: 12:55:44 WARNING unit.nginx-ingress-integrator/0.juju-log Certificate not yet available for github-runner-webhook-router.staging.canonical.com
unit-nginx-ingress-integrator-0: 12:55:44 INFO unit.nginx-ingress-integrator/0.juju-log service updated in namespace repo-policy with name relation-17-repo-policy-compliance-service
unit-nginx-ingress-integrator-0: 12:55:44 INFO unit.nginx-ingress-integrator/0.juju-log Using ingress class public as it is the cluster's default
unit-nginx-ingress-integrator-0: 12:55:44 INFO unit.nginx-ingress-integrator/0.juju-log ingress updated in namespace repo-policy with name relation-17-github-runner-webhook-router-staging-canonical-com-ingress
unit-nginx-ingress-integrator-0: 12:55:44 INFO unit.nginx-ingress-integrator/0.juju-log endpoint slice deleted in namespace repo-policy with name relation-17-repo-policy-compliance-service-c9xch
unit-nginx-ingress-integrator-0: 12:55:44 INFO unit.nginx-ingress-integrator/0.juju-log secret deleted in namespace repo-policy with name nginx-ingress-integrator-cert-tls-secret-github-runner-webhook-router.staging.canonical.com
unit-nginx-ingress-integrator-0: 12:55:44 DEBUG unit.nginx-ingress-integrator/0.juju-log The previous ingress-relation-changed was fired by jhack.
To Reproduce
1. juju deploy repo-policy-compliance --config charm_token=xy --config github_token=foobar
2. juju deploy postgresql-k8s --trust
3. juju integrate postgresql-k8s repo-policy-compliance
4. juju deploy nginx-ingress-integrator --trust --config service-hostname="yourhostname" --config path-routes="/" --channel edge --revision=95
5. juju deploy httprequest-lego-k8s --channel edge --revision 79 --config email="youremail" --config httpreq_endpoint="yourendpoint" --config httpreq_username=youruser --config httpreq_password="yourpassword"
6. juju integrate nginx-ingress-integrator repo-policy-compliance
7. juju integrate nginx-ingress-integrator httprequest-lego-k8s
8. curl https://yourhostname/health succeeds
9. jhack fire nginx-ingress-integrator/0 ingress-relation-changed
10. curl https://yourhostname/health fails

Instead of 9 you can also run
juju config repo-policy-compliance github_token=foobar2
which will trigger an ingress_relation_changed
with the same data.
Additional context
No response
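
A check that could be run over juju debug-log output to catch the HTTPS-to-HTTP fallback described in this report: it flags every TLS secret deletion together with the Juju event that triggered it. This is an added example, not part of the original report or the charm's code; the sample lines are copied from the log output above, and treating the text after "cert-tls-secret-" as the hostname is an assumption drawn from that one log line.

```python
import re

# Log lines copied from the report above (only the ones relevant to the check).
SAMPLE_LOG = """\
unit-nginx-ingress-integrator-0: 12:55:43 DEBUG unit.nginx-ingress-integrator/0.juju-log Emitting Juju event ingress_relation_changed.
unit-nginx-ingress-integrator-0: 12:55:44 WARNING unit.nginx-ingress-integrator/0.juju-log Certificate not yet available for github-runner-webhook-router.staging.canonical.com
unit-nginx-ingress-integrator-0: 12:55:44 INFO unit.nginx-ingress-integrator/0.juju-log ingress updated in namespace repo-policy with name relation-17-github-runner-webhook-router-staging-canonical-com-ingress
unit-nginx-ingress-integrator-0: 12:55:44 INFO unit.nginx-ingress-integrator/0.juju-log secret deleted in namespace repo-policy with name nginx-ingress-integrator-cert-tls-secret-github-runner-webhook-router.staging.canonical.com
"""

LINE = re.compile(r"^(?P<unit>unit-\S+): (?P<time>\d\d:\d\d:\d\d) (?P<level>[A-Z]+) \S+ (?P<msg>.*)$")
EVENT = re.compile(r"^Emitting Juju event (\w+)\.$")
NO_CERT = re.compile(r"^Certificate not yet available for (\S+)$")
# Assumption: the secret name ends in "cert-tls-secret-<hostname>", as in the log above.
DELETED = re.compile(r"^secret deleted in namespace (\S+) with name (\S*cert-tls-secret-(\S+))$")

def find_tls_secret_deletions(log_text):
    """Return one finding per TLS secret deletion, tagged with the Juju event that caused it."""
    findings = []
    state = {}  # unit -> {"event": last Juju event seen, "no_cert": hostnames reported without cert}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        unit_state = state.setdefault(m["unit"], {"event": None, "no_cert": set()})
        msg = m["msg"]
        if ev := EVENT.match(msg):
            unit_state["event"] = ev[1]      # a new hook starts: reset per-event state
            unit_state["no_cert"] = set()
        elif nc := NO_CERT.match(msg):
            unit_state["no_cert"].add(nc[1])
        elif d := DELETED.match(msg):
            findings.append({
                "unit": m["unit"], "time": m["time"], "event": unit_state["event"],
                "namespace": d[1], "secret": d[2], "hostname": d[3],
                "cert_reported_missing": d[3] in unit_state["no_cert"],
            })
    return findings

if __name__ == "__main__":
    for f in find_tls_secret_deletions(SAMPLE_LOG):
        print(f"{f['time']} {f['unit']}: {f['event']} deleted {f['namespace']}/{f['secret']} "
              f"(cert reported missing: {f['cert_reported_missing']})")
```

A finding whose event is a relation-changed hook and whose cert_reported_missing is true matches the sequence in this report and is a cue to confirm that the hostname still serves HTTPS.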