cert-manager / google-cas-issuer

cert-manager issuer for Google CA Service
Apache License 2.0

ClusterIssuer not responding to ingress annotations #66

Open yeyep opened 2 years ago

yeyep commented 2 years ago

Hi guys,

we have successfully installed GCA Issuer in our cluster. We followed the instructions in the readme. We have already verified the installation by manually deploying a Certificate Manifest in our GKE. A CertificateRequest was then created and the certificate is also visible in the GCP.

Our cluster issuer:

apiVersion: cas-issuer.jetstack.io/v1beta1
kind: GoogleCASClusterIssuer
metadata:
  name: google-cas-issuer
spec:
  project: XXXXXX
  location: europe-west4
  caPoolId: XXXXX
  credentials:
    name: "googlesa"
    key: "credentials.json"

Deployment:

resource "kubernetes_deployment" "deployment_google_cas_issuer" {
  metadata {
    name      = "google-cas-issuer"
    namespace = kubernetes_namespace.certmanager.metadata.0.name
    labels = {
      app = "google-cas-issuer"
    }
  }

  spec {
    replicas = 1
    selector {
      match_labels = {
        app = "google-cas-issuer"
      }
    }

    template {
      metadata {
        labels = {
          app = "google-cas-issuer"
        }
      }

      spec {
        service_account_name             = kubernetes_service_account.ksa_google_cas_issuer.metadata[0].name
        termination_grace_period_seconds = 10
        container {
          image   = "quay.io/jetstack/cert-manager-google-cas-issuer:latest"
          name    = "google-cas-issuer"
          args    = ["--enable-leader-election", "--zap-devel=true"]
          command = ["/google-cas-issuer"]

          resources {
            limits = {
              cpu    = "100m"
              memory = "100Mi"
            }
            requests = {
              cpu    = "100m"
              memory = "20Mi"
            }
          }
        }
      }
    }
  }
}

This issuer works without problems when manually deploying a Certificate Resource, no matter in which namespace.

In the next step, we wanted to use the Issuer in our Ingress manifests. To do this, we added the following annotations:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: iti-c-kirby-playground
  namespace: iti-c-kirby-playground
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 64m
    cert-manager.io/cluster-issuer: google-cas-issuer
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - hosts:
        - DOMAIN
      secretName: domain-tls
  rules:
  - host: DOMAIN
    http:
      paths:
        - pathType: Prefix
          path: "/"
          backend:
            service:
              name: iti-c-kirby-playground
              port:
                number: 80     

When we deploy this Ingress configuration, then we get the following error message within our CertificateRequest:

IssuerNotFound ...

After some research, we found the following issue (#43) and added the two suggested annotations to our Ingress:

    cert-manager.io/issuer-kind: GoogleCASClusterIssuer
    cert-manager.io/issuer-group: cas-issuer.jetstack.io

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: iti-c-kirby-playground
  namespace: iti-c-kirby-playground
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 64m
    cert-manager.io/cluster-issuer: google-cas-issuer
    cert-manager.io/issuer-kind: GoogleCASClusterIssuer
    cert-manager.io/issuer-group: cas-issuer.jetstack.io
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
    - hosts:
        - DOMAIN
      secretName: domain-tls
  rules:
  - host: DOMAIN
    http:
      paths:
        - pathType: Prefix
          path: "/"
          backend:
            service:
              name: iti-c-kirby-playground
              port:
                number: 80     

If we deploy this Ingress Resource, then nothing happens. The cert manager does not create a certificate resource and also in the logs this part is completely skipped and there are no entries. As if this ingress resource does not exist or has no annotations at all.

What are we doing wrong or what configuration are we missing?

Thanks for your help.

Greetings, Daniel

JoshVanL commented 2 years ago

Hi @yeyep, rather than using:

    cert-manager.io/cluster-issuer: google-cas-issuer
    cert-manager.io/issuer-kind: GoogleCASClusterIssuer
    cert-manager.io/issuer-group: cas-issuer.jetstack.io

you need to use:

    cert-manager.io/issuer: google-cas-issuer
    cert-manager.io/issuer-kind: GoogleCASClusterIssuer
    cert-manager.io/issuer-group: cas-issuer.jetstack.io

mikejoseph-ah commented 2 years ago

I am experiencing the same issue, did you manage to get a fix?

Is it possible for the Ingress resource to create a Certificate resource through annotations? Edit: yes it can: https://cert-manager.io/docs/usage/ingress/

mukesh-mohanan-db commented 2 years ago

> I am experiencing the same issue, did you manage to get a fix?
>
> Is it possible for the Ingress resource to create a Certificate resource through annotations? Edit: yes it can: https://cert-manager.io/docs/usage/ingress/

If you use the below, it works:

    cert-manager.io/issuer: googlecasclusterissuer-sample # issuer name
    cert-manager.io/issuer-group: cas-issuer.jetstack.io
    cert-manager.io/issuer-kind: GoogleCASClusterIssuer # reference to the issuer we deployed in the cluster

bvoogel commented 1 year ago

> > I am experiencing the same issue, did you manage to get a fix? Is it possible for the Ingress resource to create a Certificate resource through annotations? Edit: yes it can: https://cert-manager.io/docs/usage/ingress/
>
> If you use the below, it works:
>
>     cert-manager.io/issuer: googlecasclusterissuer-sample # issuer name
>     cert-manager.io/issuer-group: cas-issuer.jetstack.io
>     cert-manager.io/issuer-kind: GoogleCASClusterIssuer # reference to the issuer we deployed in the cluster

This did not work for me. Is there a fix for this yet? We are using a GoogleCASClusterIssuer. Adding these annotations, all three together, causes the ingress deployment to fail.
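
The annotation combinations tried in this thread, run through a simplified model of how Ingress annotations are turned into a Certificate's issuerRef. This is an added example, not code from cert-manager or google-cas-issuer; the function name, the error texts, the default group and the precedence rules are assumptions based on the annotation semantics in the cert-manager ingress documentation linked above.

```go
package main

import (
	"errors"
	"fmt"
)

// IssuerRef is the issuer reference a generated Certificate would carry.
type IssuerRef struct{ Name, Kind, Group string }

// ResolveIssuerRef is a simplified model (an assumption, not cert-manager's code)
// of how the Ingress annotations quoted in this thread map to an issuerRef.
func ResolveIssuerRef(ann map[string]string) (IssuerRef, error) {
	issuer, hasIssuer := ann["cert-manager.io/issuer"]
	cluster, hasCluster := ann["cert-manager.io/cluster-issuer"]
	kind, hasKind := ann["cert-manager.io/issuer-kind"]
	group, hasGroup := ann["cert-manager.io/issuer-group"]
	switch {
	case !hasIssuer && !hasCluster:
		return IssuerRef{}, errors.New("no issuer annotation, Ingress is skipped")
	case hasIssuer && hasCluster:
		return IssuerRef{}, errors.New("issuer and cluster-issuer are both set")
	case hasCluster && (hasKind || hasGroup):
		return IssuerRef{}, errors.New("cluster-issuer set together with issuer-kind/issuer-group")
	}
	// Defaults refer to cert-manager's built-in issuer types.
	ref := IssuerRef{Name: issuer, Kind: "Issuer", Group: "cert-manager.io"}
	if hasCluster {
		ref.Name, ref.Kind = cluster, "ClusterIssuer"
	}
	if hasKind {
		ref.Kind = kind
	}
	if hasGroup {
		ref.Group = group
	}
	return ref, nil
}

func main() {
	// Annotation sets copied from the Ingress variants posted in the thread.
	first := map[string]string{"cert-manager.io/cluster-issuer": "google-cas-issuer"}
	second := map[string]string{"cert-manager.io/cluster-issuer": "google-cas-issuer",
		"cert-manager.io/issuer-kind": "GoogleCASClusterIssuer", "cert-manager.io/issuer-group": "cas-issuer.jetstack.io"}
	third := map[string]string{"cert-manager.io/issuer": "googlecasclusterissuer-sample",
		"cert-manager.io/issuer-kind": "GoogleCASClusterIssuer", "cert-manager.io/issuer-group": "cas-issuer.jetstack.io"}
	for _, ann := range []map[string]string{first, second, third} {
		fmt.Println(ResolveIssuerRef(ann))
	}
}
```

In this model the first set resolves to a built-in `ClusterIssuer` named `google-cas-issuer`, which does not exist and matches the `IssuerNotFound` report; the second is rejected before any Certificate is created; the third points at the `GoogleCASClusterIssuer` in group `cas-issuer.jetstack.io`.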