haproxytech / kubernetes-ingress

HAProxy Kubernetes Ingress Controller
https://www.haproxy.com/documentation/kubernetes/
Apache License 2.0
719 stars 202 forks

HAProxy looking for secret for default namespace #313

Closed brianrudolf-ep closed 3 years ago

brianrudolf-ep commented 3 years ago

I have HAProxy Kubernetes Ingress installed and am regularly seeing this warning message crop up.

| kubernetes-ingress | 2021/05/05 13:30:20 WARNING haproxy/certificates.go:63 secret 'default/' does not exist

I don't set a --namespace-whitelist, which is my closest guess to something that may be related. I use a wildcard certificate for all my ingresses which is created by Cert-Manager and set in the HAProxy Helm chart values by:

  defaultTLSSecret:
    enabled: true
    secretNamespace: "${cert_namespace}"
    secret: "${cert_secret}"

Software Version
HAProxy Helm Chart 1.14.2
HAProxy Ingress 1.6
AWS EKS 1.18

Ingress definition: HAProxy-ingress.txt

Note: I am transitioning from the community ingress controller to the haproxytech version, hence the seemingly duplicate annotations.

ivanmatmati commented 3 years ago

Hi brianrudolf-ep,

The reason why you get this warning is quite simple. The TLS section in your Ingress definition doesn't contain a secret (namespace/name). By default, we try to find a secret with the provided values and use ingress namespace as default value if necessary. The issued warning indicates that search of secret with default value in namespace and empty name did not succeed. You can ignore this warning. Can you explain exactly what you tried to do with the TLS section and default secret to be sure all is working as you expected?

brianrudolf-ep commented 3 years ago

Thank you @ivanmatmati for the reply. I have a wildcard cert set up separately for *.example.com, and only specify the hosts under the TLS section because I've set the default certificate for the ingress controller. It was my understanding because the host on the controller's default certificate matches the host(s) on my Ingress definition that should be the only requirement.

I can specify the secret location (namespace/name) on the Ingress definitions, but that seems almost redundant if the controller has a valid default certificate. Unless I'm missing something.

ivanmatmati commented 3 years ago

Hi, Your configuration would work perfectly then. But you could also simplify it by discarding the TLS section from Ingress definition. You would obtain the same behavior.

brianrudolf-ep commented 3 years ago

I'll try out that change! It would be nice to silence the warning message. Thank you for the clarity.

thriqon commented 1 year ago

> Hi, Your configuration would work perfectly then. But you could also simplify it by discarding the TLS section from Ingress definition. You would obtain the same behavior.

Forgive me if I'm wrong, but isn't there a subtle difference when asking via HTTP? AFAICS, https://github.com/haproxytech/kubernetes-ingress/blob/master/pkg/annotations/ingress/httpsRedirect.go#L42 will only synthesize HTTPS redirects when a TLS stanza is present OR the annotation is provided.

In my opinion, having an empty secret name is a perfectly valid way to express mandatory TLS without specifying the secret. I'd be in favor of removing the warning from the logs if the name is empty (as such a secret can never exist in Kubernetes).
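An added example, not part of the thread or the project's code: a small audit over the JSON from `kubectl get ingress -A -o json` that rebuilds the `namespace/name` lookup key described above, lists the empty-name keys behind the warning, and marks Ingresses whose HTTP-to-HTTPS redirect would depend on keeping the TLS stanza. The annotation key `haproxy.org/ssl-redirect` is an assumption (the thread only says "the annotation"), and the sample input is constructed.

```python
import json

# Assumed annotation key; the thread only says "the annotation".
REDIRECT_ANNOTATION = "haproxy.org/ssl-redirect"

# Constructed sample: the first item mirrors the reporter's setup
# (hosts listed under tls, no secretName).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "web", "namespace": "default", "annotations": {}},
   "spec": {"tls": [{"hosts": ["app.example.com"]}]}},
  {"metadata": {"name": "api", "namespace": "prod",
                "annotations": {"haproxy.org/ssl-redirect": "true"}},
   "spec": {"tls": [{"hosts": ["api.example.com"], "secretName": "certs/wildcard"}]}},
  {"metadata": {"name": "plain", "namespace": "default"}, "spec": {}}
]}
""")

def secret_key(ingress_ns, secret_name):
    """Lookup key as described in the thread: namespace/name, with the
    Ingress namespace used when the TLS entry does not give one."""
    ns, sep, name = (secret_name or "").rpartition("/")
    return f"{ns if sep else ingress_ns}/{name}"

def audit(ingress_list):
    findings = []
    for ing in ingress_list.get("items", []):
        meta = ing.get("metadata", {})
        ns = meta.get("namespace", "default")
        annotations = meta.get("annotations") or {}
        tls = ing.get("spec", {}).get("tls") or []
        keys = [secret_key(ns, entry.get("secretName")) for entry in tls]
        findings.append({
            "ingress": f"{ns}/{meta.get('name')}",
            # Keys ending in "/" have an empty name: these produce the warning.
            "empty_secret_keys": [k for k in keys if k.endswith("/")],
            # Per the last comment: with no annotation set, the tls stanza is
            # the only thing that triggers the HTTP-to-HTTPS redirect.
            "redirect_depends_on_tls": bool(tls) and REDIRECT_ANNOTATION not in annotations,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An Ingress reported with `redirect_depends_on_tls` set to true should get the redirect annotation before its TLS stanza is removed to silence the warning.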