k8sgpt-ai / k8sgpt

Giving Kubernetes Superpowers to everyone
http://k8sgpt.ai
Apache License 2.0

[Bug]: "Ingress uses the secret radio/ as a TLS certificate which does not exist." #1075

Open rwlove opened 2 months ago

rwlove commented 2 months ago

Checklist

Affected Components

K8sGPT Version

0.1.3

Kubernetes Version

v1.29.2

Host OS and its Version

CentOS / upstream K8S

Steps to reproduce

K8sGPT Operator, LocalAI backend.

---
apiVersion: core.k8sgpt.ai/v1alpha1
kind: K8sGPT
metadata:
  name: k8sgpt-local-ai
  namespace: ai
spec:
  ai:
    backend: localai
    baseUrl: http://localai-local-ai.ai.svc.cluster.local:80/v1
    model: ggml-gpt4all-j
    secret:
      name: localai-api-key-secret
      key: localai-api-key
  noCache: false
  version: v0.3.29
➜  home-ops git:(main) ✗ kubectl -n ai get results -o json | jq . | grep "uses the secret"
            "text": "Ingress uses the secret ai/ as a TLS certificate which does not exist."
            "text": "Ingress uses the secret ai/ as a TLS certificate which does not exist."
            "text": "Ingress uses the secret ai/ as a TLS certificate which does not exist."
            "text": "Ingress uses the secret auth/ as a TLS certificate which does not exist."
            "text": "Ingress uses the secret auth/ as a TLS certificate which does not exist."
            "text": "Ingress uses the secret collab/ as a TLS certificate which does not exist."

Expected behaviour

No reported issues with Ingresses.

Actual behaviour

Failures with most, if not all, ingresses.

K8sGPT tells me that many of my ingresses are using an invalid TLS. Everything is working and I can access my services through the ingress without any problems, but I'm trying to clean up these errors - everything looks fine to me.

      main:
        className: internal
        hosts:
          - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
            paths:
              - path: /
                service:
                  identifier: main
                  port: *httpPort
        tls:
          - hosts:
              - *host

In my ingress-nginx definition.

      extraArgs:
        default-ssl-certificate: |-
          network/${SECRET_DOMAIN/./-}-tls

and

➜  home-ops git:(main) ✗ kubectl -n radio describe ingress snapserver
Name:             snapserver
Namespace:        radio
Address:          10.45.0.1
Ingress Class:    internal
Default backend:  <default>
TLS:
  SNI routes snapserver.foo.com
Rules:
  Host                           Path  Backends
  ----                           ----  --------
  snapserver.foo.com  
                                 /   snapserver:80 (10.42.6.65:1780)
Annotations:                     hajimari.io/appName: Speaker Selection
                                 hajimari.io/enable: true
                                 hajimari.io/group: Radio
                                 hajimari.io/icon: mdi:radio
                                 hajimari.io/instance: user,admin
                                 meta.helm.sh/release-name: snapserver
                                 meta.helm.sh/release-namespace: radio
Events:                          <none>

kubectl -n radio edit ingress snapserver

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    hajimari.io/appName: Speaker Selection
    hajimari.io/enable: "true"
    hajimari.io/group: Radio
    hajimari.io/icon: mdi:radio
    hajimari.io/instance: user,admin
    meta.helm.sh/release-name: snapserver
    meta.helm.sh/release-namespace: radio
  creationTimestamp: "2024-03-31T15:32:40Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: snapserver
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: snapserver
    helm.sh/chart: app-template-3.1.0
    helm.toolkit.fluxcd.io/name: snapserver
    helm.toolkit.fluxcd.io/namespace: radio
  name: snapserver
  namespace: radio
  resourceVersion: "28636434"
  uid: be8ee7d2-0f44-4542-864b-fc773e09ca7c
spec:
  ingressClassName: internal
  rules:
  - host: snapserver.foo.com
    http:
      paths:
      - backend:
          service:
            name: snapserver
            port:
              number: 80
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - snapserver.foo.com
status:
  loadBalancer:
    ingress:
    - ip: 10.45.0.1

Additional Information

As far as I can tell there is no spec.tls.secretName for my ingresses, so the failure is a false positive.

rwlove commented 2 months ago

This code assumes there is a tls.SecretName; my individual ingresses don't have a SecretName because they use the default TLS secret provided by ingress-nginx. I think there should be a NULL pointer check and break statement here, but I'm not proficient in Go.

for _, tls := range ing.Spec.TLS {
	_, err := a.Client.GetClient().CoreV1().Secrets(ing.Namespace).Get(a.Context, tls.SecretName, metav1.GetOptions{})
	if err != nil {
		doc := apiDoc.GetApiDocV2("spec.tls.secretName")

		failures = append(failures, common.Failure{
			Text: fmt.Sprintf("Ingress uses the secret %s/%s as a TLS certificate which does not exist.", ing.Namespace, tls.SecretName),
			// remaining fields of the failure literal are not shown in this comment
		})
	}
}
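The check the comment asks for, written out as an added example (not k8sgpt's own analyzer code): an Ingress TLS entry with an empty secretName is valid and means "use the ingress controller's default certificate", so there is no Secret to look up and the loop should skip the entry instead of querying for "radio/". The types here (IngressTLS, Ingress, Failure, SecretLister, fakeSecrets) are simplified stand-ins for the Kubernetes API objects and clientset, assumed for this example so it runs offline; the sample Ingress objects are constructed to mirror the reporter's setup.

```go
package main

import "fmt"

// IngressTLS carries the two networking.k8s.io/v1 IngressTLS fields the check
// needs. Stand-in type for this example, not the real API struct.
type IngressTLS struct {
	Hosts      []string
	SecretName string
}

// Ingress is a minimal stand-in for the Ingress object.
type Ingress struct {
	Name      string
	Namespace string
	TLS       []IngressTLS
}

// SecretLister abstracts the "does this Secret exist?" lookup that the real
// analyzer performs through a clientset.
type SecretLister interface {
	SecretExists(namespace, name string) (bool, error)
}

// fakeSecrets is an in-memory store keyed by "namespace/name", constructed
// here to stand in for the API server.
type fakeSecrets map[string]bool

func (f fakeSecrets) SecretExists(namespace, name string) (bool, error) {
	return f[namespace+"/"+name], nil
}

// Failure mirrors the shape of the analyzer's reported finding.
type Failure struct {
	Text string
}

// checkIngressTLS returns one Failure per TLS entry whose named Secret is
// missing. Entries with an empty secretName are skipped: the API allows that
// and it selects the controller's default certificate, so a lookup for
// "<namespace>/" would only ever produce a false positive.
func checkIngressTLS(ing Ingress, secrets SecretLister) ([]Failure, error) {
	var failures []Failure
	for _, tls := range ing.TLS {
		if tls.SecretName == "" {
			continue // default-certificate case, nothing to verify here
		}
		exists, err := secrets.SecretExists(ing.Namespace, tls.SecretName)
		if err != nil {
			return nil, fmt.Errorf("looking up secret %s/%s: %w", ing.Namespace, tls.SecretName, err)
		}
		if !exists {
			failures = append(failures, Failure{
				Text: fmt.Sprintf("Ingress uses the secret %s/%s as a TLS certificate which does not exist.", ing.Namespace, tls.SecretName),
			})
		}
	}
	return failures, nil
}

func main() {
	// Constructed cluster state: only one named TLS secret exists.
	store := fakeSecrets{"radio/snapserver-tls": true}
	ingresses := []Ingress{
		// The reporter's case: TLS hosts listed, no secretName.
		{Name: "snapserver", Namespace: "radio", TLS: []IngressTLS{{Hosts: []string{"snapserver.foo.com"}}}},
		// A named secret that exists.
		{Name: "snapserver-named", Namespace: "radio", TLS: []IngressTLS{{Hosts: []string{"snapserver.foo.com"}, SecretName: "snapserver-tls"}}},
		// A named secret that is genuinely missing: this one should be reported.
		{Name: "broken", Namespace: "radio", TLS: []IngressTLS{{SecretName: "missing-tls"}}},
	}
	for _, ing := range ingresses {
		failures, err := checkIngressTLS(ing, store)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s/%s: %d failure(s)\n", ing.Namespace, ing.Name, len(failures))
		for _, f := range failures {
			fmt.Println("  ", f.Text)
		}
	}
}
```

Running it reports zero failures for the first two ingresses and exactly one for "broken"; the real fix in the analyzer is the same one-line guard on tls.SecretName before the Secrets().Get call.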