
There was a namespace "sandbox" on the node which was deleted, but there is still a challenge for a certificate "echo-tls".
But I cannot access the sandbox namespace anymore to delete this cert.
Could anyone help me delete this resource?

Here are the cert-manager logs:

Found status change for Certificate "echo-tls" condition "Ready": "True" -> "False"; setting lastTransitionTime to...

cert-manager/controller/CertificateReadiness "msg"="re-queuing item due to error processing" "error"="Operation cannot be fulfilled on certificates.cert-manager.io "echo-tls": StorageError: invalid object, Code: 4, Key: /cert-manager.io/certificates/sandbox/echo-tls, ResourceVersion: 0, AdditionalErrorMsg: Precondition failed: UID in precondition: ..., UID in object meta: " "key"="sandbox/echo-tls"

After restarting the cert-manager pod, here are the logs:

cert-manager/controller/certificaterequests/handleOwnedResource "msg"="error getting referenced owning resource" "error"="certificaterequest.cert-manager.io "echo-tls-bkmm8" not found" "related_resource_kind"="CertificateRequest" "related_resource_name"="echo-tls-bkmm8" "related_resource_namespace"="sandbox" "resource_kind"="Order" "resource_name"="echo-tls-bkmm8-1177139468" "resource_namespace"="sandbox" "resource_version"="v1"

cert-manager/controller/orders "msg"="re-queuing item due to error processing" "error"="ACME client for issuer not initialised/available" "key"="sandbox/echo-tls-dwpt4-1177139468"

And then the same logs as before.

The issuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: ***
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress: {}

The configs for deployment:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: <APP_NAME>
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: nginx-<ENV>
    acme.cert-manager.io/http01-ingress-class: nginx-<ENV>
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - ***.fr
    secretName: <APP_NAME>-tls
  rules:
  - host: ***.fr
    http:
      paths:
      - backend:
          serviceName: <APP_NAME>
          servicePort: 80

.k8s_config: &k8s_config
  before_script:
    - export HOME=/tmp
    - export K8S_NAMESPACE="${APP_NAME}"
    - kubectl config set-cluster k8s --server="${K8S_SERVER}"
    - kubectl config set clusters.k8s.certificate-authority-data ${K8S_CA_DATA}
    - kubectl config set-credentials default --token="${K8S_USER_TOKEN}"
    - kubectl config set-context default --cluster=k8s --user=default --namespace=default
    - kubectl config set-context ${K8S_NAMESPACE} --cluster=k8s --user=default --namespace=${K8S_NAMESPACE}
    - kubectl config use-context default
    - if [ -z `kubectl get namespace ${K8S_NAMESPACE} --no-headers --output=go-template={{.metadata.name}} 2>/dev/null` ]; then kubectl create namespace ${K8S_NAMESPACE}; fi
    - if [ -z `kubectl --namespace=${K8S_NAMESPACE} get secret *** --no-headers --output=go-template={{.metadata.name}} 2>/dev/null` ]; then kubectl get secret *** --output yaml | sed "s/namespace: default/namespace: ${K8S_NAMESPACE}/" | kubectl create -f - ; fi
    - kubectl config use-context ${K8S_NAMESPACE}
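As an added example (not code from the question or from cert-manager), the script below parses controller log lines like the ones quoted above and turns them into the list of objects the controller is still re-queuing, plus the kubectl commands to inspect and then delete them. It assumes the klog-style "key"="value" layout seen in the logs (with inner quotes escaped as \"), a mapping from the controller path to the kind of the object behind "key"="namespace/name", and the cert-manager API groups for those kinds; the sample lines are constructed copies of the ones in the question, and the kubectl commands are printed, not executed.

```python
import re

# Constructed sample modelled on the log lines in the question (klog-style
# key/value pairs; inner quotes are escaped as \" the way the controller emits them).
SAMPLE_LOGS = [
    'cert-manager/controller/CertificateReadiness "msg"="re-queuing item due to error processing" '
    '"error"="Operation cannot be fulfilled on certificates.cert-manager.io \\"echo-tls\\": '
    'StorageError: invalid object, Code: 4, Key: /cert-manager.io/certificates/sandbox/echo-tls, '
    'ResourceVersion: 0, AdditionalErrorMsg: Precondition failed" "key"="sandbox/echo-tls"',
    'cert-manager/controller/certificaterequests/handleOwnedResource '
    '"msg"="error getting referenced owning resource" '
    '"error"="certificaterequest.cert-manager.io \\"echo-tls-bkmm8\\" not found" '
    '"related_resource_kind"="CertificateRequest" "related_resource_name"="echo-tls-bkmm8" '
    '"related_resource_namespace"="sandbox" "resource_kind"="Order" '
    '"resource_name"="echo-tls-bkmm8-1177139468" "resource_namespace"="sandbox" "resource_version"="v1"',
    'cert-manager/controller/orders "msg"="re-queuing item due to error processing" '
    '"error"="ACME client for issuer not initialised/available" "key"="sandbox/echo-tls-dwpt4-1177139468"',
]

# One "key"="value" pair; the value may contain backslash-escaped quotes.
PAIR_RE = re.compile(r'"(\w+)"="((?:[^"\\]|\\.)*)"')

# Assumed mapping: controller path segment -> kind of the object behind "key"="ns/name".
CONTROLLER_KIND = {
    "CertificateReadiness": "Certificate",
    "certificaterequests": "CertificateRequest",
    "orders": "Order",
    "challenges": "Challenge",
}

# Kind -> fully qualified resource name for kubectl (cert-manager API groups).
RESOURCE = {
    "Certificate": "certificate.cert-manager.io",
    "CertificateRequest": "certificaterequest.cert-manager.io",
    "Order": "order.acme.cert-manager.io",
    "Challenge": "challenge.acme.cert-manager.io",
}


def parse_line(line):
    """Split one log line into (controller path, {key: value}) with escapes removed."""
    head = line.split(" ", 1)[0]
    fields = {k: v.replace('\\"', '"') for k, v in PAIR_RE.findall(line)}
    return head, fields


def requeued_objects(lines):
    """Sorted unique (namespace, kind, name) that the controller keeps processing."""
    found = set()
    for line in lines:
        head, f = parse_line(line)
        parts = head.split("/")  # e.g. cert-manager/controller/orders[/handler]
        controller = parts[2] if len(parts) > 2 else ""
        if "/" in f.get("key", "") and controller in CONTROLLER_KIND:
            ns, name = f["key"].split("/", 1)
            found.add((ns, CONTROLLER_KIND[controller], name))
        if all(k in f for k in ("resource_kind", "resource_name", "resource_namespace")):
            found.add((f["resource_namespace"], f["resource_kind"], f["resource_name"]))
    return sorted(found)


def missing_owners(lines):
    """Owners the controller reports as 'not found': already gone, nothing to delete."""
    gone = set()
    for line in lines:
        _, f = parse_line(line)
        if "not found" in f.get("error", "") and "related_resource_kind" in f:
            gone.add((f["related_resource_namespace"], f["related_resource_kind"],
                      f["related_resource_name"]))
    return sorted(gone)


def cleanup_commands(lines):
    """kubectl commands to look at the namespace first, then delete the stale objects."""
    objs = requeued_objects(lines)
    cmds = []
    for ns in sorted({o[0] for o in objs}):
        cmds.append(f"kubectl get namespace {ns}")
        cmds.append(f"kubectl -n {ns} get certificate,certificaterequest,order,challenge")
    for ns, kind, name in objs:
        cmds.append(f"kubectl -n {ns} delete {RESOURCE[kind]} {name} --ignore-not-found")
    return cmds


if __name__ == "__main__":
    print("still re-queued:", requeued_objects(SAMPLE_LOGS))
    print("already gone:   ", missing_owners(SAMPLE_LOGS))
    print("\n".join(cleanup_commands(SAMPLE_LOGS)))
```

Paste the real controller output in place of SAMPLE_LOGS and run the printed commands by hand. If a delete hangs because the namespace is stuck in Terminating, the object is usually held by a finalizer; clearing it with a standard kubectl patch (`kubectl -n <ns> patch <resource> <name> --type=merge -p '{"metadata":{"finalizers":[]}}'`) lets the delete complete. Removing the stale Orders also stops the controller from retrying ACME work for a certificate nobody uses any more.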

2 Answers


  1. Chosen as BEST ANSWER

    Finally, this Sunday cert-manager stopped the challenges on the old TLS without any other action.


    1. Usually certificates are stored inside Kubernetes secrets: https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets. You can retrieve secrets using kubectl get secrets --all-namespaces. You can also check which secrets are used by a given pod by checking its YAML description: kubectl get pods -n <pod-namespace> -o yaml (additional information: https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod)
    2. A namespace is cluster-wide; it is not located on any node. So deleting a node does not delete any namespace.
    3. If the above tracks do not fit your need, could you please provide some YAML files and some command-line instructions which would allow reproducing the problem?