Giter Site home page Giter Site logo

shared cert seemingly removed about router HOT 1 CLOSED

deis avatar deis commented on August 22, 2024
shared cert seemingly removed

from router.

Comments (1)

krancour avatar krancour commented on August 22, 2024

@vdice nice catch. I've put this to the test and have been able to reproduce... however, I believe this is actually a controller bug.

two domains are added to an app, domainA and domainB
a previously added cert is attached to both domains

Manually putting this to the test, at this stage, the service for such an application contains the following relevant annotations:

metadata:
  annotations:
    router.deis.io/certificates: domain-a.foo.com:foo-wildcard,domain-b.foo.com:foo-wildcard
    router.deis.io/domains: timely-odometer,domain-a.foo.com,domain-b.foo.com

And the certificate in question is visible in the app's namespace:

$ kubectl get secrets --namespace=timely-odometer
NAME                  TYPE                                  DATA      AGE
default-token-ja4wo   kubernetes.io/service-account-token   2         53m
foo-wildcard-cert     Opaque                                2         21s
minio-user            Opaque

the cert is detached from only domainA

After detachment of the foo-wildcard certificate from domain-b.foo.com, the annotations on the service appear correct:

metadata:
  annotations:
    router.deis.io/certificates: domain-b.foo.com:foo-wildcard
    router.deis.io/domains: timely-odometer,domain-a.foo.com,domain-b.foo.com

The problem, however, is that the secret that contains the cert has disappeared:

$ kubectl get secrets --namespace=timely-odometer
NAME                  TYPE                                  DATA      AGE
default-token-ja4wo   kubernetes.io/service-account-token   2         58m
minio-user            Opaque                                2         58m

I would theorize that in the controller, the detachment is removing the secret from the namespace without regard for whether the cert contained within might also be attached to other domains of the same app (therefore in the same namespace).

I will open a separate issue against the controller and reference this one. This issue has also brought to light that the router isn't logging any sort of warning when a secret containing a cert that is expected to exist is not found. I will close this and open a separate issue for that.

from router.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.