[I] bug: gateway (gateway.networking.k8s.io/v1beta1) does not create the TLS entry [apisix-ingress-controller]

Tue, 12 Dec 2023 01:56:15 -0800 


gigi206 opened a new issue, #2098:
URL: https://github.com/apache/apisix-ingress-controller/issues/2098

   ### Current Behavior
   
   ```yaml
   apiVersion: gateway.networking.k8s.io/v1beta1
   kind: Gateway
   metadata:
     name: httpbin-gateway
     namespace: demo
     annotations:
       cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
   spec:
     gatewayClassName: apisix
     listeners:
     - name: http
       protocol: HTTP
       port: 80
       allowedRoutes:
         namespaces:
           from: Same
     - protocol: HTTPS
       name: https
       port: 443
       hostname: httpbin.gigix
       tls:
         mode: Terminate
         certificateRefs:
           - name: httpbin-tls
             kind: Secret
             group: core
       allowedRoutes:
         namespaces:
           from: Same
   ---
   apiVersion: gateway.networking.k8s.io/v1beta1
   kind: HTTPRoute
   metadata:
     name: httpbin-route
     namespace: demo
   spec:
     hostnames:
     - httpbin.gigix
     parentRefs:
     - name: httpbin-gateway
       namespace: demo
     rules:
     - matches:
       - path:
           type: PathPrefix
           value: /
       backendRefs:
       - name: httpbin
         port: 8000
   ```
   
   ```shell
   kubectl get certificate -n demo httpbin-tls 
   NAME          READY   SECRET        AGE
   httpbin-tls   True    httpbin-tls   130m
   ```
   
   ```shell
   kubectl get secrets -n demo httpbin-tls 
   NAME          TYPE                DATA   AGE
   httpbin-tls   kubernetes.io/tls   3      24h
   ```
   
   Curl failed because no **httpbin.gigix** doesn't exist in SSL List in the 
admin page:
   ```shell
   $ curl -Ik https://httpbin.gigix
   curl: (35) OpenSSL/3.0.8: error:0A000438:SSL routines::tlsv1 alert internal 
error
   ```
   
   For it works I need to create the associated `ApisixTls`:
   ```yaml
   apiVersion: apisix.apache.org/v2
   kind: ApisixTls
   metadata:
     name: httpbin-tls
     namespace: demo
   spec:
     hosts:
     - httpbin.gigix
     secret:
       name: httpbin-cert-tls
       namespace: demo
   ```
   
   ```shell
   $ curl -Ik https://httpbin.gigix 
   HTTP/2 200 
   content-type: text/html; charset=utf-8
   content-length: 9593
   date: Sun, 05 Nov 2023 22:51:02 GMT
   access-control-allow-origin: *
   access-control-allow-credentials: true
   server: APISIX/3.6.0
   ```
   
   Why the Gateway does not create the associated SSL entry ? Note that the 
kubernetes `Ingress` does
   
   ### Expected Behavior
   
   **httpbin.gigix** must appears in the admin page SSL List
   
   ### Error Logs
   
   _No response_
   
   ### Steps to Reproduce
   
   Install cert-manager and install:
   ```yaml
   apiVersion: v1
   kind: Namespace
   metadata:
     labels:
       kubernetes.io/metadata.name: demo
     name: demo
   spec:
     finalizers:
     - kubernetes
   ---
   apiVersion: v1
   kind: Service
   metadata:
     name: httpbin
     namespace: demo
     labels:
       app: httpbin
       service: httpbin
   spec:
     ports:
     - name: http
       port: 8000
       targetPort: 80
     selector:
       app: httpbin
   ---
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: httpbin
     namespace: demo
   spec:
     replicas: 1
     selector:
       matchLabels:
         app: httpbin
         version: v1
     template:
       metadata:
         labels:
           app: httpbin
           version: v1
       spec:
         containers:
         - image: docker.io/kong/httpbin
           imagePullPolicy: IfNotPresent
           name: httpbin
           ports:
           - containerPort: 80
   ---
   apiVersion: gateway.networking.k8s.io/v1beta1
   kind: Gateway
   metadata:
     name: httpbin-gateway
     namespace: demo
     annotations:
       cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
   spec:
     gatewayClassName: apisix
     listeners:
     - name: http
       protocol: HTTP
       port: 80
       allowedRoutes:
         namespaces:
           from: Same
     - protocol: HTTPS
       name: https
       port: 443
       hostname: httpbin.gigix
       tls:
         mode: Terminate
         certificateRefs:
           - name: httpbin-tls
             kind: Secret
             group: core
       allowedRoutes:
         namespaces:
           from: Same
   ---
   apiVersion: gateway.networking.k8s.io/v1beta1
   kind: HTTPRoute
   metadata:
     name: httpbin-route
     namespace: demo
   spec:
     hostnames:
     - httpbin.gigix
     parentRefs:
     - name: httpbin-gateway
       namespace: demo
     rules:
     - matches:
       - path:
           type: PathPrefix
           value: /
       backendRefs:
       - name: httpbin
         port: 8000
   ```
   
   ### Environment
   
   ```shell
   $ kubectl version --short
   Flag --short has been deprecated, and will be removed in the future. The 
--short output will become the default.
   Client Version: v1.25.13+rke2r1
   Kustomize Version: v4.5.7
   Server Version: v1.25.13+rke2r1
   
   $ hostnamectl 
    Static hostname: k8s-m1
          Icon name: computer-vm
            Chassis: vm 🖴
         Machine ID: 6f17adb8b3e74f8485e479e2b323d04c
            Boot ID: 4d5e04a96a1246c5a4efc11deec207cc
     Virtualization: kvm
   Operating System: Debian GNU/Linux 12 (bookworm)   
             Kernel: Linux 6.1.0-13-amd64
       Architecture: x86-64
    Hardware Vendor: QEMU
     Hardware Model: Standard PC _i440FX + PIIX, 1996_
   Firmware Version: 1.16.0-debian-1.16.0-5
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to