cert-manager: http01.ingress.class doesn't work

Describe the bug: Ingress class is not assigned to ingress when it’s provisioned for a certificate request.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: <email>
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: issuer-account-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: traefik
          ingressTemplate:
            metadata:
              annotations:
                metallb.universe.tf/allow-shared-ip: "internet-facing"
                metallb.universe.tf/address-pool: internet


Expected behaviour: Assign correct ingress class to ingress.

Steps to reproduce the bug:

  1. Create the ClusterIssuer specified above.
  2. Create certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <name>
  namespace: default
spec:
  # Secret names are always required.
  secretName: <secretName>
  duration: 2160h
  renewBefore: 360h
  subject:
    organizations:
      - <Org>
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  # At least one of a DNS Name, URI, or IP address is required.
  dnsNames:
    - <dnsName>
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer

  3. Ingress is created, but without class.

Anything else we need to know?:

UPDATE 4-04-2023: I also tried the kubernetes.io/ingress.class annotation, but this one also doesn’t work. The annotation works, but it doesn’t update the className when you run kubectl get ingress. This was a misconception on my end.

Environment details:

  • Kubernetes version: 1.25.6
  • Cloud-provider/provisioner: Metallb/traefik
  • cert-manager version: 1.11.0
  • Install method: static manifests

/kind bug

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 2
  • Comments: 18 (6 by maintainers)

Most upvoted comments

What do you mean by “This did not work like documented”? When using the configuration

  - http01:
      ingress:
        class: traefik

then the documented behavior is that an Ingress resource is created with the annotation kubernetes.io/ingress.class: traefik. That’s how the field class works, it generates an Ingress resource with the annotation.

@maelvls I know it’s alpha but in the pre-release version ingressClassName still doesn’t seem to work and ingress resources are created without spec.ingressClassName. In your validation environment could you check whether having the default class name nginx is why it’s working?

Example:

  - http01:
      ingress:
        ingressClassName: some-class-name

I just released v1.12.0-alpha.1. In this release, you will be able to use ingressClassName. It is documented in https://release-next--cert-manager-website.netlify.app/docs/configuration/acme/http01/#ingressclassname.
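Added example, not part of the thread and not cert-manager's own code: a small check that tells the two mechanisms discussed above apart on Ingress objects, and shows why an annotation-only Ingress still lists no class in `kubectl get ingress`. The function names and the three sample Ingress objects are constructed for illustration.

```python
LEGACY_ANNOTATION = "kubernetes.io/ingress.class"

def class_report(ingress):
    """Describe how one Ingress object selects its controller."""
    meta = ingress.get("metadata") or {}
    annotation = (meta.get("annotations") or {}).get(LEGACY_ANNOTATION)
    spec_class = (ingress.get("spec") or {}).get("ingressClassName")
    if annotation and spec_class:
        mechanism = "both"
    elif spec_class:
        mechanism = "spec.ingressClassName"
    elif annotation:
        mechanism = "annotation"
    else:
        mechanism = "none"
    return {
        "name": meta.get("name", ""),
        "mechanism": mechanism,
        "annotation": annotation,
        "spec_class": spec_class,
        # As observed in the thread, the CLASS column follows the spec
        # field only, so an annotation-only Ingress shows <none>.
        "kubectl_class_column": spec_class or "<none>",
    }

def report_all(doc):
    """Accept one Ingress or a List, as parsed from `kubectl get ingress -o json`."""
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return [class_report(i) for i in items if i.get("kind") == "Ingress"]

# Constructed sample: what a solver Ingress looks like for each solver setting.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Ingress",  # solver configured with `class: traefik`
     "metadata": {"name": "solver-with-class",
                  "annotations": {LEGACY_ANNOTATION: "traefik"}},
     "spec": {}},
    {"kind": "Ingress",  # solver configured with `ingressClassName: some-class-name`
     "metadata": {"name": "solver-with-ingressclassname"},
     "spec": {"ingressClassName": "some-class-name"}},
    {"kind": "Ingress",  # neither set: only a default IngressClass would apply
     "metadata": {"name": "solver-without-class"}, "spec": {}},
]}

if __name__ == "__main__":
    for r in report_all(SAMPLE):
        print(f'{r["name"]}: {r["mechanism"]} (CLASS column: {r["kubectl_class_column"]})')
```

To check a live cluster, pass `report_all` the parsed JSON from `kubectl get ingress -A -o json` instead of `SAMPLE`.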