nabsul/kcert

KCert Renewal of secret failed, when hosts in ingress decreased

Closed this issue · 4 comments

Thank you for this repository.
I have been using kcert. It works well for creating certificates.

When I changed the hosts of an ingress (removed a host entry from the already existing ones), I then periodically got the email "KCert Renewal of secret failed" at renewal time.
When I delete the ingress and the secret of the ingress and deploy the ingress again, it seems to work again and I do not get the failure email.

Do I need to delete the secret of the ingress when I have changed (deleted) some host entries from the ingress, so that the entries match?

Maybe I am doing the wrong thing, or I am using an older version (v1.0.0).

Interesting! That sounds like a flaw in my design. I think KCert scans all ingresses and existing secrets to decide on which hosts to request for the cert. It should probably only look at ingresses (and config maps). It should be an easy fix. It might take a couple of weeks for me to find time to do this though.

In the meantime, you should be able to work around this easily: either delete and recreate as you mentioned, or the safer way: define a new secret with your new host list, and then delete the old unused secret.

This should be fixed now.

Thank you for the update.
Recently I tested reducing the entries using a newer version of KCert. It seems to be working, at least in my test ingress.

Yep, this was fixed a couple months ago!