If you've ever tried to deploy a GKE load balancer automatically from a Kubernetes Ingress object (v1.16+) with TLS configured and cert-manager requesting the certificates for you, you may have hit an issue where the load balancer is never created and the Ingress is left in an error state.

What does the problem look like?

If you click on your Ingress in the Google Cloud Console you'll see an error box above the Ingress details saying something along the lines of:

    Error syncing to GCP: error running load balancer syncing routine: error getting secrets for Ingress: secret "tls-cert-123xx" does not specify cert as string data

This happens because, when the GCE Ingress controller builds the load balancer from the Ingress spec, it reads the Secret named in spec.tls and expects a kubernetes.io/tls Secret with both tls.crt and tls.key populated. The Secret cert-manager is working on exists, but until the ACME flow completes it contains no certificate, so tls.crt is empty and every sync attempt fails with the error above.

If you have cert-manager installed, as my client did, you might expect it to place a temporary self-signed certificate in the Secret until it receives the validation response from the Let's Encrypt ACME API. By default it doesn't, which leaves you with a chicken-and-egg problem: the load balancer is not created until the Secret holds a certificate, and the HTTP-01 challenge that produces the certificate cannot be answered until the load balancer is serving traffic.

When does this issue happen?

This issue is most likely to bite when the cluster, cert-manager and the Ingress are all created together by an automated deployment system such as Ansible. If you create the Ingress first and install cert-manager afterwards, you won't run into it.

How do I fix this if my Ingress is already annotated and cert-manager is already installed?

Use the cert-manager.io/issue-temporary-certificate: "true" annotation (see the cert-manager documentation). Note that this annotation belongs on the Certificate resource, not on the Ingress. If the Certificate is generated from the Ingress by cert-manager's ingress-shim, annotate the Ingress with acme.cert-manager.io/http01-edit-in-place: "true" instead; ingress-shim then adds issue-temporary-certificate to the Certificate it creates (and, as a bonus on GCE, adds the HTTP-01 challenge path to your existing Ingress rather than creating a second Ingress, which would mean a second load balancer). Either way cert-manager immediately writes a temporary self-signed certificate into the Secret, the GCE controller can build the load balancer, and once the ACME challenge succeeds the temporary certificate is replaced by the real one.
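The following is an added worked example, not code from the original post or from the cert-manager project. It shows the symptom from the first section and the fix from this one in one script: tls_crt_state classifies the tls.crt value of a TLS Secret the way the GCE controller sees it (an empty value is exactly what triggers the "does not specify cert as string data" error), and fixed_ingress_manifest renders an Ingress carrying the edit-in-place annotation. The names web, web-tls, letsencrypt-prod and the host app.example.com are placeholders, the sample base64 values are constructed, the manifest uses networking.k8s.io/v1 (Kubernetes 1.19+; older clusters use v1beta1), and the check_tls_secret function assumes kubectl access to a cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from cert-manager).
#   1. tls_crt_state: classifies the tls.crt field of a kubernetes.io/tls
#      Secret. An empty value is what produces the GCE Ingress sync error
#      "does not specify cert as string data".
#   2. fixed_ingress_manifest: an Ingress with the annotation that makes
#      ingress-shim request a temporary self-signed certificate, so the
#      Secret is usable by the load balancer controller from the start.
# Placeholders: web, web-tls, letsencrypt-prod, app.example.com.
set -u

# tls_crt_state BASE64_VALUE
#   BASE64_VALUE is what `kubectl get secret NAME -o jsonpath='{.data.tls\.crt}'`
#   prints. Outputs one of: missing | not-pem | ok ; returns 0 only for ok.
tls_crt_state() {
  local b64="${1:-}" pem
  if [ -z "$b64" ]; then
    echo "missing"   # Secret exists but tls.crt is absent or empty: LB sync fails
    return 1
  fi
  pem="$(printf '%s' "$b64" | base64 -d 2>/dev/null)" || pem=""
  case "$pem" in
    "-----BEGIN CERTIFICATE-----"*) echo "ok"; return 0 ;;
    *) echo "not-pem"; return 2 ;;   # decodes, but is not a PEM certificate
  esac
}

# check_tls_secret NAMESPACE SECRET  (live check; needs kubectl and cluster access)
check_tls_secret() {
  local ns="$1" name="$2" crt key
  crt="$(kubectl -n "$ns" get secret "$name" -o jsonpath='{.data.tls\.crt}')"
  key="$(kubectl -n "$ns" get secret "$name" -o jsonpath='{.data.tls\.key}')"
  [ -n "$key" ] || echo "tls.key is empty too: cert-manager has not written a private key yet"
  tls_crt_state "$crt"
}

# fixed_ingress_manifest NAME HOST SECRET CLUSTER_ISSUER -> Ingress YAML on stdout
fixed_ingress_manifest() {
  local name="$1" host="$2" secret="$3" issuer="$4"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ${name}
  annotations:
    kubernetes.io/ingress.class: gce
    cert-manager.io/cluster-issuer: ${issuer}
    # ingress-shim copies this onto the Certificate it creates as
    # cert-manager.io/issue-temporary-certificate: "true", so the Secret gets
    # a self-signed tls.crt at once and the GCE load balancer can be built
    # while the ACME HTTP-01 challenge is still pending. It also makes
    # cert-manager add the challenge path to this Ingress instead of
    # creating a second Ingress (and therefore a second GCE load balancer).
    acme.cert-manager.io/http01-edit-in-place: "true"
spec:
  tls:
    - hosts:
        - ${host}
      secretName: ${secret}
  rules:
    - host: ${host}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ${name}
                port:
                  number: 80
EOF
}

# Constructed sample values (not taken from a real cluster).
SAMPLE_EMPTY_CRT=""
SAMPLE_PEM_CRT="$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' '-----END CERTIFICATE-----' | base64 | tr -d '\n')"

printf 'empty tls.crt -> %s\n' "$(tls_crt_state "$SAMPLE_EMPTY_CRT")"   # missing
printf 'PEM tls.crt   -> %s\n' "$(tls_crt_state "$SAMPLE_PEM_CRT")"     # ok
# Apply the fix:  fixed_ingress_manifest web app.example.com web-tls letsencrypt-prod | kubectl apply -f -
```

After applying, `check_tls_secret default web-tls` should move from missing to ok within seconds (the temporary certificate) and stay ok after the ACME challenge completes; `kubectl describe certificate web-tls` shows the issuance progress if it does not.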


Running into issues?

Reach out to us by using our Contact Form on devdemand.co, leave a comment below, or find us in most of the Open Source Infrastructure Slack Groups like CNCF and Kubernetes!