Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL Expiry Metrics Not Updated Until Ingress Resource Is Updated #4001

Closed
Evesy opened this issue Apr 12, 2019 · 2 comments
Closed

SSL Expiry Metrics Not Updated Until Ingress Resource Is Updated #4001

Evesy opened this issue Apr 12, 2019 · 2 comments

Comments

@Evesy
Copy link

Evesy commented Apr 12, 2019

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):

ssl, expiry, metrics

Is this a BUG REPORT or FEATURE REQUEST? (choose one): Bug

NGINX Ingress controller version:
0.24.0

Kubernetes version (use kubectl version):
1.12.6-gke.7

Environment:

  • Cloud provider or hardware configuration: GKE
  • OS (e.g. from /etc/os-release): COS

What happened:

  • A previously decommissioned application was redeployed, including an Ingress resource.
  • The secret that held the certificate was never removed but was now expired
  • Nginx configured the Ingress, and set the ssl_expiry metric accordingly (Which triggered Prometheus alert as it was expired)
  • The certificate was renewed shortly after that (by cert-manager), and Nginx reloaded with the new cert
  • SSL expiry metric was not updated until ~12 hours later (Which looks to be due to an update on the corresponding Ingress resource, looking at Kubernetes events)

What you expected to happen:

  • When Nginx detects a change in the certificate & reloads, the ssl_expiry time metric should also be updated.

How to reproduce it (as minimally and precisely as possible):

  • Create a secret with an expired certificate
  • Create an Ingress using that secret
  • SSL Expiry metric should be created with the expire time being in the past
  • Update the secret to now be a non-expired certificate
  • Metric is not updated accordingly

Anything else we need to know:
@elcomtik
Copy link

We experienced similar issue:

our setup:
NGINX Ingress controller version: 0.24.1
K8s version: 1.12.7-gke.10
cloud provider GKE
OS: COS

What actually happened?

  • we have multiple certificates managed by cert-manager
  • we collect nginx_ingress_controller_ssl_expire_time_seconds metrics by prometheus
  • cert-manager reissued bunch of certificates at once
  • metric for one of them was not updated, it showed expiration time for old certificate
  • we checked if cert is reissued and load properly by nginx, the certificate provided to http client was the correct one
  • this metric was not updated for almost 6days, until we killed pod with nginx ingress
  • after pod was started, it started exporting correct metric for this certificate

I expect it should export metrics for certificate which is used

Unfortunately I did not reproduced issue.

I hope fixing issue mentioned above might fix this one.

@aledbf
Copy link
Member

aledbf commented Jun 14, 2019

Closing. Fixed in #4160

@aledbf aledbf closed this as completed Jun 14, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@aledbf @elcomtik @Evesy