hpanneti

Reputation: 61

nginx ingress-controller error : admission webhook "validate.nginx.ingress.kubernetes.io" denied the request host and path already defined

Test1: I created an ingress with a cert-manager annotation. This one fails with the following error: "nginx ingress-controller error : admission webhook "validate.nginx.ingress.kubernetes.io" denied the request host and path already defined"

Test2: I created the same ingress but without the cert-manager annotation. This one succeeds.

Nginx release

$ kubectl exec ngingress-ingress-nginx-controller-7f4db9965c-ht8t9 -- /nginx-ingress-controller --version
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.1.0
  Build:         cacbee86b6ccc45bde8ffc184521bed3022e7dee
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.19.9
-------------------------------------------------------------------------------

Cert-manager release

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.0/cert-manager.yaml

Details of test1

# cat test-ingress-cert.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sso-production
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/issuer: letsencrypt-staging
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
  namespace: prod
spec:
  tls:
  - hosts:
    - sso.mydomain.com
    secretName: quickstart-example-tls
  rules:
  - host: sso.mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: sso
            port:
              number: 8080


# kubectl create -f test-ingress-cert.yaml
Error from server (BadRequest): error when creating "test-ingress-cert.yaml": 
admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: 
host "sso.mydomain.com" and path "/" is already defined in ingress prod/sso-echopen-tls

# kubectl get ingress --all-namespaces
NAMESPACE   NAME                  CLASS    HOSTS                                 ADDRESS           PORTS     AGE
prod        gateway-echopen-tls   <none>   gateway.mydomain.com   152.228.169.166   80, 443   7d
prod        hapi-echopen-tls      <none>   hapi.mydomain.com      152.228.169.166   80, 443   9d
prod        reader-echopen-tls    <none>   reader.mydomain.com    152.228.169.166   80, 443   7d

# kubectl get issuers.cert-manager.io  -n prod
NAME                  READY   AGE
letsencrypt-staging   True    87m


# kubectl get all -n cert-manager
NAME                                           READY   STATUS    RESTARTS   AGE
pod/cert-manager-77fd97f598-c54px              1/1     Running   0          138m
pod/cert-manager-cainjector-7974c84449-vx54h   1/1     Running   0          138m
pod/cert-manager-webhook-5f4b965fbd-nccw5      1/1     Running   0          138m

NAME                           TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)    AGE
service/cert-manager           ClusterIP   10.3.44.182   <none>        9402/TCP   138m
service/cert-manager-webhook   ClusterIP   10.3.21.35    <none>        443/TCP    138m

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cert-manager              1/1     1            1           138m
deployment.apps/cert-manager-cainjector   1/1     1            1           138m
deployment.apps/cert-manager-webhook      1/1     1            1           138m

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/cert-manager-77fd97f598              1         1         1       138m
replicaset.apps/cert-manager-cainjector-7974c84449   1         1         1       138m
replicaset.apps/cert-manager-webhook-5f4b965fbd      1         1         1       138m

# kubectl get all -n default
NAME                                                      READY   STATUS    RESTARTS   AGE
pod/ngingress-ingress-nginx-controller-7f4db9965c-ht8t9   1/1     Running   0          9d

NAME                                                   TYPE           CLUSTER-IP    EXTERNAL-IP       PORT(S)                      AGE
service/kubernetes                                     ClusterIP      10.3.0.1      <none>            443/TCP                      89d
service/ngingress-ingress-nginx-controller             LoadBalancer   10.3.34.184   152.228.169.166   80:30370/TCP,443:31584/TCP   23d
service/ngingress-ingress-nginx-controller-admission   ClusterIP      10.3.82.29    <none>            443/TCP                      23d

NAME                                                 READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/ngingress-ingress-nginx-controller   1/1     1            1           23d

NAME                                                            DESIRED   CURRENT   READY   AGE
replicaset.apps/ngingress-ingress-nginx-controller-764c5b9596   0         0         0       10d
replicaset.apps/ngingress-ingress-nginx-controller-78fdb596f9   0         0         0       9d
replicaset.apps/ngingress-ingress-nginx-controller-7f4db9965c   1         1         1       23d
replicaset.apps/ngingress-ingress-nginx-controller-88fb6466f    0         0         0       9d


# kubectl logs cert-manager-webhook-5f4b965fbd-nccw5 -n cert-manager
W1220 10:28:37.440085       1 client_config.go:615] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
W1220 10:28:37.443639       1 client_config.go:615] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I1220 10:28:37.443841       1 webhook.go:70] cert-manager/webhook "msg"="using dynamic certificate generating using CA stored in Secret resource"  "secret_name"="cert-manager-webhook-ca" "secret_namespace"="cert-manager"
I1220 10:28:37.444238       1 server.go:140] cert-manager/webhook "msg"="listening for insecure healthz connections"  "address"=":6080"
I1220 10:28:37.444330       1 server.go:171] cert-manager/webhook "msg"="listening for secure connections"  "address"=":10250"
I1220 10:28:37.444369       1 server.go:203] cert-manager/webhook "msg"="registered pprof handlers"
I1220 10:28:38.507011       1 dynamic_source.go:273] cert-manager/webhook "msg"="Updated serving TLS certificate"

# kubectl logs cert-manager-77fd97f598-c54px -n cert-manager
I1220 10:28:35.975050       1 start.go:75] cert-manager "msg"="starting controller"  "git-commit"="49914a057b39c887be0974c4657c095bd7724bc7" "version"="v1.6.0"
W1220 10:28:35.975206       1 client_config.go:615] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
I1220 10:28:35.977657       1 controller.go:268] cert-manager/controller/build-context "msg"="configured acme dns01 nameservers" "nameservers"=["10.3.0.10:53"]
I1220 10:28:35.978527       1 controller.go:85] cert-manager/controller "msg"="enabled controllers: [certificaterequests-approver certificaterequests-issuer-acme certificaterequests-issuer-ca certificaterequests-issuer-selfsigned certificaterequests-issuer-vault certificaterequests-issuer-venafi certificates-issuing certificates-key-manager certificates-metrics certificates-readiness certificates-request-manager certificates-revision-manager certificates-trigger challenges clusterissuers ingress-shim issuers orders]"
I1220 10:28:35.978792       1 controller.go:115] cert-manager/controller "msg"="starting leader election"
I1220 10:28:35.979117       1 controller.go:105] cert-manager/controller "msg"="starting metrics server"  "address"={"IP":"::","Port":9402,"Zone":""}
I1220 10:28:35.979810       1 leaderelection.go:248] attempting to acquire leader lease kube-system/cert-manager-controller...
I1220 10:29:40.695753       1 leaderelection.go:258] successfully acquired lease kube-system/cert-manager-controller
I1220 10:29:40.696143       1 controller.go:163] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificatesigningrequests-issuer-vault"
I1220 10:29:40.696185       1 controller.go:163] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificatesigningrequests-issuer-venafi"
I1220 10:29:40.696436       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="certificaterequests-approver"
I1220 10:29:40.696548       1 controller.go:163] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificatesigningrequests-issuer-ca"
I1220 10:29:40.696615       1 controller.go:163] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificatesigningrequests-issuer-selfsigned"
I1220 10:29:40.696651       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="certificates-readiness"
I1220 10:29:40.696658       1 controller.go:163] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="gateway-shim"
I1220 10:29:40.696693       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="certificates-metrics"
I1220 10:29:40.697253       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="certificaterequests-issuer-ca"
I1220 10:29:40.697471       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="certificaterequests-issuer-acme"
I1220 10:29:40.697540       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="certificaterequests-issuer-selfsigned"
I1220 10:29:40.697963       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="certificaterequests-issuer-venafi"
I1220 10:29:40.698062       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="certificates-trigger"
I1220 10:29:40.698111       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="certificates-request-manager"
I1220 10:29:41.504721       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="challenges"
I1220 10:29:41.504762       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="orders"
I1220 10:29:41.504819       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="certificates-issuing"
I1220 10:29:41.504853       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="certificates-key-manager"
I1220 10:29:41.504884       1 controller.go:163] cert-manager/controller "msg"="not starting controller as it's disabled" "controller"="certificatesigningrequests-issuer-acme"
I1220 10:29:41.504942       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="certificates-revision-manager"
I1220 10:29:41.505066       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="clusterissuers"
I1220 10:29:41.505141       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="ingress-shim"
I1220 10:29:41.505220       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="issuers"
I1220 10:29:41.505467       1 controller.go:186] cert-manager/controller "msg"="starting controller" "controller"="certificaterequests-issuer-vault"
I1220 12:31:42.402384       1 setup.go:219] cert-manager/controller/issuers "msg"="ACME server URL host and ACME private key registration host differ. Re-checking ACME account registration" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-staging" "related_resource_namespace"="prod" "resource_kind"="Issuer" "resource_name"="letsencrypt-staging" "resource_namespace"="prod" "resource_version"="v1"
I1220 12:31:43.291565       1 setup.go:309] cert-manager/controller/issuers "msg"="verified existing registration with ACME server" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-staging" "related_resource_namespace"="prod" "resource_kind"="Issuer" "resource_name"="letsencrypt-staging" "resource_namespace"="prod" "resource_version"="v1"
I1220 12:31:43.291617       1 conditions.go:95] Setting lastTransitionTime for Issuer "letsencrypt-staging" condition "Ready" to 2021-12-20 12:31:43.291609136 +0000 UTC m=+7387.349555559
I1220 12:31:43.324585       1 setup.go:202] cert-manager/controller/issuers "msg"="skipping re-verifying ACME account as cached registration details look sufficient" "related_resource_kind"="Secret" "related_resource_name"="letsencrypt-staging" "related_resource_namespace"="prod" "resource_kind"="Issuer" "resource_name"="letsencrypt-staging" "resource_namespace"="prod" "resource_version"="v1"

# kubectl logs ngingress-ingress-nginx-controller-7f4db9965c-ht8t9 -n default -f

I1220 12:53:53.630296       7 status.go:300] "updating Ingress status" namespace="prod" ingress="gateway-echopen-tls" currentValue=[{IP:152.228.169.166 Hostname: Ports:[]}] newValue=[{IP:152.228.169.166 Hostname: Ports:[]}]
I1220 12:53:54.736079       7 status.go:300] "updating Ingress status" namespace="prod" ingress="hapi-echopen-tls" currentValue=[{IP:152.228.169.166 Hostname: Ports:[]}] newValue=[{IP:152.228.169.166 Hostname: Ports:[]}]
I1220 12:53:54.742908       7 status.go:300] "updating Ingress status" namespace="prod" ingress="reader-echopen-tls" currentValue=[{IP:152.228.169.166 Hostname: Ports:[]}] newValue=[{IP:152.228.169.166 Hostname: Ports:[]}]
E1220 12:54:23.467892       7 main.go:90] "invalid ingress configuration" err="host \"sso.mydomain.com\" and path \"/\" is already defined in ingress prod/sso-echopen-tls" ingress="sso-production/prod"

Details of Test 2

Same ingress but without the cert-manager annotation succeeds!

# cat ingress-sso-echopen-tls.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 8m
  name: sso-echopen-tls
  namespace: prod
spec:
  tls:
  - hosts:
    - sso.mydomain.com
    secretName: ingress-echopen-secret-tls
  rules:
  - host: sso.mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: sso
            port:
              number: 8080



# kubectl create -f ingress-sso-echopen-tls.yaml
ingress.networking.k8s.io/sso-echopen-tls created

# kubectl get ingress --all-namespaces
NAMESPACE   NAME                  CLASS    HOSTS                                 ADDRESS           PORTS     AGE
prod        gateway-echopen-tls   <none>   gateway.mydomain.com   152.228.169.166   80, 443   7d
prod        hapi-echopen-tls      <none>   hapi.mydomain.com      152.228.169.166   80, 443   9d
prod        reader-echopen-tls    <none>   reader.mydomain.com    152.228.169.166   80, 443   7d
prod        sso-echopen-tls       <none>   sso.mydomain.com       152.228.169.166   80, 443   26s

Upvotes: 6

Views: 18961

Answers (1)

drtob

Reputation: 373

The same domain name probably exists within the ingress. You can delete the ingress by executing the following command:

kubectl get ingress --all-namespaces

to list installed ingresses

kubectl delete ingress ingress-name -n ingress-namespace

to delete the troublesome ingress

then re-run your command.

Upvotes: 8
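
As an added example (not part of the answer above and not ingress-nginx's own code), a pre-flight check that lists host/path pairs claimed by more than one Ingress, taking JSON shaped like the output of `kubectl get ingress --all-namespaces -o json`. The sample data is constructed from the names in the question, `sso-canary` is hypothetical, and skipping canary-annotated Ingresses is an assumption about which duplicates are intentional.

```python
import json
from collections import defaultdict

CANARY = "nginx.ingress.kubernetes.io/canary"


def _item(namespace, name, host, path, annotations=None):
    """Build a minimal Ingress object (constructed sample data)."""
    return {
        "metadata": {"namespace": namespace, "name": name,
                     "annotations": annotations or {}},
        "spec": {"rules": [{"host": host,
                            "http": {"paths": [{"path": path}]}}]},
    }


# Constructed sample, shaped like `kubectl get ingress --all-namespaces -o json`.
SAMPLE = json.dumps({"items": [
    _item("prod", "gateway-echopen-tls", "gateway.mydomain.com", "/"),
    _item("prod", "sso-echopen-tls", "sso.mydomain.com", "/"),
    _item("prod", "sso-production", "sso.mydomain.com", "/"),
    _item("prod", "sso-canary", "sso.mydomain.com", "/", {CANARY: "true"}),
]})


def find_overlaps(ingress_list_json):
    """Return {(host, path): [ns/name, ...]} for pairs claimed by 2+ Ingresses."""
    owners = defaultdict(set)
    for ing in json.loads(ingress_list_json).get("items", []):
        meta = ing.get("metadata", {})
        # Assumption: canary Ingresses intentionally share host/path with a primary.
        if (meta.get("annotations") or {}).get(CANARY) == "true":
            continue
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        for rule in (ing.get("spec") or {}).get("rules") or []:
            host = rule.get("host", "")  # empty host means a catch-all rule
            for p in (rule.get("http") or {}).get("paths") or []:
                owners[(host, p.get("path", "/"))].add(ref)
    # A set per key means one Ingress repeating its own rule is not reported.
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


if __name__ == "__main__":
    for (host, path), refs in find_overlaps(SAMPLE).items():
        print(f'host "{host}" path "{path}" defined in: {", ".join(refs)}')
```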
