What happened?
I upgraded from operator to ingress-controller using chart version: 28.0.2
What did you expect to happen?
Define ingresscontroller as per your guide
```yaml
ingressController:
  enabled: true
  image:
    repository: "pomerium/ingress-controller"
    tag: "v0.16.0"
  ingressClassResource:
    enabled: false
  config:
    ingressClass: "traefik-cert-manager"
    operatorMode: true
```
Policy should be updated as it was in operator; instead, nothing happens.
How’d it happen?
- Ran `helm install`
- Checked policy: `kubectl -n kube-system get secret pomerium-shared -o jsonpath='{.data.config\.yaml}' | base64 -d`
- Saw error: no routes were created
What’s your environment like?
- Pomerium version (retrieve with `pomerium --version`): 0.16.2
- Server Operating System/Architecture/Cloud: AWS kops
What’s your config.yaml?
apiProxy:
enabled: true
insecure: false
insecureProxy: false
```yaml
# operator:
#   enabled: true
#   image:
#     repository: "pomerium/pomerium-operator"
#     tag: "master"
#   config:
#     ingressClass: "traefik-cert-manager"
ingressController:
  enabled: true
  image:
    repository: "pomerium/ingress-controller"
    tag: "0.16.0"
  # ingressClass: "traefik-cert-manager"
  ingressClassResource:
    enabled: true
    # name: "traefik-cert-manager"
  config:
    ingressClass: "traefik-cert-manager"
    operatorMode: true
```
What did you see in the logs?
{"level":"info","ts":1663603758.3110256,"logger":"controller.ingress","msg":"deleted from pomerium","reconciler group":"networking.k8s.io","reconciler kind":"Ingress","name":"traefik-dashboard","namespace":"dev","reason":"not marked to be managed by this controller"}
Additional context
Old working Ingress
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: traefik-dashboard
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik-cert-manager
    kubernetes.io/tls-acme: "true"
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: web, websecure
    # traefik.ingress.kubernetes.io/router.middlewares: kube-system-basic-auth@kubernetescrd
    ingress.kubernetes.io/ssl-proxy-headers: 'X-Forwarded-Proto: https'
    ingress.pomerium.io/allowed_domains: '["domain.com"]'
    ingress.pomerium.io/to: http://traefik-dashboard.kube-system:9000
    ingress.pomerium.io/tls_skip_verify: "true"
    ingress.pomerium.io/preserve_host_header: "true"
    ingress.pomerium.io/pass_identity_headers: "true"
spec:
  tls:
    - hosts:
        - dash.${domain}
      secretName: dash-tls
  rules:
    - host: dash.${domain}
      http:
        paths:
          - backend:
              serviceName: pomerium-proxy
              servicePort: 80
```
Add any other context about the problem here.
New ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-proxy-headers: 'X-Forwarded-Proto: https'
    kubernetes.io/ingress.class: traefik-cert-manager
    kubernetes.io/tls-acme: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: web, websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    ingress.pomerium.io/tls_skip_verify: "true"
    ingress.pomerium.io/preserve_host_header: "true"
    ingress.pomerium.io/pass_identity_headers: "true"
    ingress.pomerium.io/allow_any_authenticated_user: 'true'
  name: traefik-dash
  namespace: dev
spec:
  ingressClassName: traefik-cert-manager
  rules:
    - host: traefik.domain.com
      http:
        paths:
          - backend:
              service:
                name: traefik-dashboard
                port:
                  number: 9000
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - traefik.domain.com
      secretName: traefik-tls
```
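
Added example, not part of the original report and not Pomerium project code: a triage script that cross-references controller log entries like the one quoted above with Ingress objects, listing every Ingress that declares `ingress.pomerium.io/*` policy annotations but was dropped by the controller, so no route enforces them. The function names, the `plain-app` Ingress and the sample data are hypothetical; the Ingress list stands in for the items of `kubectl get ingress -A -o json`.

```python
import json

POLICY_PREFIX = "ingress.pomerium.io/"
# Constructed sample input: the report's log line plus one non-JSON line.
LOG_LINES = [
    '{"level":"info","ts":1663603758.3110256,"logger":"controller.ingress",'
    '"msg":"deleted from pomerium","reconciler group":"networking.k8s.io",'
    '"reconciler kind":"Ingress","name":"traefik-dashboard","namespace":"dev",'
    '"reason":"not marked to be managed by this controller"}',
    "plain-text line that is not JSON",
]
# Constructed stand-in for the items of `kubectl get ingress -A -o json`.
INGRESSES = [
    {"metadata": {"name": "traefik-dashboard", "namespace": "dev", "annotations": {
        "kubernetes.io/ingress.class": "traefik-cert-manager",
        "ingress.pomerium.io/allow_any_authenticated_user": "true",
        "ingress.pomerium.io/pass_identity_headers": "true"}},
     "spec": {"ingressClassName": "traefik-cert-manager"}},
    {"metadata": {"name": "plain-app", "namespace": "dev", "annotations": {}},
     "spec": {"ingressClassName": "traefik-cert-manager"}},
]

def dropped_ingresses(lines):
    """Map (namespace, name) -> reason for each Ingress the controller dropped."""
    dropped = {}
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip banners and other non-JSON output
        if (isinstance(entry, dict) and entry.get("reconciler kind") == "Ingress"
                and entry.get("msg") == "deleted from pomerium"):
            dropped[(entry.get("namespace"), entry.get("name"))] = entry.get("reason", "")
    return dropped

def unenforced_policies(lines, ingresses):
    """Return dropped Ingresses that still declare Pomerium policy annotations."""
    dropped = dropped_ingresses(lines)
    findings = []
    for item in ingresses:
        meta = item.get("metadata", {})
        key = (meta.get("namespace"), meta.get("name"))
        policy = sorted(a for a in (meta.get("annotations") or {}) if a.startswith(POLICY_PREFIX))
        if key in dropped and policy:
            findings.append({"ingress": f"{key[0]}/{key[1]}", "reason": dropped[key],
                             "class": item.get("spec", {}).get("ingressClassName"),
                             "policy_annotations": policy})
    return findings
if __name__ == "__main__":
    print(json.dumps(unenforced_policies(LOG_LINES, INGRESSES), indent=2))
```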