What happened?
I’m using the pomerium ingressclass v0.29 with a letsencrypt issuer in kubernetes. I think I am in a loophole and I can’t figure out if it is a bug or a misconfiguration.
I’m creating an ingress for a service, but when I apply the ingress, pomerium complains that the secretName passed to the tls section does not exist and the reconcile fails.
The problem seems to arise because pomerium does not register the route needed by the http challenge, so the letsencrypt issuer cannot issue the secret (I have a temporary secret named tls-war-data-bridge-[garbage], but it normally gets deleted when the challenge succeeds). So cert-manager can’t create the secret because the route is not registered, and pomerium can’t register the route because the secret is not there.
What did you expect to happen?
I expected pomerium to still register the route while waiting for cert-manager to issue the certificate’s secret.
What’s your config.yaml?
------ ingress

```yaml
ingress:
  enabled: true
  annotations:
    # cert-manager's ingress-shim reads cert-manager.io/issuer as a namespaced Issuer;
    # if letsencrypt-iap-prod only exists as the ClusterIssuer shown below, cert-manager
    # expects the cert-manager.io/cluster-issuer annotation here instead.
    cert-manager.io/issuer: letsencrypt-iap-prod
    ingress.pomerium.io/pass_identity_headers: 'true'
    ingress.pomerium.io/policy: |
      allow:
        or:
          - claim/cluster-roles: "CLUSTER:ADMIN"
          - claim/cluster-roles: "CLUSTER:RAW:READ"
  className: pomerium
  tls:
    - hosts:
        - <my ip reachable from pomerium loadbalancer>
      secretName: tls-raw-data-bridge
  hosts:
    - host: <my ip reachable from pomerium loadbalancer>
      paths:
        - path: "/"
          pathType: Prefix
```
---- ClusterIssuer

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-iap-prod
spec:
  # following https://cert-manager.io/docs/tutorials/acme/nginx-ingress/
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <some email here>
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-iap-prod
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            ingressClassName: pomerium
```
What did you see in the logs?
│ {"level":"info","ts":"2025-07-08T14:51:31Z","msg":"Warning: Reconciler returned both a non-zero result and a non-nil error. The result will always be ignored if the error is non-nil and the non-nil error causes requeuing with expone │
│ ntial backoff. For more details, see: https://pkg.go.dev/sigs.k8s.io/controller-runtime/pkg/reconcile#Reconciler","controller":"pomerium-ingress","controllerGroup":"networking.k8s.io","controllerKind":"Ingress","Ingress":{"name":"ra │
│ w-data-bridge","namespace":"core"},"namespace":"core","name":"raw-data-bridge","reconcileID":"7157c3b3-2444-4f6d-aae9-b9f795846342"} │
│ {"level":"error","ts":"2025-07-08T14:51:31Z","msg":"Reconciler error","controller":"pomerium-ingress","controllerGroup":"networking.k8s.io","controllerKind":"Ingress","Ingress":{"name":"raw-data-bridge","namespace":"core"},"namespac │
│ e":"core","name":"raw-data-bridge","reconcileID":"7157c3b3-2444-4f6d-aae9-b9f795846342","error":"fetch ingress related resources: tls: get secret core/tls-raw-data-bridge: Secret \"tls-raw-data-bridge\" not found"} │
│ {"level":"info","time":"2025-07-08T14:51:31Z","message":"neither autocert, insecure_server or manually provided certificates were provided, server will be using a self-signed certificate"}