
Very long timeouts on certificate fetches #1669

Closed
lorenz opened this issue Nov 8, 2017 · 5 comments · Fixed by #1699

Comments

@lorenz

lorenz commented Nov 8, 2017

NGINX Ingress controller version: beta-15

Kubernetes version (use kubectl version): 1.7

What happened:
ingress-nginx goes into CrashLoopBackoff if the certificate provider is down or the internet can't be reached:
ssl.go:185] unexpected error generating SSL certificate with full chain: Get http://cert.int-x3.letsencrypt.org/: dial tcp: i/o timeout

This connection has a 30s timeout, which is longer than the 10s Kubernetes waits for the pod to become healthy.

What you expected to happen:
As far as I know the kube-lego addon provides full chains anyways, so this request should not even happen.

How to reproduce it (as minimally and precisely as possible):
Use any CA whose servers are down and start ingress-nginx

@lorenz
Author

lorenz commented Nov 8, 2017

Was actually not the CA being down but a routing protocol problem, but still could've been caused by that.

@rikatz
Contributor

rikatz commented Nov 9, 2017

This happens here. I had the same issue here, caused by blocked egress internet connections. Still this should be solved, probably inside the certUtil package (and not Ingress)

@lorenz
Author

lorenz commented Nov 9, 2017

Yes, I have seen that code snippet as well. I think there are two issues here:

  1. certutil downloads certificates when it shouldn't (I looked into the cert secrets, they are full-chain)
  2. Should the ingress itself do any downloading? I think all this should really be handled by a separate stateless service which is responsible for filling in certificate chains (this would also be optional for people who don't want that or don't care).

@aledbf
Member

aledbf commented Nov 13, 2017

@lorenz @rikatz please test the image quay.io/aledbf/nginx-ingress-controller:0.279

@aledbf
Member

aledbf commented Nov 13, 2017

  1. certutil downloads certificates when it shouldn't (I looked into the cert secrets, they are full-chain)

This is done asynchronously now.

  2. Should the ingress itself do any downloading?

It depends. Secrets should be created with all the intermediate certificates. This is just one of the ways to fix any issue in order to enable OCSP in nginx.
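As an added example (not code from the ingress-nginx project or from anyone in this thread), a Go check an operator can run over a TLS secret's tls.crt before it reaches the controller: it reports every certificate whose issuer is absent from the bundle, which is exactly the case that makes the controller go out to the CA at startup. The names MissingIssuers and constructedChain are hypothetical, and the chain it checks is generated in-code as test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
)

// MissingIssuers parses a PEM bundle (the tls.crt of a Kubernetes TLS secret) and returns the
// issuer CN of each certificate that is neither self-signed nor signed by another certificate
// in the bundle. An empty result means the chain is complete: nothing to fetch at startup.
func MissingIssuers(bundle []byte) ([]string, error) {
	var der []byte
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		der = append(der, blk.Bytes...) // concatenate DER; non-certificate blocks fail parsing below
	}
	certs, err := x509.ParseCertificates(der)
	if err != nil || len(certs) == 0 {
		return nil, fmt.Errorf("bundle: %d certificates parsed: %v", len(certs), err)
	}
	var missing []string
	for _, c := range certs {
		signed := false
		for _, p := range certs { // p == c covers a self-signed root
			signed = signed || c.CheckSignatureFrom(p) == nil
		}
		if !signed {
			missing = append(missing, c.Issuer.CommonName)
		}
	}
	return missing, nil
}

// constructedChain generates a throwaway CA and leaf (constructed test data, not real
// certificates), PEM-encoded, so the check runs offline. Errors ignored: test data only.
func constructedChain() (leafPEM, caPEM []byte) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed CA"}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"}}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, leafPub, caKey)
	enc := func(d []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: d}) }
	return enc(leafDER), enc(caDER)
}
```

Run it as a test (go test): the leaf on its own reports "Constructed CA" as missing, while leaf plus CA in one bundle reports nothing, which is the state a secret should be in before the controller loads it.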
