Ingress in AKO does not get an IP address assigned due to an error "msg: secret: has been deleted, err: resource name may not be empty"
search cancel

Ingress in AKO does not get an IP address assigned due to an error "msg: secret: has been deleted, err: resource name may not be empty"

book

Article ID: 386439

calendar_today

Updated On: 01-22-2025

Products

VMware Avi Load Balancer

Issue/Introduction

  • This issue occurs if the Ingress is missing secret in the config, which is why AKO is not able to process it and assign IP.
  • An ingress will be created; however, the ingress do not get an IP assigned to it 
    infraservidores@vml-bootstrap:~/echoheaders$ kubectl get ing -n default
NAME          CLASS       HOSTS                      ADDRESS     PORTS     AGE
test          avi-lb    test.k8s.internal            80, 443     4m24s
  • Messages such as below are noticed below in AKO logs  
    2025-01-14T16:11:31.032Z        ^[[33mWARN^[[0m nodes/avi_model_evh_nodes.go:1273       key: Service/echo2/test, msg: secret:  has been deleted, err: resource name may not be empty
2025-01-14T16:11:31.043Z        ^[[33mWARN^[[0m nodes/avi_model_evh_nodes.go:1273       key: Service/echo2/test, msg: secret:  has been deleted, err: resource name may not be empty
2025-01-14T16:11:31.049Z        ^[[33mWARN^[[0m nodes/avi_model_evh_nodes.go:1273       key: Service/echo2/test, msg: secret:  has been deleted, err: resource name may not be empty

 

Environment

TKGs, AKO 1.12.1

Resolution

  • To add TLS secret to the Ingress configuration for Avi Load Balancer, you need to: 
    • First create a TLS secret containing the certificate and private key, below is an example: 
      kubectl create secret tls test-tls-secret \
  --cert=path/to/cert.pem \
  --key=path/to/key.pem
    • Then modify the Ingress YAML to reference the secret, below is an example: 
      apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations: {}
  labels: {}
  name: test
  namespace: default
spec:
  ingressClassName: avi-lb
  rules:
  - host: test.k8s.internal
    http:
      paths:
      - backend:
          service:
            name: test
            port:
              number: 8080
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - test.k8s.internal
    secretName: test-tls-secret
  • The key changes required are:
    • Add the `secretName` field under the `tls` section to specify which secret contains the TLS certificate
    • Ensure the hostname in `tls.hosts` matches the hostname specified in `rules.host`
    • The secret must exist in the same namespace as the Ingress resource
  • Refer https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-kubernetes-operator/AKO/avi-kubernetes-operator-1-12/avi-kubernetes-operator/handling-of-kubernetes-openshift-and-avi-objects.html 
Powered by Wolken Software