Ingress in AKO does not get an IP address assigned due to an error "msg: secret: has been deleted, err: resource name may not be empty"
search cancel

Ingress in AKO does not get an IP address assigned due to an error "msg: secret: has been deleted, err: resource name may not be empty"

book

Article ID: 386439

calendar_today

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

  • This issue occurs if the Ingress is missing secret in the config, which is why AKO is not able to process it and assign IP.
  • An ingress will be created; however, the ingress do not get an IP assigned to it
    infraservidores@vml-bootstrap:~/echoheaders$ kubectl get ing -n default
    NAME          CLASS       HOSTS                      ADDRESS     PORTS     AGE
    test          avi-lb    test.k8s.internal            80, 443     4m24s 
  • Messages such as below are noticed below in AKO logs 
    2025-01-14T16:11:31.032Z        ^[[33mWARN^[[0m nodes/avi_model_evh_nodes.go:1273       key: Service/echo2/test, msg: secret:  has been deleted, err: resource name may not be empty
    2025-01-14T16:11:31.043Z        ^[[33mWARN^[[0m nodes/avi_model_evh_nodes.go:1273       key: Service/echo2/test, msg: secret:  has been deleted, err: resource name may not be empty
    2025-01-14T16:11:31.049Z        ^[[33mWARN^[[0m nodes/avi_model_evh_nodes.go:1273       key: Service/echo2/test, msg: secret:  has been deleted, err: resource name may not be empty

 

Environment

TKGs, AKO 1.12.1

Resolution

  • To add TLS secret to the Ingress configuration for Avi Load Balancer, you need to: 
    • First create a TLS secret containing the certificate and private key, below is an example:
      kubectl create secret tls test-tls-secret \
        --cert=path/to/cert.pem \
        --key=path/to/key.pem
    • Then modify the Ingress YAML to reference the secret, below is an example:
      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        annotations: {}
        labels: {}
        name: test
        namespace: default
      spec:
        ingressClassName: avi-lb
        rules:
        - host: test.k8s.internal
          http:
            paths:
            - backend:
                service:
                  name: test
                  port:
                    number: 8080
              path: /
              pathType: Prefix
        tls:
        - hosts:
          - test.k8s.internal
          secretName: test-tls-secret
  • The key changes required are:
    • Add the `secretName` field under the `tls` section to specify which secret contains the TLS certificate
    • Ensure the hostname in `tls.hosts` matches the hostname specified in `rules.host`
    • The secret must exist in the same namespace as the Ingress resource
  • Refer https://techdocs.broadcom.com/us/en/vmware-security-load-balancing/avi-load-balancer/avi-kubernetes-operator/AKO/avi-kubernetes-operator-1-12/avi-kubernetes-operator/handling-of-kubernetes-openshift-and-avi-objects.html