This repository has been archived by the owner on Aug 26, 2021. It is now read-only.

Recovering from Error 409: The resource '...' already exists, alreadyExists #95

Open
devth opened this issue Feb 23, 2017 · 5 comments

devth commented Feb 23, 2017

I was running kube-lego:0.1.1 for several months using the GCE Loadbalancers solution. It's been working well, automatically renewing certs for 3 of my domains as needed until recently, when one of my domains' certs stopped working because it was expired.

kube-lego is still updating the secret, but something is wrong with the Ingress. It has events on it:

Events:
  FirstSeen     LastSeen        Count   From                            SubObjectPath   Type            Reason  Message
  ---------     --------        -----   ----                            -------------   --------        ------  -------
  20d           7m              16175   {loadbalancer-controller }                      Warning         GCE     googleapi: Error 409: The resource 'projects/foo/global/sslCertificates/k8s-ssl-1-foo-bar--c2cd235f2196d4d5' already exists, alreadyExists
  10d           13s             14385   {loadbalancer-controller }                      Warning         GCE     googleapi: Error 409: The resource 'projects/foo/global/sslCertificates/k8s-ssl-1-default-qux--c2cd235f2196d4d5' already exists, alreadyExists

It looks like 0.1.2 might have addressed this issue, so I upgraded my kube-lego deployment to 0.1.3. It started up fine, checked for certs, but it didn't need to update the one that wasn't working since the cert in the stored secret is recent.

What's the best way to recover? Can I force kube-lego to refresh a cert?

Author

devth commented Feb 23, 2017

I increased LEGO_MINIMUM_VALIDITY to 80 days to force it to refresh. It successfully got a new certificate and stored it in the correct secret, but the alreadyExists issue remains.

@simonswine
Contributor

This is a GCE ingress controller bug, please file the bug here:
https://github.com/kubernetes/ingress

Author

devth commented Feb 23, 2017

Filed kubernetes/ingress-nginx#330. I guess I could just delete the SSL cert in gcloud, but I'm trying to figure out a non-destructive way to recover without downtime.

Author

devth commented Mar 22, 2017

@simonswine any thoughts on how to get momentum on the issue filed on kubernetes/ingress or work around the issue? I can easily recover by deleting the ingress, but if this was production that would incur downtime.

@gianrubio
Contributor

@devth this is related to kubernetes/ingress-nginx#609
