Description
Describe the bug
Our setup requires us to set a netprofile on our Ingress resources to ensure the correct routing from the Netscaler VPX to the k8s nodes. However, the way to set the netprofile is with the `ingress.citrix.com/servicegroup` annotation, which requires a JSON object with the exact name of the backend service as its value. As the name of the cert-manager solver service is dynamic (e.g. `cm-acme-http-solver-jvpp8`), this is impossible to achieve.
To Reproduce
- Steps
- Deploy Netscaler Ingress Controller, Verify Netscaler API connection
- Deploy Cert-Manager and a Letsencrypt Issuer with the following config:

  ```yaml
  solvers:
  - http01:
      ingress:
        serviceType: NodePort
        ingressClassName: netscaler
        ingressTemplate:
          metadata:
            annotations:
              ingress.citrix.com/frontend-ip: XX.XXX.XXX.XXX
              ingress.citrix.com/servicegroup: '{"cm-acme-http-solver":{"netProfile":"lorem-ipsum"}}'
  ```

- Deploy a k8s Ingress with required annotations for cert-manager to create a CertificateRequest
- The ingress controller will create the resources in Netscaler but without the netprofile set
- Version of the NetScaler Ingress Controller
- 2.2.10
- Version of MPX/VPX/CPX
- Environment variables (minus secrets)
- Deployed with Helm, only `nsIP`, `adcCredentialSecret` and `ingressClass` set.
Expected behavior
The documentation doesn't explicitly state that the names in the annotation and the backend service name need to match. This was discovered in the following issue: #523 (comment)
I would expect this to be less strict and to allow `'{"cm-acme-http-solver":{"netProfile":"lorem-ipsum"}}'` to match `backend.service.name: cm-acme-http-solver-j48h5`.
An alternative would be for there to be a direct `ingress.citrix.com/netprofile` annotation that would function similarly to the `ingress.citrix.com/rewrite-responder_crd` annotation, where if the value is a raw string it applies that netprofile to all services while still allowing more specific targeting.
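
The mismatch described in this report can be checked offline against an Ingress manifest. The following is an added example, not part of the original issue and not the NetScaler Ingress Controller's code: it lists each backend service of an Ingress and the netProfile the `ingress.citrix.com/servicegroup` annotation yields for it under exact key matching (the behaviour reported above) and under the relaxed prefix matching the report asks for. The function names, the `prefix` mode and the sample manifest are assumptions constructed for illustration.

```python
import json

SERVICEGROUP = "ingress.citrix.com/servicegroup"

def backend_services(ingress):
    """Collect every backend service name referenced by an Ingress manifest."""
    spec = ingress.get("spec", {})
    names = []
    default = spec.get("defaultBackend", {}).get("service", {}).get("name")
    if default:
        names.append(default)
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            name = path.get("backend", {}).get("service", {}).get("name")
            if name and name not in names:
                names.append(name)
    return names

def netprofile_for(ingress, service, prefix=False):
    """Return the netProfile the annotation yields for `service`, or None.

    prefix=False: exact key match, as the issue reports the controller requires.
    prefix=True:  hypothetical relaxed match requested in the issue.
    """
    raw = ingress.get("metadata", {}).get("annotations", {}).get(SERVICEGROUP, "{}")
    groups = json.loads(raw)
    if service in groups:
        return groups[service].get("netProfile")
    if prefix:
        # Longest annotation key that prefixes the service name wins.
        hits = [k for k in groups if service.startswith(k + "-")]
        if hits:
            return groups[max(hits, key=len)].get("netProfile")
    return None

def audit(ingress, prefix=False):
    """Map each backend service to its resolved netProfile (None = not applied)."""
    return {s: netprofile_for(ingress, s, prefix) for s in backend_services(ingress)}

# Constructed sample shaped like a cert-manager HTTP-01 solver Ingress.
SOLVER_INGRESS = {
    "metadata": {"annotations": {
        SERVICEGROUP: '{"cm-acme-http-solver":{"netProfile":"lorem-ipsum"}}'}},
    "spec": {"rules": [{"host": "example.test", "http": {"paths": [{
        "path": "/.well-known/acme-challenge/CONSTRUCTED-TOKEN",
        "backend": {"service": {"name": "cm-acme-http-solver-jvpp8",
                                "port": {"number": 8089}}}}]}}]},
}
```

A `None` value in the result of `audit(SOLVER_INGRESS)` marks a backend whose service group would be created without the netprofile.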