Strimzi Kafka on GKE - LetsEncrypt cert(secret) getting generated with name+randomtext

[karanalang]

Hello -

I'm using terraform to create a GKE cluster & deploy Strimzi Kafka(v0.38), and the script is using ACME protocol to get certificate from LetsEncrypt,
and running into issues wherein the secret being created (when deploying certificate.yaml) is created with random string attached to the secret name.

Script does the following :

2. creates a GKE cluster (version - 1.30.5-gke.1355000)

3. Installs cert-manager in namespace cert-manager,
   version of cert-manager - v1.13.2

Command :
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml

Install External-DNS (in namespace - kafka)

creates ClusterIssuer for prod & staging

creates Certificate (in namespace - kafka)

Finally, it deploys Strimzi kafka (v0.38)

Here is the certifcate.yaml & values.yaml for the helm chart

certificate.yaml

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ .Values.cluster.name }}-lets-encrypt
spec:
  secretName: {{ .Values.cluster.name }}-lets-encrypt
  issuerRef:
    name: {{ .Values.cluster.name }}-letsencrypt-staging
    kind: ClusterIssuer
    group: cert-manager.io
  subject:
    organizations:
      - {{ .Values.acme.organizations }}
  dnsNames:
    - bootstrap.{{ .Values.acme.dns_name }}
    - broker-0.{{ .Values.acme.dns_name }}
    - broker-1.{{ .Values.acme.dns_name }}
    - broker-2.{{ .Values.acme.dns_name }}


values.yaml:
 
cluster:
  name: "versa-kafka-poc-tf2"
project:
  id: "versa-kafka-poc"
acme: 
  zone_name: "vkp2-versa-vani" # org - vkp-versa-vani
  dns_name: "vkp2.versa-vani.com" # vkp-versa-vani.com
  email: "[email protected]"
  organizations: "vkp2-versa-vani" # vkp2-versa-vani


(base) Karans-MacBook-Pro:~ karanalang$ kc get secrets -n kafka | grep encrypt
versa-kafka-poc-tf2-lets-encrypt-rgjht                Opaque               1      2d4h
versa-kafka-poc-tf2-letsencrypt-prod-account-key      Opaque               1      2d4h
versa-kafka-poc-tf2-letsencrypt-staging-account-key   Opaque               1      2d4h

Describing the cert shows error that the Cert is not ready, since the required secret (versa-kafka-poc-tf2-lets-encrypt) is not available, instead the secret is created with a random string attached to the name:

(base) Karans-MacBook-Pro:~ karanalang$ kc get cert versa-kafka-poc-tf2-lets-encrypt -n kafka -o yaml


status:
  conditions:
  - lastTransitionTime: "2024-11-02T01:01:26Z"
    message: Issuing certificate as Secret does not exist
    observedGeneration: 1
    reason: DoesNotExist
    status: "True"
    type: Issuing
  - lastTransitionTime: "2024-11-02T01:01:26Z"
    message: Issuing certificate as Secret does not exist
    observedGeneration: 1
    reason: DoesNotExist
    status: "False"
    type: Ready
  nextPrivateKeySecretName: versa-kafka-poc-tf2-lets-encrypt-rgjht

Question is - why is the secret getting created with a random string added to the secret name ?
How to debug/fix this ?

tia!

[ppatierno]

I don't think that this question is related to Strimzi. It's just about how cert-manager and how it works and also it's not integrated within Strimzi yet.