
[ssl] use `crt-list` to map SNI to certs

Open bedis opened this issue 6 years ago • 0 comments

Kubernetes ingress rules allow associating domains with certificates, i.e.:

kind: Ingress
metadata:
  name: foo-tls
  namespace: default
spec:
  tls:
  - hosts:
    - foo.bar.com
    secretName: foobar
  - hosts:
    - bar.baz.com
    secretName: barbaz

This would work out of the box with the current implementation because there is no overlap between foo.bar.com and bar.baz.com.

Now, let's try this:

kind: Ingress
metadata:
  name: foo-tls
  namespace: default
spec:
  tls:
  - hosts:
    - foo.bar.com
    secretName: bar-wildcard
  - hosts:
    - www.bar.com
    secretName: bar-www

The configuration above can be "translated" into HAProxy's crt-list feature: https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.1-crt-list.

The beauty is that this will allow implementing some SSL/TLS options "per host" (which could be set as annotations in the ingress rule).

bedis, Jul 11 '19 05:07
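As an added illustration of the translation proposed above (example code, not part of the issue or of the kubernetes-ingress project), the following turns the `spec.tls` entries of an Ingress into HAProxy crt-list lines of the form `<crt> [ssl options] <SNI filter> ...`. The certificate path scheme `<namespace>_<secretName>.pem` and the `options` parameter (the place where annotation-derived per-host SSL settings would be fed in) are assumptions; a host claimed by two different secrets is rejected instead of letting HAProxy pick one silently.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the second Ingress from the issue, already parsed from YAML.
INGRESS = {
    "kind": "Ingress",
    "metadata": {"name": "foo-tls", "namespace": "default"},
    "spec": {
        "tls": [
            {"hosts": ["foo.bar.com"], "secretName": "bar-wildcard"},
            {"hosts": ["www.bar.com"], "secretName": "bar-www"},
        ]
    },
}

# RFC 1123 hostname, optionally with a leading "*." wildcard label. Anything else
# (spaces, newlines, brackets) must not reach the generated crt-list line.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(\*\.)?(?:{_LABEL}\.)*{_LABEL}$")


def ingress_to_crt_list(ingress, cert_dir="/etc/haproxy/certs", options=None):
    """Return one crt-list line per TLS secret: '<crt> [opts] <sni> <sni> ...'.

    `options` maps secretName -> crt-list option string (e.g. "alpn h2,http/1.1");
    this is the hypothetical hook for per-host settings taken from Ingress annotations.
    """
    options = options or {}
    ns = ingress["metadata"].get("namespace", "default")
    owner = {}  # host -> secret that already claimed it
    lines = []
    for entry in ingress["spec"].get("tls", []):
        secret, hosts = entry.get("secretName"), entry.get("hosts") or []
        if not secret or not hosts:
            continue  # nothing to map; the default certificate covers it
        filters = []
        for host in hosts:
            h = host.strip().lower()
            if not _HOST_RE.match(h):
                raise ValueError(f"invalid SNI filter {host!r} in {ns}/{secret}")
            if owner.setdefault(h, secret) != secret:
                raise ValueError(f"{h} is mapped to both {owner[h]} and {secret}")
            filters.append(h)
        crt = str(PurePosixPath(cert_dir) / f"{ns}_{secret}.pem")
        opts = f"[{options[secret]}] " if secret in options else ""
        lines.append(f"{crt} {opts}{' '.join(filters)}")
    return lines


if __name__ == "__main__":
    print("\n".join(ingress_to_crt_list(INGRESS, options={"bar-www": "alpn h2,http/1.1"})))
```

Hosts with a leading `*.` pass through unchanged, so a tls entry listing `*.bar.com` becomes a wildcard SNI filter on its crt-list line.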