kubernetes-ingress
ingress with wildcard and ssl-passthrough always takes precedence over https subdomain
Hi, I have configured two ingresses like this: one subdomain argocd.domain.tld with https and one *.domain.tld with ssl-passthrough. With this configuration, the haproxy configuration created by the operator always gives precedence to the *.domain.tld domain and argocd.domain.tld uses the wrong backend. Here are the 2 ingresses:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    haproxy.org/forwarded-for: "true"
    haproxy.org/ssl-redirect: "true"
  creationTimestamp: "2023-07-10T09:31:24Z"
  generation: 3
  name: argocd-ingress
  namespace: argocd
  resourceVersion: "7763455"
  uid: b135288b-0b60-43b8-aad0-8eb2c75fb5c5
spec:
  ingressClassName: haproxy
  rules:
  - host: argocd.domain.tld
    http:
      paths:
      - backend:
          service:
            name: argocd-server
            port:
              number: 80
        path: /
        pathType: ImplementationSpecific
status:
  loadBalancer:
    ingress:
    - ip: 10.100.230.103
```
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    haproxy.org/forwarded-for: "true"
    haproxy.org/ssl-passthrough: "true"
    haproxy.org/ssl-redirect: "true"
  creationTimestamp: "2023-11-30T17:00:44Z"
  generation: 5
  labels:
    app.kubernetes.io/instance: trunk-dev
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: tt-trunk
    app.kubernetes.io/version: 1.16.0
    argocd.argoproj.io/instance: tt-dev
    helm.sh/chart: tt-trunk-0.1.0
  name: tt
  namespace: development
  resourceVersion: "88973236"
  uid: 1171b2cb-f9bf-4b1c-acd4-4c0c5a949c8a
spec:
  ingressClassName: haproxy
  rules:
  - host: '*.domain.tld'
    http:
      paths:
      - backend:
          service:
            name: sslpass
            port:
              number: 443
        path: /
        pathType: Prefix
status:
  loadBalancer:
    ingress:
    - ip: 10.100.230.103
```
I think the correct approach is to use the solution described here, where the ssl-passthrough frontend checks whether a subdomain with https exists and redirects it to the correct frontend/backend.
Hi @ynuyasha, I'm looking at it and will get back to you with some news. Thanks for reporting.
Can you indicate what you get in your /etc/haproxy/maps/path-prefix.map file with regards to these two ingress paths? I'd also like to get the version number of the controller and, if relevant, of HAProxy (if modified).
```text
------------------host.map---------------------------------
.domain.tld .domain.tld
argocd.domain.tld argocd.domain.tld
-----------------path-prefix.map------------------------------------------------------------
.domain.tld/ development_domain_https.dbe4b28f9c4404fc36a7ae76ead9a37d
argocd.domain.tld/ argocd_argocd-server_http.dbe4b28f9c4404fc36a7ae76ead9a37d
----------------sni.map---------------------------------------------------------------------
.domain.tld development_domain_https.dbe4b28f9c4404fc36a7ae76ead9a37d
--------------------------------------------------------------------------------------------
```
Image: haproxytech/kubernetes-ingress:1.10.4
Image ID: docker.io/haproxytech/kubernetes-ingress@sha256:a378e3999ae728422425947e98ba3cbf72fc076fcb79462d98902921d298d20f
Hi @ynuyasha, can you paste the output of a verbose curl to the wrong redirection? Can you also check the log output for the request?
Hey @ivanmatmati, unfortunately I don't have this configuration online anymore because I have switched from SNI to HTTP to go forward with the project, so I can't give you the curl, but I have the haproxy logs with the wrong redirect:
```text
172.30.106.217:57848 [16/Jan/2024:17:57:51.308] ssl development_domain_https/SRV_1 78/0/311 6130 -- 4/3/1/1/0 0/0 SNI: argocd.domain.tld
```
Anyway, Daniel Epperson also has all the hints about this issue.
Ingress Controller does this "fallback" behavior already if an incoming SNI is not matched on the ssl-passthrough listener (frontend ssl). The problem you were facing is that your Ingress object with ssl-passthrough enabled was *.domain.tld, so it always matched before any subdomains could be evaluated by the later frontend https.
To work around the issue you would need to not use the wildcard *.domain.tld in the ssl-passthrough Ingress object and instead specify each domain which needs to use passthrough.
I think what you need is a "fallback" service with ssl-passthrough after all other options have been evaluated. For example, a.domain.tld goes to svc a and b.domain.tld goes to svc b (both with SSL termination at the IC), but anything else not matched by Ingress objects should fall back to svc sslpass with ssl passthrough enabled. Perhaps if "frontend ssl" was evaluated after "frontend https" this would do what you're asking?
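The precedence described in the two comments above, as an added example that is not part of the thread and not the controller's own code. It models the decision the HAProxy Kubernetes Ingress Controller makes for one TLS connection on port 443 and reproduces the log line posted earlier (frontend `ssl`, backend `development_domain_https`, SNI `argocd.domain.tld`), then shows what the suggested workaround (explicit passthrough hosts instead of a wildcard) changes and what it loses. Assumptions: frontend `ssl` is evaluated first and consults `sni.map`; only an unmatched SNI falls through to frontend `https`, which consults `host.map` and then `path-prefix.map`; a wildcard host `*.domain.tld` is written to the maps as `.domain.tld` (as the dumps above show) and matched by retrying the lookup with the first label of the name removed. The exact HAProxy fetch/converter chain is not reproduced, the hash suffix on backend names is dropped, and the hosts `a.domain.tld` / `b.domain.tld` in the workaround set are hypothetical.

```python
"""Model of the HAProxy Kubernetes Ingress Controller's TLS routing decision.

Added example for this issue, not the controller's own code. Assumptions:
frontend ssl is evaluated first against sni.map; an unmatched SNI falls
through to frontend https, which uses host.map and then path-prefix.map;
a wildcard host '*.domain.tld' is stored as '.domain.tld' and matched by
retrying the lookup with the first label removed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Ingress:
    host: str          # spec.rules[].host
    backend: str       # backend name the controller derives for path "/"
    passthrough: bool  # haproxy.org/ssl-passthrough: "true"


@dataclass
class Maps:
    sni: Dict[str, str] = field(default_factory=dict)          # sni.map
    host: Dict[str, str] = field(default_factory=dict)         # host.map
    path_prefix: Dict[str, str] = field(default_factory=dict)  # path-prefix.map


def map_key(host: str) -> str:
    """'*.domain.tld' -> '.domain.tld'; any other host is used as-is (lowercased)."""
    return host[1:].lower() if host.startswith("*.") else host.lower()


def build_maps(ingresses: List[Ingress]) -> Maps:
    """Produce the three map files the thread's dumps show for a set of
    Ingress objects (only the '/' path is modelled)."""
    m = Maps()
    for ing in ingresses:
        key = map_key(ing.host)
        m.host[key] = key
        m.path_prefix[key + "/"] = ing.backend
        if ing.passthrough:
            m.sni[key] = ing.backend
    return m


def lookup(name: str, table: Dict[str, str]) -> Optional[str]:
    """Exact match first, then the wildcard form with the first label dropped."""
    name = name.lower()
    if name in table:
        return table[name]
    _, dot, rest = name.partition(".")
    return table.get("." + rest) if dot else None


def route(sni: str, maps: Maps) -> Tuple[str, str]:
    """Return (frontend, backend) for a ClientHello carrying `sni`."""
    backend = lookup(sni, maps.sni)
    if backend is not None:
        # frontend ssl matched: raw TCP passthrough, TLS is never terminated,
        # so frontend https and its host.map are never consulted.
        return ("ssl", backend)
    host_match = lookup(sni, maps.host)
    if host_match is None:
        return ("https", "default")
    return ("https", maps.path_prefix.get(host_match + "/", "default"))


# Constructed from the two Ingress objects posted in the thread
# (the per-controller hash suffix on backend names is dropped).
AS_REPORTED = build_maps([
    Ingress("argocd.domain.tld", "argocd_argocd-server_http", passthrough=False),
    Ingress("*.domain.tld", "development_domain_https", passthrough=True),
])

# The suggested workaround: name each passthrough host instead of a wildcard.
# a.domain.tld and b.domain.tld are hypothetical hosts.
WORKAROUND = build_maps([
    Ingress("argocd.domain.tld", "argocd_argocd-server_http", passthrough=False),
    Ingress("a.domain.tld", "development_domain_https", passthrough=True),
    Ingress("b.domain.tld", "development_domain_https", passthrough=True),
])


if __name__ == "__main__":
    for label, maps in (("as reported", AS_REPORTED), ("workaround", WORKAROUND)):
        for sni in ("argocd.domain.tld", "a.domain.tld", "other.domain.tld"):
            print(f"{label:12} {sni:20} -> {route(sni, maps)}")
```

With the maps as reported, `route("argocd.domain.tld", AS_REPORTED)` lands on frontend `ssl` and backend `development_domain_https`, matching the posted log line. With the workaround, `argocd.domain.tld` reaches frontend `https` and its own backend, but an unlisted name such as `other.domain.tld` no longer gets passthrough at all and falls to the default backend, which is exactly the catch-all behaviour the last comment says is missing.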
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.