
- --default-ssl-certificate ignores ca.crt

Open CodeGlitcher opened this issue 3 years ago • 4 comments

What happened:

We have nginx deployed with the argument - --default-ssl-certificate=infrastructure/k8s-cert This causes all our ingress rules to have default ssl. For a new application we needed nginx to pass a client cert to the backend. So we added:

    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: 'true'
    nginx.ingress.kubernetes.io/auth-tls-secret: infrastructure/k8s-cert
    nginx.ingress.kubernetes.io/auth-tls-verify-client: optional
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: '2'

However, we kept getting a bad request when sending a client certificate. After some trial and error I found that in the logs it said it was using this file as caFile: CAFileName:/etc/ingress-controller/ssl/infrastructure-k8s-cert.pem However, this file only had the tls.key and cert.crt from my k8s-cert. When I remove the default-ssl-certificate argument, this file contains both my ca.crt, tls.crt and tls.key from the k8s-cert secret, and I no longer get a bad request when I send a client certificate.

What you expected to happen: I would expect that when default-ssl-certificate and nginx.ingress.kubernetes.io/auth-tls-secret are both set, all 3 files are added to infrastructure-k8s-cert.pem.

NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.): NGINX Ingress controller Release: v1.2.1 Build: 08848d69e0c83992c89da18e70ea708752f21d7a Repository: https://github.com/kubernetes/ingress-nginx nginx version: nginx/1.19.10

Kubernetes 1.23.6

CodeGlitcher avatar Aug 03 '22 10:08 CodeGlitcher
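The report above hinges on one observable fact: the PEM file the controller writes under /etc/ingress-controller/ssl/ either does or does not contain the ca.crt from the referenced secret, and when it does not, client-certificate requests get a bad request. The following script is an added diagnostic written for this page; it is not part of ingress-nginx. It compares a copy of the controller's PEM file against the secret's ca.crt without assuming the order of the blocks in the file, and reports the certificate and key counts. The kubectl commands in the comments assume the controller runs as a Deployment named ingress-nginx-controller in the ingress-nginx namespace (an assumption; adjust to your install). The fixture data is constructed placeholder text, not real certificates.

```shell
#!/bin/sh
# Added diagnostic for this issue, not ingress-nginx code.
# Pull the inputs from a live cluster (names of the controller Deployment and
# namespace are assumptions; the secret and file path are from the report):
#   kubectl -n infrastructure get secret k8s-cert -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
#   kubectl -n ingress-nginx exec deploy/ingress-nginx-controller -- \
#     cat /etc/ingress-controller/ssl/infrastructure-k8s-cert.pem > controller.pem
#   check_controller_pem controller.pem ca.crt

# Number of certificate blocks in a PEM file ("|| :" keeps a zero count from failing under set -e).
pem_count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || :
}

# Number of private-key blocks (PKCS#8, RSA or EC).
pem_count_keys() {
  grep -c -E '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || :
}

# Return 0 when every certificate block in the CA file ($2) appears verbatim
# somewhere in the PEM file ($1); block order in the PEM file does not matter.
# Returns 2 when the CA file holds no certificate at all.
pem_contains_ca() {
  pem_flat=$(tr -d '\r\n' < "$1")
  # One concatenated line per certificate block in the CA file.
  ca_certs=$(tr -d '\r' < "$2" | awk '/-----BEGIN CERTIFICATE-----/{c=""} {c=c $0} /-----END CERTIFICATE-----/{print c}')
  [ -n "$ca_certs" ] || return 2
  old_ifs=$IFS
  IFS='
'
  for cert in $ca_certs; do
    case "$pem_flat" in
      *"$cert"*) ;;
      *) IFS=$old_ifs; return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# Summarise the controller's PEM file and fail if the key or the CA is missing.
check_controller_pem() {
  pem_file="$1"; ca_file="$2"
  n_certs=$(pem_count_certs "$pem_file"); n_keys=$(pem_count_keys "$pem_file")
  echo "$pem_file: $n_certs certificate block(s), $n_keys private key(s)"
  status=0
  [ "$n_keys" -ge 1 ] || { echo "  missing private key"; status=1; }
  if pem_contains_ca "$pem_file" "$ca_file"; then
    echo "  ca.crt from the secret is present"
  else
    echo "  ca.crt from the secret is NOT present: expect bad request on client-cert requests"
    status=1
  fi
  return $status
}

# Constructed fixture: placeholder blocks standing in for the secret's ca.crt and
# for the two shapes of controller output described in the report.
make_fixture() {
  dir="$1"
  cat > "$dir/ca.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0EgQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
EOF
  cat > "$dir/with_ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgU0VSVkVSIENFUlRJRklDQVRF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0EgQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgS0VZ
-----END RSA PRIVATE KEY-----
EOF
  cat > "$dir/without_ca.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgU0VSVkVSIENFUlRJRklDQVRF
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgS0VZ
-----END RSA PRIVATE KEY-----
EOF
}

demo() {
  tmp=$(mktemp -d)
  make_fixture "$tmp"
  check_controller_pem "$tmp/with_ca.pem" "$tmp/ca.crt" || :
  check_controller_pem "$tmp/without_ca.pem" "$tmp/ca.crt" || :
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see both outcomes on the fixture; against a real cluster, feed it the two files fetched with the kubectl commands in the header. A CA file that carries a chain is handled too: every block in it must be present, since nginx needs the whole chain up to the configured verify depth.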

@CodeGlitcher: This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Aug 03 '22 10:08 k8s-ci-robot

can you post the output of kubectl get <ingressobjectname> -o yaml

longwuyuan avatar Aug 04 '22 05:08 longwuyuan

/remove-kind bug

longwuyuan avatar Aug 04 '22 05:08 longwuyuan

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{"kubernetes.io/ingress.class":"nginx","nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream":"true","nginx.ingress.kubernetes.io/auth-tls-secret":"infrastructure/k8s-cert","nginx.ingress.kubernetes.io/auth-tls-verify-client":"optional","nginx.ingress.kubernetes.io/auth-tls-verify-depth":"2","nginx.ingress.kubernetes.io/backend-protocol":"HTTPS","nginx.ingress.kubernetes.io/rewrite-target":"/dmserverstub/$2","nginx.ingress.kubernetes.io/ssl-redirect":"false"},"labels":{"app.kubernetes.io/part-of":"dmserverstub"},"name":"dmserverstub-ingress","namespace":"default"},"spec":{"rules":[{"host":"<host>","http":{"paths":[{"backend":{"service":{"name":"dmserverstub","port":{"number":443}}},"path":"/dmserverstub(/|$)(.*)","pathType":"ImplementationSpecific"}]}}],"tls":[{"hosts":["<host>"],"secretName":"k8s-cert"}]}}
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    nginx.ingress.kubernetes.io/auth-tls-secret: infrastructure/k8s-cert
    nginx.ingress.kubernetes.io/auth-tls-verify-client: optional
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/rewrite-target: /dmserverstub/$2
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  creationTimestamp: "2022-08-05T09:33:10Z"
  generation: 1
  labels:
    app.kubernetes.io/part-of: dmserverstub
  name: dmserverstub-ingress
  namespace: default
  resourceVersion: "3709474"
  uid: ecb10851-7abc-4420-9cd9-5f415ab31949
spec:
  rules:
  - host: <host>
    http:
      paths:
      - backend:
          service:
            name: dmserverstub
            port:
              number: 443
        path: /dmserverstub(/|$)(.*)
        pathType: ImplementationSpecific
  tls:
  - hosts:
    - <host>
status:
  loadBalancer:
    ingress:
    - ip: 10.0.0.214

CodeGlitcher avatar Aug 08 '22 06:08 CodeGlitcher

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 06 '22 07:11 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Dec 06 '22 08:12 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-triage-robot avatar Jan 05 '23 09:01 k8s-triage-robot

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".


k8s-ci-robot avatar Jan 05 '23 09:01 k8s-ci-robot