
WildcardTLS with wildcard hostname for VirtualServer

Open svvac opened this issue 4 years ago • 7 comments

When deploying a Virtual Server resource with the following TLS config:

```yaml
host: test.example.com
tls:
  redirect:
    enable: true
```

with an ingress configured with a wildcardTLS secret valid for *.example.com, the targeted service is not exposed properly.

  • A request to http://test.example.com properly redirects to the TLS endpoint
  • https://test.example.com **uses the default certificate instead of the wildcard**
  • https://test.example.com **does not proxy the request to the upstream service**

Env

  • Kubernetes 1.20
  • Nginx.org ingress controller 1.9.0

Aha! Link: https://nginx.aha.io/features/IC-101

svvac avatar Apr 06 '21 15:04 svvac

Note: removing the `tls:` block altogether properly exposes the service on the HTTP endpoint.

svvac avatar Apr 06 '21 15:04 svvac

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions[bot] avatar Jun 06 '21 02:06 github-actions[bot]

@pleshakov Do you mind explaining why this issue has been tagged proposal? It seems like a bug to me.

svvac avatar Jun 09 '21 06:06 svvac

Hi @svvac

This was tagged as a proposal because from our point of view it is an enhancement rather than a bug. This wasn't included in the initial VirtualServer implementation (to reduce the scope), rather than being the result of an incorrect implementation.

pleshakov avatar Jun 09 '21 17:06 pleshakov

OK, that makes sense, thanks for clarifying. So if I understand correctly, there is currently no way to use the wildcard certificate of the ingress in VirtualServers other than duplicating it?

svvac avatar Jun 10 '21 06:06 svvac

> So if I understand correctly, there is currently no way to use the wildcard certificate of the ingress in VirtualServers other than duplicating it?

That is correct.

One other possible workaround approach in case you have multiple namespaces:

  • Create VirtualServers in the namespace with that wildcard TLS secret
  • Configure TLS termination using that Secret for those VirtualServers
  • Create VirtualServerRoutes and reference them from VirtualServers

pleshakov avatar Jun 10 '21 17:06 pleshakov
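
The multi-namespace workaround described in the comment above, sketched as manifests. This is an added example, not configuration posted by anyone in the thread; the namespaces `tls-shared` and `app-team`, the Secret name `wildcard-example-com`, and the Service `test-svc` on port 80 are assumptions.

```yaml
# Added illustration; namespaces, Secret name and Service are hypothetical.
# The VirtualServer lives in the namespace that already holds the wildcard
# Secret, so the private key is not copied into the application namespace.
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: test
  namespace: tls-shared            # assumed: namespace holding the wildcard Secret
spec:
  host: test.example.com
  tls:
    secret: wildcard-example-com   # assumed: kubernetes.io/tls Secret for *.example.com
    redirect:
      enable: true
  routes:
    - path: /
      route: app-team/test         # delegate to a VirtualServerRoute, as namespace/name
---
apiVersion: k8s.nginx.org/v1
kind: VirtualServerRoute
metadata:
  name: test
  namespace: app-team              # assumed: namespace of the upstream Service
spec:
  host: test.example.com           # must match the host of the referencing VirtualServer
  upstreams:
    - name: test
      service: test-svc            # assumed Service name
      port: 80
  subroutes:
    - path: /                      # must start with the delegating route's path
      action:
        pass: test
```

With this layout only the `tls-shared` namespace needs access to the wildcard key material; workloads and their owners in `app-team` manage routing without being able to read the Secret.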

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions[bot] avatar Sep 01 '21 01:09 github-actions[bot]

Just realized that this was accidentally re-opened by an automation integration. Sorry.

brianehlert avatar Nov 23 '22 15:11 brianehlert