
Comments (9)

rmzg commented on May 29, 2024

I feel like I'm taking crazy pills. I've tried all sorts of variations, ending up with this:

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: foo-ingress
spec:
  tls:
  - hosts:
    - foo.domain
    secretName: foo-tls
  rules:
  - host: foo.domain
    http:
      paths:
        - path: /
          backend:
            serviceName: foo-service
            servicePort: 80

But when I curl foo.domain:443, all I get is: default backend - 404

I'm not trying to be too annoying here, but could someone please point me to the line of code in the repo that even looks for the secretName key inside the spec and tries to read it? Because I can't find that code.

from kubernetes-ingress.

bedis commented on May 29, 2024

Hi,

Yes, it does. Did you get any issues?


rmzg commented on May 29, 2024

(Using the default service file from github)

The logs for the pod say:

2019/07/13 21:18:08 main.go:84: Default ssl certificate: default/tls-secret

If I have a secret with that name, it will return it as the ssl cert; if I delete it, it won't respond to https. However, what I want to be able to do is specify a different secretName inside the actual ingress config, as my original example shows. When I configure my ingress this way, it still doesn't support https via my valid certificate.

Also, when I grepped the source code in this repository, I found no location that would match a secretName as part of an Ingress config.


eljefedelrodeodeljefe commented on May 29, 2024

It uses extensions/v1beta1 afaict. Worked for me then.


rmzg commented on May 29, 2024

Also, on a slightly unrelated note, during my attempts to test the above stuff, I caused my cert-manager ClusterIssuer to re-issue a tls cert stored in a new secret name, which worked fine, except for the part where cert-manager created a temporary fake CA cert while waiting for the real one to exist, and when I tested my https ingress, haproxy promptly loaded the fake one... and then cached it forever. Nothing I tried worked to get the real cert to show up until I deleted the haproxy-controller pod, at which point it promptly started serving me the real cert instead of the fake one.

Correct me if I'm wrong, but literally only deleting the haproxy pod should never cause it to return a different cert, right?

I don't think this particular issue is all that related to the secretName part, but it was very frustrating and I wanted to tell someone.


martin-helmich commented on May 29, 2024

I'm having the same issue. I've tried setting a per-ingress certificate both using the .spec.tls[].secretName and the .metadata.annotations["haproxy.org/ssl-certificate"] properties -- both to no avail. HAProxy still only serves the default TLS certificate.

Within the container, there's only /etc/haproxy/certs/cert.pem, which contains the default certificate supplied via --default-ssl-certificate.

To me, it looks like the Ingress Controller does not respect any certificates other than its default cert AT ALL -- which I simply cannot believe to be by design.

Here's the ingress resource (redacted in parts):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # set out of mere desperation:
    haproxy.org/ssl-certificate: REDACTED/production-app-tls-acme
    kubernetes.io/ingress.class: haproxy
    kubernetes.io/tls-acme: "true"
  name: production-app
  namespace: REDACTED
spec:
  rules:
  - host: HOSTNAME_A
    http:
      paths:
      - backend:
          serviceName: production-app
          servicePort: 80
        path: /
  - host: HOSTNAME_B
    http:
      paths:
      - backend:
          serviceName: production-app
          servicePort: 80
        path: /
  tls:
  - hosts:
    - HOSTNAME_A
    - HOSTNAME_B
    secretName: production-app-tls-acme
status:
  loadBalancer:
    ingress:
    - hostname: XXX.eu-central-1.elb.amazonaws.com


oktalz commented on May 29, 2024

Hi @rmzg, @martin-helmich

You can expect a fix for this in the next few days.
I'll notify you when it is ready.


oktalz commented on May 29, 2024

A new version, v1.2.0, is released that fixes the behavior.
Please note that if you define a secret in the ingress object,
you do not need to define a default certificate in order to use https.


oktalz commented on May 29, 2024

The format that the controller expects is something like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app
  namespace: default
  annotations:
    ingress.class: haproxy
spec:
  tls:
  - hosts:
    - foo.bar
    secretName: default/tls-secret
  rules:
  - host: foo.bar
    http:
      paths:
        ......

Regarding the secret format, it is the same as for the default secret:
https://github.com/haproxytech/kubernetes-ingress/tree/master/documentation#tls-secret

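The failure modes in this thread (a host silently served the default certificate, a stale certificate cached after re-issuance) are only visible if you compare what the listener presents against what `spec.tls[].secretName` points at. The following audit is an added example, not code from the thread or from the kubernetes-ingress project; it works on the JSON shape of `kubectl get ingress/secret -o json`, and the certificate PEMs, the Ingress and the Secret are constructed placeholders (the PEM bodies are not real X.509 data, they only let the fingerprint comparison run offline).

```python
import base64
import hashlib
import ssl

def expected_tls_map(ingress: dict) -> dict:
    """{host: secretName} for every host in spec.rules; None when no spec.tls
    entry names the host, which is exactly when the default certificate is used."""
    spec = ingress.get("spec", {})
    covered = {}
    for entry in spec.get("tls", []):
        for host in entry.get("hosts", []):
            covered[host] = entry.get("secretName")
    for rule in spec.get("rules", []):
        covered.setdefault(rule.get("host"), None)
    return covered

def pem_fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes, i.e. what 'openssl x509 -fingerprint -sha256'
    prints without colons. Live: pem = ssl.get_server_certificate((host, 443))."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def secret_fingerprint(secret: dict) -> str:
    """Fingerprint of tls.crt in a kubernetes.io/tls Secret as kubectl -o json shows it."""
    return pem_fingerprint(base64.b64decode(secret["data"]["tls.crt"]).decode())

def audit(ingress: dict, secrets: dict, served: dict) -> list:
    """secrets: {name: Secret JSON}; served: {host: PEM the listener presented}.
    Empty result means every host serves the certificate its secretName points at."""
    findings = []
    for host, name in expected_tls_map(ingress).items():
        if name is None:
            findings.append(f"{host}: not in spec.tls, default certificate applies")
        elif name not in secrets:
            findings.append(f"{host}: secret {name} does not exist")
        elif host not in served:
            findings.append(f"{host}: no certificate presented (HTTPS not answering)")
        elif pem_fingerprint(served[host]) != secret_fingerprint(secrets[name]):
            findings.append(f"{host}: served certificate is not the one in {name}")
    return findings

def fake_pem(label: bytes) -> str:
    """Constructed PEM wrapper around arbitrary bytes; NOT a real X.509 certificate,
    it only lets the fingerprint comparison run offline."""
    body = base64.encodebytes(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed sample modelled on the manifests in this thread (kubectl -o json shape).
INGRESS = {"spec": {"tls": [{"hosts": ["foo.domain"], "secretName": "foo-tls"}],
                    "rules": [{"host": "foo.domain"}, {"host": "bar.domain"}]}}
SECRETS = {"foo-tls": {"data": {"tls.crt": base64.b64encode(fake_pem(b"real").encode()).decode()}}}
SERVED = {"foo.domain": fake_pem(b"default")}  # listener still serving the default cert
```

Running `audit(INGRESS, SECRETS, SERVED)` reports both the mismatch on foo.domain and the uncovered bar.domain; after a re-issuance, re-running it against the live listener tells you whether the controller picked up the new secret or is still serving the cached one.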
