Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

multiple TLS certs are not correctly handled by GCE (no SNI support) #46

Closed
bowei opened this issue Oct 11, 2017 · 9 comments
Closed

multiple TLS certs are not correctly handled by GCE (no SNI support) #46

bowei opened this issue Oct 11, 2017 · 9 comments
Assignees

Comments

@bowei
Copy link
Member

bowei commented Oct 11, 2017

From @ensonic on July 12, 2017 10:9

I have setup and ingress for 3 microservices under 3 subdomains, each having their own cert.
When I startup the ingree I see this in the l7-lb-controller log:
W0712 10:01:30.733403 1 tls.go:58] Ignoring 2 certs and taking the first for ingress default/tls-termination

IMHO that cannot work and indeed I get a single cert applied to all 3 subdomains and as expected e.g browsers complain about the mismatch. I would expect the Host header to be used to select the appropriate cert.

This is how the config looks like for 2 hosts, example.com is just used for illustration

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tls-termination
  annotations:
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
  - hosts:
    - api.example.com
    secretName: api-tls
  - hosts:
    - www.example.com
    secretName: www-tls
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: api
          servicePort: 80
  - host: www.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: www
          servicePort: 80

Using a single cert covering all subdomains is maybe doable, but would not be nice, since the services should not need to know about each other.

Copied from original issue: kubernetes/ingress-nginx#952

@bowei
Copy link
Member Author

bowei commented Oct 11, 2017

From @ensonic on July 12, 2017 12:44

Erm, the docs (https://github.com/kubernetes/ingress/blob/master/controllers/gce/README.md#frontend-https) say "This controller does not support SNI, so it will ignore all but the first cert in the TLS configuration section." - are you planning to fix this?

@bowei
Copy link
Member Author

bowei commented Oct 11, 2017

From @nicksardo on July 12, 2017 15:43

GCP's HTTP(S) LB does not support SNI.
https://issuetracker.google.com/issues/35904767

@bowei
Copy link
Member Author

bowei commented Oct 11, 2017

From @ensonic on July 13, 2017 7:21

Would it make sense to mention this here: https://github.com/kubernetes/ingress/blob/master/controllers/gce/BETA_LIMITATIONS.md ?

@bowei
Copy link
Member Author

bowei commented Oct 11, 2017

From @munnerz on September 11, 2017 10:36

It looks like GCE now does in fact support SNI https://issuetracker.google.com/issues/35904767#comment47
🎉

@bowei
Copy link
Member Author

bowei commented Oct 11, 2017

From @munnerz on September 11, 2017 10:40

It looks like the code in question that'll need changing mostly resides here: https://github.com/kubernetes/ingress/blob/master/controllers/gce/loadbalancers/loadbalancers.go (search for TLS)

@bowei
Copy link
Member Author

bowei commented Oct 11, 2017

From @mhr3 on September 14, 2017 11:58

Looks like adding the extra certificate to the load balancer on GCE works fine, but k8s can't set it up properly atm.

@mikepulaski
Copy link

mikepulaski commented Dec 5, 2017

@mhr3 Do the changes persist when you add the extra certificate in GCE?

Having official support for this would be great. I have multiple certificates I'd like to use as well.

@tobsch
Copy link

tobsch commented Feb 19, 2018

+1

@nicksardo
Copy link
Contributor

This is supported in the controller version 1.1+
/close

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants