
Where is DefaultSSLCertificate used? #163

Closed
rikatz opened this issue Jan 23, 2017 · 5 comments

rikatz (Contributor) commented Jan 23, 2017

I'm configuring a new NGINX Ingress Controller here, and have the following startup command:

./nginx-ingress-controller --update-status=false --apiserver-host=https://10.200.83.12 --configmap=sistema/nginx-load-balancer-conf --default-ssl-certificate=sistema/tlspadrao --default-backend-service=sistema/default-backend --kubeconfig=/etc/kubernetes/kubeconfig.yaml

The ingress controller is able to configure the default ssl certificate (as the following):

ls -l /ingress-controller/ssl/sistema-tlspadrao.pem 
-rw-------. 1 root root 5420 Jan 23 16:35 /ingress-controller/ssl/sistema-tlspadrao.pem

But this file is not referenced anywhere on nginx configuration. Even on the default virtualhost (server_name _) there is no config of this default TLS certificate.

Also, I thought this was necessary for vhosts that specify a 'tls' entry but no secret (as the following, using the default TLS certificate for this vhost):

user@homer:~/kubernetes/ingress/ssl$ kubectl get ingress teste --namespace=katz1 -o yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/limit-connections: "2"
    ingress.kubernetes.io/ssl-redirect: "true"
    ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,127.0.0.1/32
  creationTimestamp: 2017-01-03T12:37:34Z
  generation: 5
  name: teste
  namespace: katz1
  resourceVersion: "16320214"
  selfLink: /apis/extensions/v1beta1/namespaces/katz1/ingresses/teste
  uid: 66c40a07-d1b1-11e6-8a4c-00505683ef23
spec:
  rules:
  - host: teste.vhost.com
    http:
      paths:
      - backend:
          serviceName: nginx
          servicePort: 80
        path: /
  tls:
  - hosts:
    - teste.vhost.com

So, what am I missing? Trying to see where in the code I can change this also :)

Thanks

aledbf (Member) commented Jan 23, 2017

@rikatz please check the generated nginx.conf file, searching for the default server. The file you see in the ssl directory is the default certificate to use.

rikatz (Contributor, Author) commented Jan 23, 2017 via email

rikatz (Contributor, Author) commented Jan 24, 2017

@aledbf This is the part of nginx.conf file that should have a '442' listen port:

    server {
        server_name _;
        listen [::]:80 ipv6only=off default_server reuseport backlog=511;
        vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;

I don't know if the scheme used inside NGINX (listening as a stream on port 443, and then directing it to a vhost) allows us to have a default SSL vhost.

rikatz (Contributor, Author) commented Jan 24, 2017

@aledbf here: https://github.com/kubernetes/ingress/blob/master/core/pkg/ingress/controller/controller.go#L821

I think there's something missing.

I'm trying to do as follows:

    // Look up the certificate named by --default-ssl-certificate in the
    // tracker; if it is there, hand it to the default server ("_") so the
    // template can render an ssl_certificate directive for it.
    defaultCertificate, exists := ic.sslCertTracker.Get(ic.cfg.DefaultSSLCertificate)
    if exists {
        cert := defaultCertificate.(*ingress.SSLCert)
        servers[defServerName].SSLCertificate = cert.PemFileName
        servers[defServerName].SSLPemChecksum = cert.PemSHA
    } else {
        glog.Warningf("Default SSL Certificate %v does not exist", ic.cfg.DefaultSSLCertificate)
    }

I'm not able to read the secret correctly (don't know why, but will keep trying), but I think this solves part of the problem, as the default server is going to have a certificate for itself.

The next step is to change the template as well, but for now I'm not able to read the default SSL certificate and transform it into something usable by the default server.
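The fallback the snippet above is reaching for, written out as an added, self-contained Go example (not code from the ingress controller): the default server and every host that has a `tls` entry but no secret of its own get the `--default-ssl-certificate` PEM, and hosts that still end up without a certificate are returned so the caller can warn about them. `SSLCert`, `Server`, `ApplyDefaultCertificate` and the sample values are assumptions modelled on the issue, not the project's types.

```go
package main

import "fmt"

// SSLCert models what the controller's certificate tracker holds for a
// secret (assumed shape, modelled on the snippet in the issue).
type SSLCert struct {
	PemFileName string
	PemSHA      string
}

// Server is the per-vhost state the nginx template renders.
type Server struct {
	Hostname       string
	SSLCertificate string // PEM path; empty means no TLS configured
	SSLPemChecksum string
}

const defServerName = "_"

// ApplyDefaultCertificate assigns the default certificate to the default
// server and to every TLS-enabled host that named no secret. It returns the
// names that still have no certificate, i.e. what glog.Warningf should report.
func ApplyDefaultCertificate(servers map[string]*Server, tracker map[string]*SSLCert, defaultKey string, tlsHosts map[string]bool) []string {
	var missing []string
	cert, exists := tracker[defaultKey]
	for name, srv := range servers {
		if srv.SSLCertificate != "" {
			continue // the Ingress named its own secret; never override it
		}
		if name != defServerName && !tlsHosts[name] {
			continue // plain HTTP host, nothing to do
		}
		if !exists {
			missing = append(missing, name)
			continue
		}
		srv.SSLCertificate = cert.PemFileName
		srv.SSLPemChecksum = cert.PemSHA
	}
	return missing
}

func main() {
	// Constructed sample mirroring the issue: one default cert, the default
	// server, and teste.vhost.com with a tls entry but no secretName.
	tracker := map[string]*SSLCert{"sistema/tlspadrao": {PemFileName: "/ingress-controller/ssl/sistema-tlspadrao.pem", PemSHA: "constructed-sha"}}
	servers := map[string]*Server{defServerName: {Hostname: defServerName}, "teste.vhost.com": {Hostname: "teste.vhost.com"}}
	missing := ApplyDefaultCertificate(servers, tracker, "sistema/tlspadrao", map[string]bool{"teste.vhost.com": true})
	fmt.Println(servers[defServerName].SSLCertificate, servers["teste.vhost.com"].SSLCertificate, missing)
}
```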

rikatz (Contributor, Author) commented Jan 26, 2017

Solved in #179

@rikatz rikatz closed this as completed Jan 26, 2017