Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

make dynamic SSL mode default #3808

Merged
merged 1 commit into from
Mar 18, 2019
Merged

make dynamic SSL mode default #3808

merged 1 commit into from
Mar 18, 2019

Conversation

ElvinEfendi
Copy link
Member

@ElvinEfendi ElvinEfendi commented Feb 25, 2019

What this PR does / why we need it:
Dynamic cert mode feature was introduced in 0.19.0 and since then it has been used in production and also we have fixed few bugs since the initial implementation.

This PR makes dynamic cert mode default. Currently the main missing feature of dynamic SSL mode is lack of OCSP support. Once that's implemented we can drop non dynamic SSL mode completely.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 25, 2019
@k8s-ci-robot k8s-ci-robot requested review from aledbf and bowei February 25, 2019 04:23
@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Feb 25, 2019
@ElvinEfendi ElvinEfendi changed the title [wip] deprecated enable-dynamic-cert and make it default deprecated enable-dynamic-cert and make it default Feb 25, 2019
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 25, 2019
@@ -14,7 +14,7 @@ They are set in the container spec of the `nginx-ingress-controller` Deployment
| `--default-server-port int` | When `default-backend-service` is not specified or specified service does not have any endpoint, a local endpoint with this port will be used to serve 404 page from inside Nginx. |
| `--default-ssl-certificate string` | Secret containing a SSL certificate to be used by the default HTTPS server (catch-all). Takes the form "namespace/name". |
| `--election-id string` | Election id to use for Ingress status updates. (default "ingress-controller-leader") |
| `--enable-dynamic-certificates` | Dynamically serves certificates instead of reloading NGINX when certificates are created, updated, or deleted. Currently does not support OCSP stapling, so --enable-ssl-chain-completion must be turned off. Assuming the certificate is generated with a 2048 bit RSA key/cert pair, this feature can store roughly 5000 certificates. This is an experiemental feature that currently is not ready for production use. Feature backed by OpenResty Lua libraries. (disabled by default) |
| `--enable-dynamic-certificates` | Dynamically serves certificates instead of reloading NGINX when certificates are created, updated, or deleted. Currently does not support OCSP stapling, so --enable-ssl-chain-completion must be turned off. Assuming the certificate is generated with a 2048 bit RSA key/cert pair, this feature can store roughly 5000 certificates. This is an experiemental feature that currently is not ready for production use. Feature backed by OpenResty Lua libraries. (enabled by default) |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe remove "This is an experiemental feature that currently is not ready for production use." That would scare me considering we're making this the default.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oops good catch!

@aledbf
Copy link
Member

aledbf commented Feb 25, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 25, 2019
@aledbf
Copy link
Member

aledbf commented Feb 26, 2019

@ElvinEfendi you need to change the e2e tests that check for the ssl real certificate name instead of the fake one

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 26, 2019
@ElvinEfendi
Copy link
Member Author

okay, so I think client authentication and dynamic cert mode does not play nice together, a.k.a there's a bug in dynamic cert implementation, otherwise there's no fundamental issue why they can not be both enabled: when in dynamic cert mode,

// If 'ca.crt' is also present, it will allow this secret to be used in the
never gets executed.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 8, 2019
@ElvinEfendi
Copy link
Member Author

Recent changes should be enough functionality wise, but the package needs some love. I'll extract the actual bug fix into another PR and hopefully refactor the code a bit.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Mar 11, 2019
@ElvinEfendi
Copy link
Member Author

I think we can not make dynamic SSL mode default before we implement OCSP stapling in Lua: https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ocsp.md

@aledbf
Copy link
Member

aledbf commented Mar 17, 2019

I think we can not make dynamic SSL mode default before we implement OCSP stapling in Lua:

Why? We can switch to dynamic SSL mode with a note in the release, indicating how to return to normal mode. With this, we have at least one release cycle to get feedback and fix any potential issue (I've been using dynamic mode without problems for the last three releases)

@ElvinEfendi
Copy link
Member Author

@aledbf in that case deprecating the non dynamic SSL mode does not make sense, because that'd indicate we have a concrete plan of when we are going to drop support for it. But we can not drop the support for it yet, because OCSP stapling is not supported in dynamic SSL mode.

I'm going to make dynamic SSL mode the default in this PR but skip deprecating the flag until we implement OCSP stapling in dynamic SSL mode as well.

@aledbf
Copy link
Member

aledbf commented Mar 17, 2019

I'm going to make dynamic SSL mode the default in this PR but skip deprecating the flag until we implement OCSP stapling in dynamic SSL mode as well.

I agree with that.

@ElvinEfendi ElvinEfendi changed the title deprecated enable-dynamic-cert and make it default make dynamic SSL mode default Mar 17, 2019
@ElvinEfendi
Copy link
Member Author

@aledbf this is ready for review.

@aledbf
Copy link
Member

aledbf commented Mar 18, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 18, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, ElvinEfendi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 080bed8 into kubernetes:master Mar 18, 2019
@qzio
Copy link

qzio commented Apr 8, 2019

This flag breaks a pretty normal setup.
see #3910

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants