-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support wildcard default cert by making TLS secretName not required like k8ix #426
Comments
@rayfoss A single wildcard certificate that could be applied to all Ingress resources is a valid use case. But for that I think it is better to have a separate command line argument that takes secret like |
A workaround is available with mergeable Ingress resources -- https://github.com/nginxinc/kubernetes-ingress/tree/master/examples/mergeable-ingress-types In this case it is possible to define master Ingress resources with TLS termination in one namespace, where all master will reference a particular wildcard secret, and then define minion Ingress resources with the same hostnames in other namespaces. |
@pleshakov I heavily rely on websockets... masters don't work with them. My current work around is to manually script the copying of the certificate to all the needed namespaces, I realise this is not as secure and it's tedious. |
Other than adding a new argument that reuses default-server-tls-secret code, making that the default secret and then updating the schema to make it not required. Are there any other considerations? I'm considering putting together an PR, this would greatly simplify devops on my end... I hate k8s devops with a passion |
Yep. So the websocket annotation must be used in minions.
Right now the default server secret is required for running the IC. We have been considering removing the default server secret requirement after we changed how we treated Ingress resources without secrets -- #399 (this change will appear in the next 1.4.0 release). Considering the default secret case, it might be a good idea to just change the existing default server secret feature into the default secret feature. However, further thinking about this idea is required to make sure all the cases are considered. Let me think about it and I will update this issue. |
Below is a proposal about the default (wildcard) secret:
@rayfoss Implementing this proposal is an involved task and we'd like to take responsibility for it. This week we're releasing Release 1.4.0 and this proposal is a feature candidate for 1.5.0 |
Sounds good... Thanks for getting into the edge cases. I know tls is technically more correct to use |
Here is an updated course of action for #426 (comment) - instead of removing ETA for this feature - end of January |
for the time being, a better workaround is described here -- #466 (comment) |
hello @pleshakov , I just wanted to follow up on this feature - do you have an updated ETA? |
Hi @ameijer-corsha the feature is almost ready and will be merged by the end of next week. Please note that this means you will be able to use it in the More info about releases https://github.com/nginxinc/kubernetes-ingress/#nginx-ingress-controller-releases |
@ameijer-corsha This is merged in master already (edge version of the IC). Have a look at the |
The
|
I also can't wait for this to hit stable! Is there any ETA for when the next stable release will be published? |
Our plan is to release 1.5 in the second half of May. Apart from this wildcard cert feature, there are a lot of other new features for 1.5 and we need to be sure everything works for the release. Stay tuned! |
Describe the bug
Specifying a host but not a secret will cause your ingress to be rejected
ejected: Error retrieving secret for Ingress production-custom-deploy: resource name may not be empty
and the https version to output a 404 error.This is counter to the best wildcard certificate solution in
kubernetes/ingress-nginx
. Which lets you configure TLS, but leave out the certificate, instead defaulting to your default certificate. In our cases, a wildcard certificate.kubernetes/ingress-nginx#2170 (comment)
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The default certificate defined in the controller should be used and the rest of the ingress config obayed. This is not easy to workaround as ingress' are often namespaced and wildcard certificates are usually out of reach
Your environment
The text was updated successfully, but these errors were encountered: