RequireServerNameIndication flag not set on multi-site listeners (hostname/TLS) #426
Comments
This small bug is a frustrating blocker for us; any comments from the team, @akshaysngupta?
@akshaysngupta I have a customer facing the same issue. Is there a timeline on a fix?
This was fixed in
Having this problem in v1?
Somehow sub.domain.com worked. Adding a second host to the domain.com ingress definition fixed it, though.
Describe the bug
We are using Application Gateway (v1) Medium WAF SKU, AKS and Ingress Controller v0.7.1 deployed via helm chart.
We recently upgraded to use the multiple watched namespaces feature, with each namespaced deployment using a k8s Ingress definition written according to the docs "Expose services over HTTPS" -> "With specified hostname".
When ingress controller updates the gateway, all looks OK - multi-site host listeners configured as expected with the correct TLS certificate.
When browsing to one of the sites by hostname, I am routed via the wrong listener. Looking at the resource definition, RequireServerNameIndication = false on my multi-site listener, and it should be true.
(I believe this is because gateway processes requests to multi-site (hostname) listeners in an order I can't determine.)
To Reproduce
Steps to reproduce the behavior:
Configure the Ingress controller to watch multiple namespaces (e.g. watchNamespace: ).
Deploy pods to multiple namespaces using Ingress definitions with TLS/hostname (e.g. hostname1/cert1, hostname2/cert2).
After gateway update,
Workaround
This is not a useful workaround but does point to the root cause of the issue.
After the ingress controller has updated the gateway, use Azure CLI to update all https listeners as below.
az network application-gateway http-listener update -g RG --gateway-name AGW -n fl-hostname1-443 --set RequireServerNameIndication=true --force-string
az network application-gateway http-listener update -g RG --gateway-name AGW -n fl-hostname2-443 --set RequireServerNameIndication=true --force-string
Doing so resolves the issue and the gateway routes correctly by SNI. This workaround is not compatible with the ingress controller, as the next update to the gateway reverts the requireServerNameIndication flag to false.
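Because the controller reverts the flag on every reconcile, the practical defence is to detect the regression rather than rely on the manual fix. The following is an added example (not part of this issue or the ingress controller project) that audits a listener listing for HTTPS multi-site listeners that do not require SNI and emits the same `az` update commands used in the workaround; the JSON field names (`hostName`, `hostNames`, `protocol`, `requireServerNameIndication`) are assumed to match the camelCased output of `az network application-gateway http-listener list`, and the sample listing is constructed.

```python
import json

# Constructed sample modelled on `az network application-gateway http-listener list`
# output; the field names are an assumption based on the ARM HttpListener schema.
SAMPLE_LISTENERS = json.dumps([
    {"name": "fl-hostname1-443", "protocol": "Https", "hostName": "hostname1.example.com",
     "hostNames": [], "requireServerNameIndication": False},
    {"name": "fl-hostname2-443", "protocol": "Https", "hostName": "hostname2.example.com",
     "hostNames": [], "requireServerNameIndication": False},
    # Basic (no hostname) listener: SNI is not applicable, must not be flagged.
    {"name": "fl-basic-443", "protocol": "Https", "hostName": None,
     "hostNames": [], "requireServerNameIndication": False},
    # Plain HTTP listener: no TLS, so no SNI requirement to check.
    {"name": "fl-hostname1-80", "protocol": "Http", "hostName": "hostname1.example.com",
     "hostNames": [], "requireServerNameIndication": False},
])


def is_multi_site(listener):
    """A listener is multi-site when it carries a hostName or a non-empty hostNames list."""
    return bool(listener.get("hostName")) or bool(listener.get("hostNames"))


def find_sni_gaps(listeners):
    """Return the names of HTTPS multi-site listeners whose SNI requirement is off."""
    gaps = []
    for listener in listeners:
        if (listener.get("protocol") or "").lower() != "https":
            continue
        if is_multi_site(listener) and not listener.get("requireServerNameIndication", False):
            gaps.append(listener["name"])
    return gaps


def audit(listing_json):
    """Parse a JSON listener listing and report the listeners that need fixing."""
    return find_sni_gaps(json.loads(listing_json))


def remediation_commands(names, rg="RG", gateway="AGW"):
    """Build the `az ... http-listener update` calls from the workaround, one per listener."""
    return [
        f"az network application-gateway http-listener update -g {rg} --gateway-name {gateway} "
        f"-n {name} --set RequireServerNameIndication=true --force-string"
        for name in names
    ]


if __name__ == "__main__":
    for cmd in remediation_commands(audit(SAMPLE_LISTENERS)):
        print(cmd)
```

Run it after each controller reconcile (or from a scheduled job) with the live `az` output piped in; a non-empty result means the gateway has again fallen back to order-dependent routing for those hostnames.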
Ingress Controller details
kubectl describe pod <ingress controller>. The pod name can be obtained by running helm list.