Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IngressTLS is specified even before Certificate reports Ready. #6870

Closed
mattmoor opened this issue Feb 17, 2020 · 2 comments · Fixed by #6880
Closed

IngressTLS is specified even before Certificate reports Ready. #6870

mattmoor opened this issue Feb 17, 2020 · 2 comments · Fixed by #6880
Assignees
@mattmoor
Labels
area/networking kind/bug Categorizes issue or PR as related to a bug.

Comments

@mattmoor
Copy link
Member

/area networking

What version of Knative?

HEAD

Expected Behavior

KIngress doesn't specify tls section until the secret is created.

Actual Behavior

With auto-TLS enabled, the KIngress adds the tls: block as soon as the Certificate is created, which may be before the Secret is actually created. For HTTP01 challenges, this assumes that the KIngress implementation will serve HTTP when the secret for HTTPS doesn't yet exist.

/assign @ZhiminXiang
@mattmoor mattmoor added the kind/bug Categorizes issue or PR as related to a bug. label Feb 17, 2020
@mattmoor
Copy link
Member Author

This may simply entail moving

serving/pkg/reconciler/route/route.go

Line 326 in ce240ab

tls = append(tls, resources.MakeIngressTLS(cert, dnsNames.List()))
up inside the if block.

@mattmoor
Copy link
Member Author

/assign
I have code that moves this and fixes up unit testing.

mattmoor added a commit to mattmoor/serving that referenced this issue Feb 17, 2020
@mattmoor
Don't specify IngressTLS prematurely.
78df55d 
This elides the IngressTLS block until the Certificate has reported Ready because the secret may not exist.

Fixes: knative#6870
@mattmoor mattmoor mentioned this issue Feb 17, 2020
Merged
knative-prow-robot pushed a commit that referenced this issue Feb 18, 2020
@mattmoor
Don't specify IngressTLS prematurely. (#6880)
090d009 
This elides the IngressTLS block until the Certificate has reported Ready because the secret may not exist.

Fixes: #6870
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mattmoor mattmoor

Labels
area/networking kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Don't specify IngressTLS prematurely. mattmoor/serving
3 participants
@mattmoor @ZhiminXiang @knative-prow-robot