Update documentation to include multiple-TLS support. #278
Conversation
k8s-ci-robot
added
cncf-cla: yes
README.md
Outdated
| For encrypted communication between the client to the load balancer, you need to specify a TLS private key and certificate to be used by the ingress controller. | ||
| For encrypted communication between the client to the load balancer, you need to specify a TLS private key and certificate to be used by the ingress controller. | ||
|
|
||
| Version 1.1 of GLBC now supports (as a beta feature) using more than one SSL certificate in a single Ingress for request termination (aka Multiple-TLS). With this change, keep in mind that the upper limit is 10. |
There was a problem hiding this comment.
"GCP's limit is 10". Could you also link to the GCP page that says that, please
README.md
Outdated
| For encrypted communication between the client to the load balancer, you need to specify a TLS private key and certificate to be used by the ingress controller. | ||
| For encrypted communication between the client to the load balancer, you need to specify a TLS private key and certificate to be used by the ingress controller. | ||
|
|
||
| Version 1.1 of GLBC now supports (as a beta feature) using more than one SSL certificate in a single Ingress for request termination (aka Multiple-TLS). With this change, keep in mind that the upper limit is 10. |
There was a problem hiding this comment.
How can a user of GKE know what version of the load balancer they are using to realise whether or not this information is relevant to them?
There was a problem hiding this comment.
README.md
Outdated
| metadata: | ||
| name: no-rules-map | ||
| spec: | ||
| tls: |
There was a problem hiding this comment.
How would you specify which certificate to use in an example with a rules map?
apiVersion: extensions/v1beta1
kind: Ingress
spec:
tls:
- secretName: svc1-certificate
- secretName: svc2-certificate
backend:
serviceName: svc1
servicePort: svc1-port
rules:
- host: svc1.example.com
http:
paths:
- path: /*
backend:
serviceName: svc1
servicePort: svc1-port
- host: svc2.example.com
http:
paths:
- path: /*
backend:
serviceName: svc2
servicePort: svc2-port
There was a problem hiding this comment.
You should depend on the hostname provided in your cert to do this. For example, if the client request indicates a hostname of svc1.example.com and your svc1-certificate is for that same hostname, then svc1-certificate will be served. I will update the PR with your example to make this clearer.
There was a problem hiding this comment.
@stevedomin Should be updated now, PTAL!
There was a problem hiding this comment.
@rramkumar1 thanks fo the updated doc. How does this work with wildcard certificate? Let's say that I'm using a EV certificate for a specific subdomain and a wildcard one for others (see example below). Is it always going to pick up the most specific certificate first?
apiVersion: extensions/v1beta1
kind: Ingress
spec:
tls:
- secretName: ev-certificate
- secretName: wildcard-certificate
backend:
serviceName: svc1
servicePort: svc1-port
rules:
- host: ev-domain.example.com
http:
paths:
- path: /*
backend:
serviceName: svc1
servicePort: svc1-port
- host: sub.example.com
http:
paths:
- path: /*
backend:
serviceName: svc2
servicePort: svc2-port
There was a problem hiding this comment.
This is straight from the GCP docs https://cloud.google.com/compute/docs/load-balancing/http/ssl-certificates:
"When the load balancer selects a certificate, it always prefers to match a hostname to certificates without wildcards over certificates with wildcards"
There was a problem hiding this comment.
Looks great, got it working in my project. Thanks again!
There was a problem hiding this comment.
In my project I've also specified the tls[].hosts[] parameter for my certificates, but it doesn't look like that has any effect with this Ingress Controller. Would that assumption be right?
Something like this:
spec:
tls:
- hosts:
- 'ev-domain.example.com'
secretName: ev-certificate
- hosts:
- '*.example.com'
secretName: wildcard-certificateThere was a problem hiding this comment.
Correct, this controller ignores the hosts parameter.
There was a problem hiding this comment.
Perfect, thank you. Running this in production now, so it's working as documented here ✨
There was a problem hiding this comment.
I'll update the documentation to include this point in a separate PR.
|
/lgtm |
k8s-ci-robot
added
the
lgtm
/assign @nicksardo