Server-only authentication of backends and per-location SSL config #4689
…server but with own unique Ingress definitions can have different SSL configs
Welcome @janosi!
Hi @janosi. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
Codecov Report

Coverage diff, master vs #4689:

| | master | #4689 | +/- |
|---|---|---|---|
| Coverage | 58.62% | 58.59% | -0.03% |
| Files | 88 | 88 | |
| Lines | 6743 | 7057 | +314 |
| Hits | 3953 | 4135 | +182 |
| Misses | 2353 | 2443 | +90 |
| Partials | 437 | 479 | +42 |

Continue to review full report at Codecov.
/retest
/assign @bowei
@@ -491,17 +491,6 @@ func (n *NGINXController) getBackendServers(ingresses []*ingress.Ingress) ([]*in | |||
server.Hostname, ingKey) | |||
} | |||
|
|||
if server.ProxySSL.CAFileName == "" { |
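Review bot: the header `@@ -491,17 +491,6 @@` drops 11 lines of getBackendServers around the `if server.ProxySSL.CAFileName == "" {` guard, and the surviving context line `server.Hostname, ingKey)` shows this was the spot that warned when a second Ingress for the same hostname tried to set proxy-ssl. Without that guard the last Ingress processed silently overwrites the server-level CA bundle for every location of the host, which is a behavioural change for existing Ingresses; keep the first-wins check (and its warning naming server.Hostname and ingKey) at server level and apply each Ingress's own settings at location level instead of removing the check.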
Why are you removing this?
Without it, you can overwrite the server certificate, if the annotation is used in two different Ingress rules for the same hostname.
Exactly, that is the purpose here. The intent is to move the proxy-ssl rules to location level instead of the current server level, so users can then define certificates on location (backend/service) level, i.e. the different locations under the same server can have different certificates. This is an ingress usage pattern in our cloud.
@@ -104,17 +104,19 @@ func (s *k8sStore) getPemCertificate(secretName string) (*ingress.SSLCert, error | |||
return nil, fmt.Errorf("unexpected error creating SSL Cert: %v", err) | |||
} | |||
|
|||
path, err := ssl.StoreSSLCertOnDisk(nsSecName, sslCert) |
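Review bot: `path, err := ssl.StoreSSLCertOnDisk(nsSecName, sslCert)` persists the whole parsed secret, including the tls.key material that getPemCertificate has just loaded into sslCert, to the controller's filesystem, while the surrounding function (see the `unexpected error creating SSL Cert` branch above) only builds an in-memory cert and the controller otherwise keeps just CA bundles on disk. Gate this write on the secret actually being referenced by a proxy-ssl annotation (a CA-only secret needs no key on disk), make sure the returned `err` is handled like the earlier error branch, and state in the PR description why the private key must leave memory here.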
Why are you doing this?
Only CA certificates should be stored on disk. Everything else is handled by Lua, dynamically.
When I used the original version and defined proxy-ssl-secret in my Ingress, the result was a config file in which all of proxy_ssl_trusted_cert, proxy_ssl_certificate and proxy_ssl_certificate_key pointed to the same file on disk. That was my experience with the original version, i.e. it wanted to have the tls.crt and tls.key from a file on disk originally.
If I understand the original code well, it does the following: it puts the client cert and key into sslCert, then, if a server CA is present, it first stores the sslCert (i.e. client key and cert) on disk and then appends the server CA to the file.
In order to preserve this function I kept writing the client key and cert to disk in my code. I tested it, and it works, both when there is only ca.crt in the proxy-ssl-secret and when there are additional tls.key and tls.crt.
@aledbf I would like to ask, could you please help me find the Lua script that is supposed to manage the client key and cert? I would like to see the whole picture (even though my experience with the original version showed that the controller configured nginx to take those from the CAFile on disk). Thank you!
@aledbf Is there anything I can do for this PR?
Don't break the current behavior. I understand your goal here but this change will break existing ingresses after an upgrade.
@aledbf
@aledbf I restored the functionality that puts the proxy_ssl parameters on server level, i.e. the old functionality is restored. Besides that, the new logic puts the proxy_ssl parameters at location level, too.
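The two-level behaviour discussed in this thread (server-level proxy_ssl settings stay first-wins so existing Ingresses keep working; each location additionally carries the settings of the Ingress that defined it) as an added example in Go. This is illustration code written for this page, not ingress-nginx's own code: the `ProxySSL`, `Server`, `Location` and `Conflict` types, `ApplyProxySSL` and `RenderServer` are all assumed names, and the CA paths and hostnames are constructed samples.

```go
package main

import "fmt"

// ProxySSL is the per-Ingress proxy-ssl configuration derived from the
// proxy-ssl-* annotations. The struct and its fields are assumptions for this
// example, not ingress-nginx's own types.
type ProxySSL struct {
	CAFileName string // CA bundle path written to disk from the secret's ca.crt
	Verify     string // "on" or "off"
	Name       string // value for proxy_ssl_name
}

// Location is one backend path under a server; it carries the proxy-ssl
// settings of the Ingress that defined it.
type Location struct {
	Path     string
	IngKey   string // namespace/name of the defining Ingress
	ProxySSL ProxySSL
}

// Server is one virtual host. The server-level ProxySSL is first-wins, so the
// behaviour existing Ingresses relied on before this PR is unchanged.
type Server struct {
	Hostname    string
	ProxySSL    ProxySSL
	ProxySSLIng string // Ingress that set the server-level config
	Locations   []*Location
}

// Conflict records a later Ingress trying to change the server-level config
// that an earlier Ingress for the same hostname already set.
type Conflict struct {
	Hostname, First, Second string
}

func (c Conflict) String() string {
	return fmt.Sprintf("server %q: proxy-ssl already set by %s, ignoring server-level config from %s (location-level config still applied)",
		c.Hostname, c.First, c.Second)
}

// ApplyProxySSL merges one Ingress rule (host + path) into the server map.
// Server level keeps the first non-empty config it saw; the new location
// always gets the rule's own config, so two Ingresses sharing a hostname can
// talk to backends that present certificates from different CAs.
func ApplyProxySSL(servers map[string]*Server, ingKey, hostname, path string, cfg ProxySSL) (*Server, *Conflict) {
	srv, ok := servers[hostname]
	if !ok {
		srv = &Server{Hostname: hostname}
		servers[hostname] = srv
	}
	var conflict *Conflict
	if cfg.CAFileName != "" {
		switch {
		case srv.ProxySSL.CAFileName == "":
			srv.ProxySSL, srv.ProxySSLIng = cfg, ingKey
		case srv.ProxySSL != cfg:
			conflict = &Conflict{Hostname: hostname, First: srv.ProxySSLIng, Second: ingKey}
		}
	}
	srv.Locations = append(srv.Locations, &Location{Path: path, IngKey: ingKey, ProxySSL: cfg})
	return srv, conflict
}

// directives renders the nginx proxy_ssl_* lines for one config, or nothing
// when no CA was configured (nginx then falls back to the enclosing scope).
func directives(p ProxySSL, indent string) []string {
	if p.CAFileName == "" {
		return nil
	}
	return []string{
		indent + "proxy_ssl_trusted_certificate " + p.CAFileName + ";",
		indent + "proxy_ssl_verify " + p.Verify + ";",
		indent + "proxy_ssl_name " + p.Name + ";",
	}
}

// RenderServer returns the server block with proxy_ssl_* directives at both
// the server and the location level, the shape this PR ends up with.
func RenderServer(srv *Server) []string {
	lines := []string{"server {", "    server_name " + srv.Hostname + ";"}
	lines = append(lines, directives(srv.ProxySSL, "    ")...)
	for _, loc := range srv.Locations {
		lines = append(lines, "    location "+loc.Path+" {")
		lines = append(lines, directives(loc.ProxySSL, "        ")...)
		lines = append(lines, "    }")
	}
	return append(lines, "}")
}

func main() {
	servers := map[string]*Server{}
	// constructed sample: two Ingresses for the same host, each with its own CA bundle
	a := ProxySSL{CAFileName: "/etc/ingress-controller/ssl/default-ca-a.pem", Verify: "on", Name: "a.backend.svc"}
	b := ProxySSL{CAFileName: "/etc/ingress-controller/ssl/default-ca-b.pem", Verify: "on", Name: "b.backend.svc"}
	ApplyProxySSL(servers, "default/ing-a", "shop.example", "/a", a)
	srv, conflict := ApplyProxySSL(servers, "default/ing-b", "shop.example", "/b", b)
	if conflict != nil {
		fmt.Println("warning:", conflict)
	}
	for _, l := range RenderServer(srv) {
		fmt.Println(l)
	}
}
```

The conflict is reported rather than silently resolved so that an operator can see in the controller log which Ingress lost the server-level setting; the location-level directives are what make the second backend's CA effective regardless.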
…mments received. Also writing tls.crt and tls.key to disk is according to the original code.
@aledbf Could you please check and comment? Thank you!
@aledbf @ElvinEfendi Could any of you please check this? Thank you!
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, janosi

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
@aledbf Thank you!
For those who find themselves here, this PR does make it possible to use a secret containing only a CA certificate bundle, as referenced by the

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: proxy-ssl-secret
data:
  ca.crt: (base64-encoded PEM file)
type: Opaque
```

The set of annotations that worked for me to use an HTTPS backend:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS"
    "nginx.ingress.kubernetes.io/proxy-ssl-secret": "ingress-nginx/ingress-nginx-proxy-ssl-secret"
    "nginx.ingress.kubernetes.io/proxy-ssl-verify": "on"
    "nginx.ingress.kubernetes.io/proxy-ssl-server-name": "on"
    "nginx.ingress.kubernetes.io/proxy-ssl-name": "backend.example"
    "nginx.ingress.kubernetes.io/upstream-vhost": "backend.example"
```
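The two secret shapes this thread ends up supporting (a CA-only secret as in the comment above, and the original ca.crt plus tls.crt/tls.key layout janosi describes earlier) as an added Go example that validates a proxy-ssl secret before anything is written to disk. This is not ingress-nginx's own code: `ClassifyProxySSLSecret`, `SecretMode` and `makeCertPEM` are assumed names, the IsCA requirement on ca.crt is a stricter check than the page describes, and the certificates are generated at run time as constructed sample material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SecretMode says which proxy_ssl_* directives a secret can back.
type SecretMode int

const (
	ModeInvalid      SecretMode = iota
	ModeCAOnly                  // ca.crt only: proxy_ssl_trusted_certificate + proxy_ssl_verify
	ModeCAWithClient            // ca.crt + tls.crt + tls.key: also proxy_ssl_certificate(_key) for client auth to the backend
)

func (m SecretMode) String() string {
	return [...]string{"invalid", "ca-only", "ca-with-client-cert"}[m]
}

// parseCertsPEM returns every CERTIFICATE block in a PEM bundle, failing on
// the first block that does not parse.
func parseCertsPEM(b []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for {
		var block *pem.Block
		block, b = pem.Decode(b)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("no CERTIFICATE blocks found")
	}
	return certs, nil
}

// ClassifyProxySSLSecret validates the keys of a proxy-ssl secret the way a
// conservative controller would before persisting anything: ca.crt is
// mandatory and must hold CA certificates; tls.crt/tls.key are optional but
// must come as a matching pair of parseable PEM objects.
func ClassifyProxySSLSecret(data map[string][]byte) (SecretMode, error) {
	ca, ok := data["ca.crt"]
	if !ok || len(ca) == 0 {
		return ModeInvalid, errors.New("proxy-ssl secret must contain ca.crt")
	}
	caCerts, err := parseCertsPEM(ca)
	if err != nil {
		return ModeInvalid, fmt.Errorf("ca.crt: %w", err)
	}
	for _, c := range caCerts {
		if !c.IsCA {
			return ModeInvalid, fmt.Errorf("ca.crt: %q is not a CA certificate", c.Subject.CommonName)
		}
	}
	crt, hasCrt := data["tls.crt"]
	key, hasKey := data["tls.key"]
	if !hasCrt && !hasKey {
		return ModeCAOnly, nil
	}
	if hasCrt != hasKey {
		return ModeInvalid, errors.New("tls.crt and tls.key must be provided together")
	}
	if _, err := parseCertsPEM(crt); err != nil {
		return ModeInvalid, fmt.Errorf("tls.crt: %w", err)
	}
	block, _ := pem.Decode(key)
	if block == nil {
		return ModeInvalid, errors.New("tls.key: not PEM encoded")
	}
	if _, err := x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
		if _, err2 := x509.ParseECPrivateKey(block.Bytes); err2 != nil {
			if _, err3 := x509.ParsePKCS1PrivateKey(block.Bytes); err3 != nil {
				return ModeInvalid, fmt.Errorf("tls.key: unsupported private key: %v", err)
			}
		}
	}
	return ModeCAWithClient, nil
}

// makeCertPEM builds a self-signed certificate and its PKCS#8 key purely as
// constructed sample material for this example (CA when isCA is true).
func makeCertPEM(isCA bool) (certPEM, keyPEM []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}

func main() {
	caPEM, _ := makeCertPEM(true)
	crtPEM, keyPEM := makeCertPEM(false)
	for name, data := range map[string]map[string][]byte{
		"ca-only":     {"ca.crt": caPEM},
		"with-client": {"ca.crt": caPEM, "tls.crt": crtPEM, "tls.key": keyPEM},
		"missing-key": {"ca.crt": caPEM, "tls.crt": crtPEM},
	} {
		mode, err := ClassifyProxySSLSecret(data)
		fmt.Printf("%-12s -> %v (err=%v)\n", name, mode, err)
	}
}
```

Classifying first means a CA-only secret never causes a private key to be written to the controller's disk, while the client-certificate case is recognised explicitly rather than inferred from whatever happens to be in the secret.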
What this PR does / why we need it:

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #4688 #4503

Special notes for your reviewer: