-
Notifications
You must be signed in to change notification settings - Fork 38.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ingress does not support several TLS certificates #37518
Comments
Cloudproviders don't really support muxing multiple certs onto a single lb, so your current options are:
In theory a backend can parse the hostnames out of the list of certs and use the right one with the right We don't put the cert in with the HTTP rules because encryption is handled at Layer 5. So:
Non-http ingress is being discussed here: #23291 |
@bprashanth There's an example on how to use multiple TLS certificates here that @aledbf wrote. It actually lets you create the Ingress but it does not work as it uses the first certificate (on GKE anyways) only as you mention in 3. When you describe the Ingress you actually see:
So I guess this is a GKE issue? |
What controller are you running? If you're runnign the nginx controller, it has nothing to do with gke or gce, it functions the same everywhere. If you're running the gce ingress controller, gce doesn't accept multiple certs. By default you get the gce controller on gce, if you want to deploy the nginx controller instead, you need to do: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx#running-on-cloudproviders, eg https://github.com/kubernetes/contrib/blob/master/ingress/controllers/gce/BETA_LIMITATIONS.md#disabling-glbc |
To clarify, we don't validate against a single cert, because it's 100% valid to use a list of certs and look them up in the backend. If you're interested in submitting a patch to the nginx backend, i'm sure @aledbf would be more than happy to guide you (assuming the nginx controller doesn't already handle this). You just need to read out the hostname from the provided certs and write the appropriate rules, eg const (
keyFile = "/tmp/nginx.key"
certFile = "/tmp/nginx.crt"
hostname = "nginxsvc"
)
func main() {
cmd := fmt.Sprintf("openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout %v -out %v -subj \"/CN=%v/O=%v\"",
keyFile, certFile, hostname)
exec.Command("sh", "-c", cmd).Run()
defer func() {
exec.Command("rm", "-f", certFile, keyFile).Run()
}()
rawCert, _ := ioutil.ReadFile(certFile)
cert, _ := pem.Decode(rawCert)
x509Cert, _ := x509.ParseCertificate(cert.Bytes)
if err := x509Cert.VerifyHostname(hostname); err != nil {
log.Fatal(err)
}
log.Printf("successfully verified hostname %v in cert %v", x509Cert.Subject.CommonName, certFile)
} The "write the appropriate rules" part won't work when using a cloudprovider lb (eg: GCLB, ELB) but you can still use something like nginx on a cloudprovider. |
@bprashanth I am lost now - which of these options are supported on GKE? :) |
If you're running the nginx controller on GKE, you can do all of them |
@Ged15 There are no sig labels on this issue. Please add a sig label by: |
/sig network |
Is this still an issue? |
Sorry for the lack of responsiveness. I've not worked with GKE and K8s Ingress integration with Google load balancer for a while so do not know whether this is still an issue. Will close. |
This is still a issue. |
@Ged15 This is still an issue. |
@Ged15 can you reopen this ticket? This is still an issue |
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
Is this something that might get supported eventually? It would be a big plus to be able to put all your services, hosted on different domains using multiple certificates, behind a single Google Cloud Load Balancer using an Ingress. Currently I can work around the issue by managing the additional certs manually, as it looks like the GCLB does support multiple certs and SNI. For now I will probably move towards using a SAN cert for most of the domains to avoid managing them manually, but that's not possible for all of them in my case unfortunately.
|
/remove-lifecycle stale |
Is there a technical reason this is not supported on GCE? P.S. Issue for the gce ingress is here: kubernetes/ingress-gce#46 |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
@ianatha GCE ingress added multiple cert support in 1.1.0, that will be shipped in kubernetes 1.11. |
Multiple TLS certs are now working for me as of k8s ver. 1.10.2-gke.1 in GCP! It works by adding multiple hosts in the tls section like in my previous example. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
As stated above, ingress-gce does support multiple TLS certs now. /close |
This is now documented in the following section, prefaced by "Specifying multiple secrets...": |
Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see http://kubernetes.io/docs/troubleshooting/.): no.
What keywords did you search in Kubernetes issues before filing this one? (If you have found any duplicates, you should instead reply there.):
ingress
tls
.Is this a BUG REPORT or FEATURE REQUEST? (choose one): FEATURE REQUEST
Kubernetes version (use
kubectl version
): 1.4Environment:
uname -a
):What happened: Currently Ingress resources can only have one TLS certificate configured:
What you expected to happen: Would it make sense to have a TLS certificate per route rule. Something like this:
I am not aware of the design decisions behind the current implementation so this might not make sense at all.
The reason I propose this is because I see Ingress'es as public IP addresses. You might want to have several public IPs pointing to your cluster but also only one IP and then have several hosts point to that IP.
Initially submitted at kubernetes-retired/contrib#2058, but per request of @aledbf, submitting here.
The text was updated successfully, but these errors were encountered: