Add option to control SSL chain completion #63845
/assign @marcoceppi
/ok-to-test
Thanks for the contribution! This change seems straightforward, my only concern is kubernetes/ingress-nginx#1977 which points out that this might not work in 0.10.1 (though
controller. Set this to true if you would like the ingress controller | ||
to attempt auto-retrieval of intermediate certificates. The default | ||
(false) is recommended for all production kubernetes installations, and | ||
any environment which does not have outbound Internet access. |
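Review bot: the last sentence of this description recommends the default (false) for "all production kubernetes installations" without giving the reason or the consequence. Suggest naming the dependency on outbound access to fetch intermediates as the reason, and stating that with false the controller does not retrieve intermediate certificates, so the certificate the operator supplies must already carry its full chain. Capitalizing "Kubernetes" would also match usage elsewhere.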
I'm gonna need some context for the default: false here. The nginx-ingress-controller docs say this defaults to true. What's our justification for deviating from that? Who is recommending false for all production Kubernetes installations?
@Cynerva auto-retrieval of intermediate certificates is a fragile process. It can fail for many reasons, for example firewalls blocking traffic or CA website outages. In a secure production environment it requires egress firewall access rules and they might stop working if CAs move IPs.
At the same time we saw nginx-ingress controller pods crash when chain completion fails.
Because of that, Canonical IS decided that disabling completion is the safest setting for production environments. We may end up with an incomplete chain, but we prefer that to a possible outage.
If, however, you think that charms should have the same default as upstream, it would still work for us. What we need is a way to disable this functionality. Making it disabled by default is, in our opinion, the best, but we would be happy with "true" being the default; we can always just set it to "true" in our environments.
Thanks @jacekn. I'm content to ship default: false - you guys know production concerns better than I do. I just wanted to make sure the decision was made deliberately and with careful thought, which it sounds like it was. 👍
/assign @Cynerva
This looks good. I'm just gonna test real quick to make sure it doesn't break on 0.9.0 (thanks @marcoceppi for bringing this up)
Dang. It does break with the default version we ship (0.9.0-beta.15):
We will need to catch up before this can be merged. It looks like the first version that includes --enable-ssl-chain-completion is
FYI, we have a pull request open to bump the default nginx-ingress-controller version to 0.15.0: #64285 It is currently blocked by code freeze, which should end roughly around Jun 19. Once that lands, we'll follow up on this PR.
This is unblocked - code freeze is over, and the default nginx-ingress-controller version has been bumped to 0.15.0. I'm doing a quick test now.
/lgtm This looks good now on top of the latest charm code. A bot should merge it within the next couple of days once it gets through the submit queue. Thanks for your patience 👍
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Cynerva, paulgear The full list of commands accepted by this bot can be found here. The pull request process is described here
Automatic merge from submit-queue (batch tested with PRs 65301, 65291, 65307, 63845, 65313). If you want to cherry-pick this change to another branch, please follow the instructions here.
What this PR does / why we need it:
This adds templated support to the kubernetes-worker juju charm for the --enable-ssl-chain-completion option on the ingress proxy. It defaults to false, to ensure that production sites are not reliant on OCSP or DNS in order to function.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged): Fixes #
Special notes for your reviewer:
Release note: