-
Notifications
You must be signed in to change notification settings - Fork 350
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ingress v1 - TLS from Spec #1974
Conversation
e4bc495
to
86f4ad3
Compare
@szuecs would love to receive some initial feedback on this proposal |
a516835
to
7258fa1
Compare
The current design sets certificate to the route which creates a problem for route update when tls secret changes and also loops over all valid routes which is completely unnecessary (e.g. only a handful of routes out of thousands may require certificate); it also couples certificate lookup to the routing. The proposal does not addess explicitly the problem of multiple ingresses defining different secrets for the same host. It also reloads secrets and re-creates certificates on every ingress poll cycle (3 seconds by default) which might be ok for the initial implementation but be suboptimal performance-wise as secrets would change less often. I propose we think about a new component e.g.
It is not clear what should be the strategy to cleanup of unused certificates and if we should decouple secret/certificate update from the ingress update at this point. Also lets check how other ingress controllers implement the lookup logic. |
There is a bit of chicken-and-egg problem - server listener has to choose the certificate before routing, i.e. it does not know yet which route the request will follow and hence can not determine the ingress and its tls config that defines route. E.g. I do not see how and if it should be possible to define two ingresses that use different certificates for the same host and different paths: apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: foo
spec:
tls:
- hosts:
- https-example.example.com
secretName: foo-secret
rules:
- host: https-example.example.com
http:
paths:
- path: /foo
pathType: Prefix
backend:
service:
name: service1
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: bar
spec:
tls:
- hosts:
- https-example.example.com
secretName: bar-secret # different cert
rules:
- host: https-example.example.com
http:
paths:
- path: /bar
pathType: Prefix
backend:
service:
name: service2
port:
number: 80 It is also not clear how certificate selection should work if one ingress defines the apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: foo
spec:
tls:
- hosts:
- https-example.example.com
secretName: foo-secret
rules:
- host: https-example.example.com
http:
paths:
- path: /foo
pathType: Prefix
backend:
service:
name: service1
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: bar
spec:
# no tls defined for https-example.example.com
rules:
- host: https-example.example.com
http:
paths:
- path: /bar
pathType: Prefix
backend:
service:
name: service2
port:
number: 80 It looks like the out best shot would be to have a global certificate registry that does not account for ingress/routing and let listener to pick first matching certificate. This way in example 1 different certs for the same host would be an undefined behaviour and in example 2 the second ingress would use certificate configured by the first. |
e41f4a4
to
d9fb5b4
Compare
I like this idea. Terminating TLS should not care what the route is, should only care if a rule's host matches the tls host and add it to the registry.
Could it do something similar to how routing is updated? Get a list of current, updated and deleted TLS certs and send them over to the certificate registry? |
afaict the NGINX Ingress controller has a similar store component which implements an sslStore tracker. Certificates are generated and stored in this tracker to later be read. The store has the logic to manage old/stale certificates. |
@AlexanderYastrebov, implemented your suggestion of a Certificate Registry. Included the following proposals:
If this something we could get your feedback on? |
@rickhlx Hello, thank you, I'll have a look once I have some spare capacity |
Using a separate function to generate a tls cert from a kubernetes secret. Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
We do not want to maintain default certificates within the registry. Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Registry will be able to use configured certificates as fallback if no certificates are found in the registry. Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
This will make clear that enabling this option will allow skipper to read resources and secrets to allow TLS termination. Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
@rickhlx Thank you, great work! |
👍 |
I think 4 small changes and we are good to merge. Thanks for your great work @rickhlx and thanks @AlexanderYastrebov for the great review! |
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
Signed-off-by: Ricardo Herrera <rickhl@outlook.com>
👍 |
1 similar comment
👍 |
@AlexanderYastrebov @szuecs thanks for the excellent communication and feedback, was a pleasure to work on this. Learned a lot! |
Fixes #851
Fixes #1780
This will allow us to define TLS certs at the Ingress resource and dynamically respond with the correct cert based on the request.