Annotations: Consume proxy-ssl-name and proxy-ssl-server-name even without proxy-ssl-secret. #6728

Open
@Okhoshi


NGINX Ingress controller version: v0.41.2

Kubernetes version (use kubectl version): v1.19.3

Environment: Docker-Desktop MacOS

  • Cloud provider or hardware configuration: MacBook Pro Late 2016
  • OS (e.g. from /etc/os-release): macOS 10.15.7 / Docker Desktop 3.0.4
  • Kernel (e.g. uname -a): ?
  • Install tools: ?
  • Others:

What happened:

I need to add an ingress for an application running in Caddy v2, and got it working by using proxy_ssl_server_name and proxy_ssl_name directives of Nginx. It worked well when I applied those through the configuration-snippet annotation.

However, these directives weren't applied when using proxy-ssl-name and proxy-ssl-server-name annotations, until I also put a valid proxy-ssl-secret annotation (i.e. secret exists, and is valid TLS cert).

What you expected to happen:

I expected proxy-ssl-name and proxy-ssl-server-name annotations to be applied without the need of proxy-ssl-secret.

How to reproduce it:

Set up ingress with proxy-ssl-name and proxy-ssl-server-name annotations:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/proxy-ssl-secret: atlas/base-certificate-tls
    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-name: "mercure.local"
  name: env-mercure
  namespace: atlas
spec:
  rules:
  - host: mercure.local
    http:
      paths:
      - backend:
          serviceName: env-mercure
          servicePort: 443
        path: /

You can verify proxy-ssl-* annotations effects with kubectl -n ingress-nginx exec -ti <ingress-nginx-controller pod name> -- cat /etc/nginx/nginx.conf | grep proxy_ssl_.
With the proxy-ssl-secret annotation, the proxy_ssl_ directives are present. Without the annotations, the directives are missing.

Anything else we need to know:

Looking at the debug logs at level 7 (with --v=7 in ingress-nginx args), I could see the parsed object for the ProxySSL part.

With proxy-ssl-secret annotation:

I0107 09:22:55.344305       8 annotations.go:178] "Parsing Ingress annotation" name="ProxySSL" ingress="atlas/env-mercure" value=&{AuthSSLCert:{Secret:atlas/base-certificate-tls CAFileName: CASHA: CRLFileName: CRLSHA: PemFileName:} Ciphers:DEFAULT Protocols:TLSv1 TLSv1.1 TLSv1.2 ProxySSLName:mercure.local Verify:off VerifyDepth:1 ProxySSLServerName:on}

Without proxy-ssl-secret annotation:

I0107 09:56:40.879259       8 annotations.go:178] "Parsing Ingress annotation" name="ProxySSL" ingress="atlas/env-mercure" value=&{AuthSSLCert:{Secret: CAFileName: CASHA: CRLFileName: CRLSHA: PemFileName:} Ciphers: Protocols: ProxySSLName: Verify: VerifyDepth:0 ProxySSLServerName:}

There are no errors in the logs, but you can notice the default values are not filled in (the default value for VerifyDepth is 1).

Is it the expected behavior to restrict proxy-ssl annotations only when the secret is set?

Thanks!

/kind bug
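
The gating that the two log lines point to, as an added Go example that is not part of the original issue and is not the controller's source. `Config`, `fill`, `parseGated`, `parseIndependent` and `render` are hypothetical names in a simplified model; the defaults are the values shown in the log line taken with the secret set.

```go
package main

import "fmt"

const prefix = "nginx.ingress.kubernetes.io/"

// Config reuses field names from the debug log; the type itself is hypothetical.
type Config struct {
	Secret, Ciphers, Protocols, Verify, ProxySSLName, ProxySSLServerName string
	VerifyDepth                                                          int
}

// fill applies the logged defaults, then overlays the annotations that are set.
func fill(ann map[string]string) Config {
	return Config{Secret: ann[prefix+"proxy-ssl-secret"], Ciphers: "DEFAULT",
		Protocols: "TLSv1 TLSv1.1 TLSv1.2", Verify: "off", VerifyDepth: 1,
		ProxySSLName:       ann[prefix+"proxy-ssl-name"],
		ProxySSLServerName: ann[prefix+"proxy-ssl-server-name"]}
}

// parseGated models the reported behaviour: a missing secret short-circuits
// parsing, so every other field stays at its zero value.
func parseGated(ann map[string]string) Config {
	if ann[prefix+"proxy-ssl-secret"] == "" {
		return Config{}
	}
	return fill(ann)
}

// parseIndependent models the expected behaviour: the secret is optional.
func parseIndependent(ann map[string]string) Config { return fill(ann) }

// render emits only the name-related directives that carry a value.
func render(c Config) (out []string) {
	if c.ProxySSLName != "" {
		out = append(out, "proxy_ssl_name "+c.ProxySSLName+";")
	}
	if c.ProxySSLServerName != "" {
		out = append(out, "proxy_ssl_server_name "+c.ProxySSLServerName+";")
	}
	return out
}

func main() {
	ann := map[string]string{ // constructed: the issue's annotations minus the secret
		prefix + "proxy-ssl-name": "mercure.local", prefix + "proxy-ssl-server-name": "on"}
	fmt.Println(render(parseGated(ann)), render(parseIndependent(ann)))
}
```

With the gated parser the rendered directive list is empty and VerifyDepth is 0, matching the second log line; the independent parser yields both directives and keeps the defaults.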

Labels

  • help wanted: Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
  • kind/bug: Categorizes issue or PR as related to a bug.
