-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow proxy-ssl-* annotations without proxy-ssl-secret #10557
base: main
Are you sure you want to change the base?
Conversation
Skipping CI for Draft Pull Request. |
✅ Deploy Preview for kubernetes-ingress-nginx canceled.
|
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: tamalsaha The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hello maintainers, if you can take a quick and give some feedback if the pr makes changes in the right direction, I can try getting necessary testing added. So far, if fixes the issue I was facing. |
This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach |
The This bot removes
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /remove-lifecycle frozen |
if err != nil { | ||
return &Config{}, ing_errors.NewLocationDenied(err.Error()) | ||
} | ||
} else if err == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why wrap it in else if? line 194 is enough for the bug fix?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wanted to make sure that the annotation was present. My understanding is that err == ing_errors.ErrMissingAnnotations
will mean annotation is missing. So, I check for err == nil
to confirm that annotation is present and there is no parsing error.
@tamalsaha can you move this out of draft and rebase to get 1.29 tests? |
Signed-off-by: Tamal Saha <[email protected]>
cfb8d42
to
555c5eb
Compare
Done. |
Hi @strongjz , could you review this rebased version? It would be awesome to get this out and finally fix three-and-a-half year old issue #6728 :) (Pinging as I ran into the problem today, followed the issue to this PR, and with a review & merge it looks like we could get this over the line relatively straightforwardly 🙏 ) |
@tamalsaha @Pluies Another PR #11490 wants to make the proxy-ssl-secret optional, by stating that they have a backend that is capable only of TLSv1.3 and not TLSv1.2 or others and the controller does not try TLSv1.3 but terminates the connection after a failed attempt to use TLSv1.2 to their backend (that is only capable of TLSv1.3). So this other user wants to use You have not posted any description here but in the issue you linked, its is stated that you want to use My curiosity is very fundamental so hope you can help clarify this for other readers too. See question below ;
|
Hi @longwuyuan 👋 The reason we want to use these annotations is for reverse-proxying to an HTTPS backend that expects SNI as part of the TLS handshake. We used to have an ingress defined as: apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: amplitude-api-proxy
namespace: core
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/upstream-vhost: api.eu.amplitude.com
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
... This ingress sends traffic to a service type=ExternalName. This works working correctly until nginx ingress controller 4.9.x. Unfortunately, upon upgrading to nginx ingress controller release 4.10.0 which included nginx v1.25, we started getting HTTP 421 errors from upstream, complaining about SNI:
Looking around, we found a blogpost that mentions this issue and suggests using Indeed, once we updated the ingress to: apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: amplitude-api-proxy
namespace: core
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/upstream-vhost: api.eu.amplitude.com
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_ssl_server_name on;
proxy_ssl_name api.eu.amplitude.com; Then it started working again 👍 Using snippets is not best practice, so we'd rather be able to set |
@Pluies thank you for explaining. helps increase clarity. Due to lack of resources, some aspects are not getting absolutely clear here. Hence my concerns. You may have already observed (hence created this issue) or I can confirm to you as I have tested this fact. The proxy_ssl_* directives are non existing in the nginx.conf inside the controller pod, when the Even another user has the same opinion as you and has proposed #11490 to make the annotation I am not a developer so I could be completely wrong here. But all my reasoning is concluding that while we need to acknowledge the problem of not being able to set the attributes for HTTPS, from controller to a backend, the attempt to brute-force break the current set of If an expert comes in and explains the entire current sensibility and also the proposed change in the code for the existing |
Otherwise we may introducing, a new hitherto non-existing vulnerability, for the mTLS use-case, of the |
Yeah I assume all of these annotations were added with the specific idea of mTLS in mind, but they're obviously useful for other use-cases such as SNI etc, as confirmed by the multiple issues & PRs to make I think it would make sense to remove this limitation. In the current situation, we can set these annotations but they're silently ignored by the nginx-ingress-controller unless |
@Pluies thanks
Eventually a expert will comment I think. Lets wait |
What this PR does / why we need it:
Types of changes
Which issue/s this PR fixes
fixes #6728
How Has This Been Tested?
I have manually tested it using
ghcr.io/voyagermesh/ingress-nginx/controller:proxy-ssl-server-name
image.Checklist: