-
Notifications
You must be signed in to change notification settings - Fork 303
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pre-shared-cert ordering (documentation/implementation mismatch) #1309
Comments
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
Rotten issues close after 30d of inactivity. Send feedback to sig-contributor-experience at kubernetes/community. |
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/reopen I can confirm that this is still the case. It gets alphabetically reordered. No matter what order you submit it in. As such my controller was continuously fighting with the controller that kept reordering it. The documentation that describes that the order matters is correct, the first certificate on the list does get shown as primary certificate if there is no SNI match. Due to this bug the only way we can currently control which certificate gets shown is if we need to use self managed certificates where we can choose what the name is of the certificate and via that we can ensure that it's alphabetically either before or after the google managed certificates. For example: We use a single google managed certificate with a random generated name by google: mcrt-780449c3-edc2-4989 With multiple subject alternative names: app.abc.org Now we want to add app3.abc.org, but that domain is live in our old datacenter. To migrate it to GCP we'll add a wildcard certificate named: wildcard-abc-org to our ingress with as domain name: *.abc.org. So that we have a 0 downtime migration while the new google managed certificate gets created in the background. We add it to our ingress as: Expected behavior: Users that connect to app3.abc.org have no SNI match, thus get shown the primary certificate (first in the list) Actual behavior: Under the surface the pre-shared-cert annotation gets alphabetically rewritten to: ingress.gcp.kubernetes.io/pre-shared-cert: mcrt-780449c3-edc2-4989, wildcard-abc-org Users that connect to app3.abc.org have no SNI match, thus get shown the primary certificate (first in the list). Which is a invalid certificate because it only matches for app.abc.org and app2.abc.org. Which leads to certificate errors. The only way for us to mitigate this is:
We'll be going with option 2 for now. But ideally this gets fixed so that it does not get reordered and so the user can actually control which certificate gets shown first. |
@rsevat: You can't reopen an issue/PR unless you authored it or you are a collaborator. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/reopen |
@hermanbanken: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
reopening for @rsevat |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/lifecycle frozen To keep the issue alive |
The Ingress Controller does not write to this annotation. This is actually a consequence of using the Managed Certificates controller which writes to the annotation to add the Google Managed Cert: https://github.com/GoogleCloudPlatform/gke-managed-certs/blob/master/pkg/controller/sync/sync.go#L152-L162. The managed cert controller has to add the managed cert to the pre-shared-cert annotation for the Ingress controller to add it the SSL cert. When adding the cert, the managed cert controller always sorts the certs. |
The annotation
pre-shared-cert
as documented on [1] is supposed to be ordered:However, this is not the case. If I apply the YAML [2], then the annotation is rewritten by the controller. The last-applied annotation correctly reflects the order
cert-2, cert-1
, but the annotation becomescert-1,cert-2
.This is troublesome, because some client might not support SNI. The order of the certificates in GCP Load Balancers is therefore (critically) important. We switched from Kubernetes-managed certificates to
pre-shared-certs
to more easily have the same certificates shared by multiple clusters each in their own LB. We would be able to have our Security officer deliver us a new certificate name, which we could apply to all clusters automatically using Kustomize & Flux (GitOps). However, that is impacted by this reordering bug. As a workaround, we'll need to name the primary certificate with a lexicographically-first name.1 = https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl#which_certificate_is_presented is
2 = Ingress resource
The text was updated successfully, but these errors were encountered: