ingress-nginx: proxy-ssl-server-name not applied if proxy-ssl-secret is not valid

NGINX Ingress controller version: v0.41.2

Kubernetes version (use kubectl version): v1.19.3

Environment: Docker-Desktop MacOS

  • Cloud provider or hardware configuration: MacBook Pro Late 2016
  • OS (e.g. from /etc/os-release): macOS 10.15.7 / Docker Desktop 3.0.4
  • Kernel (e.g. uname -a): ?
  • Install tools: ?
  • Others:

What happened:

I need to add an ingress for an application running in Caddy v2, and got it working by using proxy_ssl_server_name and proxy_ssl_name directives of Nginx. It worked well when I applied those through the configuration-snippet annotation.

However, these directives weren’t applied when using proxy-ssl-name and proxy-ssl-server-name annotations, until I also put a valid proxy-ssl-secret annotation (i.e. secret exists, and is valid TLS cert).

What you expected to happen:

I expected the proxy-ssl-name and proxy-ssl-server-name annotations to be applied without the need for proxy-ssl-secret.

How to reproduce it:

Set up ingress with proxy-ssl-name and proxy-ssl-server-name annotations:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/proxy-ssl-secret: atlas/base-certificate-tls
    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-name: "mercure.local"
  name: env-mercure
  namespace: atlas
spec:
  rules:
  - host: mercure.local
    http:
      paths:
      - backend:
          serviceName: env-mercure
          servicePort: 443
        path: /

You can verify the effects of the proxy-ssl-* annotations with kubectl -n ingress-nginx exec -ti <ingress-nginx-controller pod name> -- cat /etc/nginx/nginx.conf | grep proxy_ssl_. With the proxy-ssl-secret annotation, the proxy_ssl_ directives are present. Without the annotation, the directives are missing.

Anything else we need to know:

Looking at the debug logs at level 7 (with --v=7 in the ingress-nginx args), I could see the parsed object for the ProxySSL part.

With proxy-ssl-secret annotation:

I0107 09:22:55.344305       8 annotations.go:178] "Parsing Ingress annotation" name="ProxySSL" ingress="atlas/env-mercure" value=&{AuthSSLCert:{Secret:atlas/base-certificate-tls CAFileName: CASHA: CRLFileName: CRLSHA: PemFileName:} Ciphers:DEFAULT Protocols:TLSv1 TLSv1.1 TLSv1.2 ProxySSLName:mercure.local Verify:off VerifyDepth:1 ProxySSLServerName:on}

Without proxy-ssl-secret annotation:

I0107 09:56:40.879259       8 annotations.go:178] "Parsing Ingress annotation" name="ProxySSL" ingress="atlas/env-mercure" value=&{AuthSSLCert:{Secret: CAFileName: CASHA: CRLFileName: CRLSHA: PemFileName:} Ciphers: Protocols: ProxySSLName: Verify: VerifyDepth:0 ProxySSLServerName:}

There are no errors in the logs, but you can notice that the default values are not filled in (the default value for VerifyDepth is 1).

Is it the expected behavior to restrict proxy-ssl annotations only when the secret is set?

Thanks!

/kind bug
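To turn the grep check from the report above into a repeatable regression test, here is an added example (not code from the ingress-nginx project) that looks up the server block for a given server_name in a rendered nginx.conf and reports which proxy_ssl_* directives are present. The two config fragments are constructed to mirror the "with secret" and "without secret" cases; on a real cluster you would feed it the output of the kubectl exec command instead.

```python
import re

# Constructed fragments modelled on what the rendered nginx.conf looks like
# for the env-mercure ingress, with and without the proxy-ssl-secret annotation.
CONF_WITH_SECRET = """
server {
    server_name mercure.local ;
    location / {
        proxy_ssl_name                  mercure.local;
        proxy_ssl_server_name           on;
        proxy_pass https://upstream_balancer;
    }
}
"""

CONF_WITHOUT_SECRET = """
server {
    server_name mercure.local ;
    location / {
        proxy_pass https://upstream_balancer;
    }
}
"""

def server_block(conf, host):
    """Return the text of the server { ... } block whose server_name lists host."""
    for m in re.finditer(r"server\s*\{", conf):
        depth, block = 0, None
        for j in range(m.start(), len(conf)):
            if conf[j] == "{":
                depth += 1
            elif conf[j] == "}":
                depth -= 1
                if depth == 0:
                    block = conf[m.start():j + 1]  # brace-balanced block
                    break
        if block is None:
            continue
        names = re.search(r"server_name\s+([^;]+);", block)
        if names and host in names.group(1).split():
            return block
    return None

def proxy_ssl_status(conf, host):
    """Map each expected proxy_ssl_* directive to its value, or None if absent."""
    wanted = ("proxy_ssl_server_name", "proxy_ssl_name")
    block = server_block(conf, host) or ""
    found = {d: v.strip() for d, v in
             re.findall(r"^\s*(proxy_ssl_\w+)\s+([^;]+);", block, re.M)}
    return {d: found.get(d) for d in wanted}
```

A `None` for proxy_ssl_server_name or proxy_ssl_name means the backend will be contacted without the SNI and verification name you asked for, which is exactly the silent failure described in the report.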

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 20
  • Comments: 30 (7 by maintainers)

Most upvoted comments

stale as bread

@Gacko @cpanato @strongjz, any chance we can get a resolution to this long-standing issue?

I think we can simply modify the behavior of the nginx.ingress.kubernetes.io/proxy-ssl-server-name and nginx.ingress.kubernetes.io/proxy-ssl-name annotations so that they don’t require nginx.ingress.kubernetes.io/proxy-ssl-secret to be set.

Nginx allows setting proxy_ssl_name and proxy_ssl_server_name, even if proxy_ssl_certificate and proxy_ssl_certificate_key are not set, so there is no reason for us to enforce this requirement here.

It’s been a while so I thought I’d report that I’m still experiencing this issue today in controller v1.7.0.

I see @rittneje’s PR (https://github.com/kubernetes/ingress-nginx/pull/7084) was never merged (his last comment said he couldn’t complete it himself).