ingress-nginx: Unexpected behaviour of ingress rules and SSL/TLS settings when using wildcard certificates
NGINX Ingress controller version: 1.9.1
Kubernetes version (use kubectl version): 1.18.9
Environment: DEV with the wish to replace Istio on production
- Cloud provider or hardware configuration: EKS
- OS (e.g. from /etc/os-release): Amazon Linux 2
- Kernel (e.g. uname -a): 4.14.203-156.332.amzn2.x86_64
- Install tools: Terraform, Helm
What happened:
Istio is using gateways where you can define multiple hosts and hook the cert-manager up to create ONE certificate to rule all of them. What I wanted to achieve is an ingress, which creates a certificate for my domain including some subdomains with wildcards as well.
The issue I encounter is that it seems like an ingress TLS host is forced to be equal to the rules.host section. This doesn’t make sense when working with wildcards. I’m not sure if this is on purpose or a bug, so this is either a bug report or a feature request. Here is an example.
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    cert-manager.io/issue-temporary-certificate: "true"
    acme.cert-manager.io/http01-edit-in-place: "true"
spec:
  tls:
  - hosts:
    - '*.domain.com'
    secretName: test-tls
  rules:
  - host: test.domain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx
          servicePort: 80
```
Requesting test.domain.com will result in a failed TLS handshake because the certificate which gets delivered is invalid. Confusingly, it delivers the default NGINX ingress controller certificate and I’ll receive a 404 instead of my expected nginx default landing page. If I change both hosts to either *.domain.com or test.domain.com it works just fine.
The certificate which gets created for the snippet above is valid. So I don’t understand the routing to the default backend and why it isn’t using the certificate at all.
What you expected to happen:
Wildcard certificates should be delivered if they hit an ingress rule which fits them. Therefore we have the awesome ‘*’
How to reproduce it:
I’m using Terraform and helm to install the nginx controller and cert-manager but there are many ways to do it. If you have both of them running and cert-manager configured you can reproduce this behaviour with this yaml.
Anything else we need to know:
Let me know if you need more information. I’ll share them asap.
/kind bug
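The coverage check the reporter expected, written out as an added example (not ingress-nginx or cert-manager code): a rules.host is served by a tls entry when one of its hosts matches exactly or as a single-label wildcard, which is the rule TLS certificates follow (RFC 6125 section 6.4.3). The spec below is the posted YAML mirrored as a Python dict; the helper names are this example's own.

```python
# Added example (not ingress-nginx code): find which TLS secret, if any, covers
# each rules.host of an Ingress. Wildcards cover exactly one leftmost label:
# '*.domain.com' matches 'test.domain.com' but not 'domain.com' or 'a.b.domain.com'.
from typing import Optional

# The spec from the issue, mirrored as a dict (same content as the posted YAML).
INGRESS_SPEC = {
    "tls": [{"hosts": ["*.domain.com"], "secretName": "test-tls"}],
    "rules": [{"host": "test.domain.com"}],
}


def host_matches(pattern: str, host: str) -> bool:
    """True if 'host' is covered by 'pattern' (exact name or '*.' wildcard)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # "*.domain.com" -> ".domain.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    # The wildcard must stand in for one non-empty label, never the whole name.
    return bool(leftmost) and "." not in leftmost


def tls_secret_for(spec: dict, host: str) -> Optional[str]:
    """Name of the TLS secret whose hosts cover 'host', or None if no entry does."""
    for entry in spec.get("tls", []):
        if any(host_matches(p, host) for p in entry.get("hosts", [])):
            return entry.get("secretName")
    return None


def uncovered_rule_hosts(spec: dict) -> list:
    """Rule hosts no tls.hosts entry covers; these fall back to the default cert."""
    return [r["host"] for r in spec.get("rules", [])
            if "host" in r and tls_secret_for(spec, r["host"]) is None]


if __name__ == "__main__":
    print(tls_secret_for(INGRESS_SPEC, "test.domain.com"))  # test-tls
    print(uncovered_rule_hosts(INGRESS_SPEC))               # []
```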
About this issue
- State: closed
- Created 4 years ago
- Comments: 22 (10 by maintainers)
That’s the “problem”. You are using a different ingress controller. Please check https://kubernetes.github.io/ingress-nginx/deploy/#using-helm for the helm instructions.
The ingress controller you installed is from NGINX Inc., not the one from the community (this repository)
So much for that.
That is so embarrassing. I didn’t know that there are 2 separate projects around.
It works perfectly fine with the community nginx controller. Is there anything I can offer you to compensate for the amount of time you spent debugging with me @aledbf? Ping me on LinkedIn if you’d like a pizza in exchange 😃