contour: TLSCertificateDelegation does not work with networking.k8s.io/v1 Ingress

What steps did you take and what happened: Technically this is not a contour issue, but in practice it breaks TLSCertificateDelegation with networking.k8s.io/v1 Ingress resource. As of today we can use a networking.k8s.io/v1beta1 Ingress like this:

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: kuard
  annotations:
    kubernetes.io/ingress.class: contour
    ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  rules:
  - host: kuard.somedomain.foo
    http:
      paths:
      - backend:
          serviceName: kuard
          servicePort: http
  tls:
  - secretName: kube-contour/tls-certs
    hosts:
    - kuard.somedomain.foo

Please note; The scretName with the Namespace kube-contour in the TLS section.

Applying this definition does work, but issues a warning about the upcoming deprecation of networking.k8s.io/v1beta1 Ingress:

Warning: networking.k8s.io/v1beta1 Ingress is deprecated in v1.19+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress

When trying to migrate such an Ingress definition to networking.k8s.io/v1 one would rewrite it to:

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/force-ssl-redirect: "true"
  name: kuard
spec:
  ingressClassName: contour
  rules:
  - host: kuard.somedomain.foo
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: kuard
            port:
              number: 80
  tls:
  - secretName: kube-contour/tls-certs
    hosts:
    - kuard.somedomain.foo

Applying this definition results in:

The Ingress "kuard" is invalid: spec.tls[0].secretName: Invalid value: "kube-contour/tls-certs": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

What did you expect to happen: I think there should be a way for users to use TLSCertificateDelegation also with networking.k8s.io/v1 Ingress. Maybe there is already a way how we could solve this, but I was not able to find something. Currently this is not a serious issue, since k8s 1.22 is not yet around the corner, but this will be a serious issue for us.

Anything else you would like to add:

Environment:

Contour version: v1.14.0
Kubernetes version: (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"clean", BuildDate:"2021-02-18T16:12:00Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"clean", BuildDate:"2021-02-18T16:03:00Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}

Kubernetes installer & version:

kubeadm version: &version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"clean", BuildDate:"2021-02-18T16:09:38Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}

Cloud provider or hardware configuration: on-prem
OS (e.g. from /etc/os-release):

PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

About this issue

Original URL
State: closed
Created 3 years ago
Comments: 19 (10 by maintainers)

Commits related to this issue

Ingress: Add detailed documentation Details which features we support, caveats, gotchas Fixes: https://github.com/projectcontour/contour/issues/3546 Fixes: https://github.com/projectcontour/contour/... — committed to sunjayBhatia/contour by sunjayBhatia 3 years ago
Ingress: Add detailed documentation (#3551) * Ingress: Add detailed documentation Details which features we support, caveats, gotchas Fixes: https://github.com/projectcontour/contour/issues/354... — committed to projectcontour/contour by sunjayBhatia 3 years ago

Most upvoted comments

Edit: I should really check the PR before commenting.

Given the changes to Ingress v1 seem to specifically stop TLSCertificateDelegation from being used, I’m not sure how best to bring it along. I seem to recall some Gateway API discussions about bringing TLS certificates across namespaces, for the wildcard use case, so we may be able to take an idea from there as well.

It does seem like an annotation may be the only way to go, but I agree it will need careful design if we do that. In general, we’re trying to keep away from annotations on Ingress, but maybe this is an exception.

youngnick on Apr 8, 2021

Thank you for your answers. Are there any plans to support TLSCertificateDelegation also with v1 Ingress (maybe through an annotation, or something similar)? This is a bit of a ticking time bomb since we don’t want to use the custom httpproxy resource mainly because of portability reasons and since we use wildcard certs we rely on the availability of TLSCertificateDelegation.

ghouscht on Apr 7, 2021

I agree that we should document this limitation, thanks for pointing that out @205g0, and sorry to make this harder for you.

I’ll add the doc-impact and help-wanted labels for this one so that our tech writers working group can pick it up.

youngnick on Jun 22, 2021

Going to echo Nick Young here that this is best experienced on HTTPProxy. We are aware v1beta is going away in k8s v1.22. What is the portability reason you mentioned that lead you to not using HTTPPoxy? @ghouscht

@barbaluc If this is vSphere with Tanzu, I’m guessing you’re deploying contour on a TanzuKubernetesCluster aka Guest Cluster. Why is the secret kept in a different Supervisor Namespace from where the Ingress object lives just curious. Can you describe the setup in greater detail? Btw, JFYI if you require any additional support for Contour please reach out to your customer account team, we try to avoid any kind of customer triaging on github. As you can tell, this is totally open source and best effort sort of contract.

@sunjayBhatia thanks for amending the docs to reflect that it only works with v1beta resources at the moment.

Mainly because of the reasons @pablo-ruth already mentioned and also the fact that we already have hundreds of vanilla k8s Ingress objects spread across multiple teams which is a bit challenging. I’m eagerly waiting for the new Gateway API as I think this will solve a lot of the problems and hopefully the community around ingress controllers will adapt and converge a bit on this new api.

ghouscht on May 6, 2021

Any news about this problem ? We are in a situation where we don’t know how to start using ingress with contour. For the moment we have the intention to use ingress v1beta1 because the certificate secret is deployed in one namespace and used by ingresses from other namespaces. But we want visibility because v1beta1 will be remove in kubernetes 1.22, it’s nearly tomorrow. Thanks in advance for your response

For information, we are using contour in vsphere with tanzu and we have contour support in our wmare licence.

barbaluc on Apr 22, 2021

I’ve got a document in the works for detailing Ingress support, right now planning on describing the main features/fields and how they differ between Ingress versions (if there is a difference) and will include this detail

sunjayBhatia on Apr 6, 2021