
"TCP SERVICES frontends" uses only 1 certificate #1148

Open
GuilhermeAbraham opened this issue Jun 20, 2024 · 0 comments
@GuilhermeAbraham

We want to have 2 TCP frontends for the same backend.

Steps to reproduce the problem

  1. Configure an Ingress for TCP services with 2 hosts and a different certificate for each host
  2. Execute `openssl s_client -showcerts -servername HOST -connect HOST:443 </dev/null` for each host
  3. Check that only 1 certificate gets returned

Environment information
HAProxy Ingress version: v0.14.7

This is our ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "haproxy-mtls"
    haproxy-ingress.github.io/tcp-service-port: "443"
    haproxy-ingress.github.io/secure-backends: "false"
    haproxy-ingress.github.io/secure-verify-ca-secret: "namespace1/mtls-ca"
    haproxy-ingress.github.io/auth-tls-secret: "namespace1/mtls-ca"
    haproxy-ingress.github.io/auth-tls-verify-client: "on"
    haproxy-ingress.github.io/ssl-options-backend: ""
    haproxy-ingress.github.io/tcp-service-proxy-protocol: "v2"
    haproxy-ingress.github.io/backend-check-interval: "2s"
    haproxy-ingress.github.io/proxy-protocol: "v2"
    haproxy-ingress.github.io/health-check-port: "1885"
  name: mtls
  namespace: namespace1
spec:
  rules:
    - host: mtls.domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: do-stuff
                port:
                  name: mqtt-do-stuff
    - host: mtls.old.domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: do-stuff
                port:
                  name: mqtt-do-stuff
  tls:
    - hosts:
        - mtls.domain.com
      secretName: root
    - hosts:
        - mtls.old.domain.com
      secretName: mqtt

This is how the generated configuration looks:

# #
#     TCP SERVICES frontends
#
frontend _front_tcp_443
    bind :443 ssl crt /var/lib/haproxy/crt/root.pem ca-file /var/lib/haproxy/cacerts/mtls-ca.pem verify required
    mode tcp
    option tcplog
    tcp-request content set-var(req.tcpback) ssl_fc_sni,lower,map_str(/etc/haproxy/maps/_tcp_sni_443__exact.map)
    use_backend %[var(req.tcpback)] if { var(req.tcpback) -m found }

In summary, notice that even if you have 2 hosts and 2 secrets, the template only ever considers 1 `crt` instead of a `crt-list`.

Also, related to #1109, where you removed SNI from the mappings: I found it interesting that SNI maps are still being used on TCP. It doesn't impact what we are doing, but maybe you want to consider whether this needs to be changed?

Thanks in advance, let me know if I can do anything to help and/or provide clarification.
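The following is an added illustration, not HAProxy Ingress code and not part of the report above. It models the difference the reporter describes: a `bind ... ssl crt root.pem` line knows exactly one certificate, so every SNI gets `root.pem`, whereas a `crt-list` file (one line per certificate in HAProxy's `<certfile> [options] <sni filter>...` format) lets HAProxy pick the certificate by SNI, with the first entry as the default when nothing matches. It assumes the controller writes each TLS secret as `<secretName>.pem` under `/var/lib/haproxy/crt` (only `root.pem` is visible in the dump above); the `INGRESS_TLS` list is constructed from the Ingress `spec.tls` in the issue. Wildcard and negative crt-list filters are not modelled.

```python
"""Added example (not HAProxy Ingress or HAProxy code).

Derive a crt-list from an Ingress tls section and show which certificate
a TCP frontend would present for a given SNI.
"""
import re

# Paths taken from the issue's generated config; "<secretName>.pem" is an assumption.
CRT_DIR = "/var/lib/haproxy/crt"
CA_FILE = "/var/lib/haproxy/cacerts/mtls-ca.pem"

# Constructed from the Ingress spec.tls in the issue.
INGRESS_TLS = [
    {"hosts": ["mtls.domain.com"], "secretName": "root"},
    {"hosts": ["mtls.old.domain.com"], "secretName": "mqtt"},
]


def crt_list_entries(tls, crt_dir=CRT_DIR, ca_file=CA_FILE):
    """Build crt-list lines from an Ingress tls section.

    One line per secret: "<cert.pem> [options] <sni filter>...".
    The mTLS options are repeated per certificate so every host keeps
    client-certificate verification, not only the default certificate.
    """
    owner = {}
    lines = []
    for item in tls:
        path = f"{crt_dir}/{item['secretName']}.pem"
        hosts = [h.lower() for h in item["hosts"]]
        for h in hosts:
            # A host claimed by two secrets is ambiguous; fail rather than guess.
            if owner.get(h, path) != path:
                raise ValueError(f"{h} maps to both {owner[h]} and {path}")
            owner[h] = path
        lines.append(f"{path} [ca-file {ca_file} verify required] {' '.join(hosts)}")
    return lines


def bind_line(port, crt_list_path):
    """The bind statement that replaces 'ssl crt <one file>' on the TCP frontend."""
    return f"bind :{port} ssl crt-list {crt_list_path}"


_LINE = re.compile(r"^(\S+)(?:\s+\[([^\]]*)\])?\s*(.*)$")


def parse_crt_list(lines):
    """Parse crt-list lines into (cert_path, options, [sni filters])."""
    parsed = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"bad crt-list line: {line!r}")
        path, opts, filters = m.groups()
        parsed.append((path, opts or "", filters.split()))
    return parsed


def cert_for_sni_single_crt(crt_path, sni):
    """'bind :443 ssl crt root.pem' has one certificate; SNI is ignored."""
    return crt_path


def cert_for_sni(crt_list, sni):
    """Certificate presented with a crt-list: exact SNI filter match, else the
    first certificate in the list (HAProxy's default)."""
    parsed = parse_crt_list(crt_list)
    sni = sni.lower()
    for path, _, filters in parsed:
        if sni in filters:
            return path
    return parsed[0][0]


if __name__ == "__main__":
    entries = crt_list_entries(INGRESS_TLS)
    print(bind_line(443, "/etc/haproxy/crt-list_443.txt"))
    print("\n".join(entries))
    for host in ("mtls.domain.com", "mtls.old.domain.com"):
        print(host, "crt:", cert_for_sni_single_crt(f"{CRT_DIR}/root.pem", host),
              "crt-list:", cert_for_sni(entries, host))
```

Running the script shows both hosts getting `root.pem` under the single-`crt` model, while the crt-list model returns `mqtt.pem` for `mtls.old.domain.com`, which is the behaviour the `openssl s_client -servername` check in step 2 would confirm once per host.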
