Ingress Controller Fake Cert Generation #194
Add an example for static-ip and deployment
Clarify that an ingress controller needs to be deployed
Add a skeleton admin guide
Always docker --pull when building to fetch latest base images
Clarify firewall-rule doc
LGTM. Waiting for @bprashanth's comment in #191 to merge.
Fix nil HTTP field
FIX: ingress was not creating the endpoint when target port is string
- point to most recent version of k8s-wide docs, not some frozen version - actually mention the ingress-specific development guide
Improve links from CONTRIBUTING.
Fix an e2e link.
Fix node lister when --watch-namespace is used
Add annotation to customize nginx configuration
Refactoring of TCP and UDP services
Update some descriptions of 'Test HTTP Service'
Fix lint error
…tion modified: controllers/nginx/configuration.md modified: controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl modified: core/pkg/ingress/annotations/authtls/main.go modified: core/pkg/ingress/controller/backend_ssl.go modified: core/pkg/ingress/controller/controller.go modified: core/pkg/ingress/controller/util_test.go modified: core/pkg/ingress/resolver/main.go modified: core/pkg/ingress/types.go modified: core/pkg/net/ssl/ssl.go modified: examples/PREREQUISITES.md new file: examples/auth/client-certs/nginx/README.md new file: examples/auth/client-certs/nginx/nginx-tls-auth.yaml
Check for error getting cert
Change arg ordering in log message
Typo: unittesting -> unit testing
Expose Prometheus metrics in glbc controller
Adds correct support for TLS Mutual authentication
Fix client source IP address
Enable custom election id for status sync.
@rikatz ping. What is the status of this PR?

@aledbf Will take a look at this later today. I do agree with @bprashanth that this should be optional, just couldn't figure out how to achieve this correctly. Maybe a new flag in ingress (specific to nginx ingress) that allows the user to generate or not this new Self Signed certificate.

This cannot be optional (nginx). We need a default certificate. Without one all the https traffic will be sent to the first server with an SSL certificate.

@aledbf Sorry about that. It seems it fetched all the other commits incorrectly. Basically I've removed the configuration of default TLS on misconfigured vhosts, and generated the fake Cert only for the default server. So when a server does not have a correct certificate, it will not configure an SSL certificate. But the default server (vhost _) will always have it. I'll see if I can revert this bunch of commits / merges later, otherwise will close this PR and open another (as we still don't have any review here, but the discussion in the referenced issue #191). Sorry again, and thanks.

@aledbf Created a new branch as I couldn't revert the mess I did on this one: https://github.com/rikatz/ingress/tree/ingress-fake-cert Will work on this tomorrow and check if everything is working by now. So the behaviour in this case is to generate a self signed certificate and use it only in the default vhost, and not anymore in misconfigured vhosts. So we can try to improve this later on another PR/discussion.

I've found an ugly bug in this implementation, that hangs out when no Default Secret exists and doesn't fetch the other secrets. I'm working on a correction for this also, and will open a PR containing the bug fix and the fake cert generation :)
This PR solves the problem reported in #191
It generates a new Fake Cert, instead of using the snake oil.
Once the Fake Cert is generated, it's not created anymore until someone erases it.