Ingress Fake Certificate generation #382
…oesn't exists

Generates a Self signed certificate for default vhost if the secret doesn't exist

modified: core/pkg/ingress/controller/backend_ssl.go
modified: core/pkg/ingress/controller/controller.go
modified: core/pkg/net/ssl/ssl.go
/lgtm

@rikatz thanks!
@@ -944,9 +956,6 @@ func (ic *GenericController) createServers(data []interface{}, | |||
servers[host].SSLCertificate = cert.PemFileName | |||
servers[host].SSLPemChecksum = cert.PemSHA | |||
} | |||
} else { | |||
servers[host].SSLCertificate = defaultPemFileName | |||
servers[host].SSLPemChecksum = defaultPemSHA | |||
} |
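Review bot: With the `else` branch at the end of this hunk gone from createServers, a host that reaches this point without a certificate is left without servers[host].SSLCertificate and servers[host].SSLPemChecksum being set here, and nothing in the visible lines records that case. Consider logging a warning that names the host when no certificate is assigned, and add a short comment at this spot stating that the default certificate is intentionally not used, so the omission is not later read as a bug.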
This was removed due to a request from @bprashanth to not assign the default certificate on misconfigured ingresses.
Instead, I'm going to create a new ConfigMap to make this behaviour configurable (Heroku-like), and it will be an admin choice whether to enable this or not.
@bprashanth PR #459 adds `if tlsSecretName == ""` before looking for a secret. Could this be changed to "use the default secret" instead of a warning? This would fix a misbehavior on haproxy ingress. Note that this change doesn't assign the default cert on a misconfigured ingress.
This PR solves the problem reported in #191
It generates a new Fake Cert, instead of using the snake oil.
Once the Fake Cert is generated, it's not created anymore until someone erases it.
Also it improves the secrets enqueuing by removing some wrong code that wasn't downloading the other TLS Secrets.
A final change in this PR is inserting an 'os.Remove' in the Temporary Pem File generation, so when an error occurs the files do not fill the filesystem.
This PR substitutes #194.
cc @aledbf
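
The two behaviours the description above mentions, generating a self-signed certificate and removing the temporary PEM file when an error occurs, shown as an added Go example that is not the PR's own code. The function names `fakeCertPEM` and `writePEM`, the file name pattern, the RSA key size, the timestamp serial, the validity period and the key-pair validation step are all assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"os"
	"time"
)

// fakeCertPEM (hypothetical helper) returns a self-signed certificate and its key as PEM.
func fakeCertPEM(host string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{ // also passed as the parent below, hence self-signed
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER := x509.MarshalPKCS1PrivateKey(key)
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: keyDER})...), nil
}

// writePEM (hypothetical) stores the bundle in a temp file and deletes it if anything fails.
func writePEM(dir string, bundle []byte) (string, error) {
	f, err := os.CreateTemp(dir, "fake-cert-*.pem") // created with mode 0600
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err = f.Write(bundle); err == nil {
		_, err = tls.X509KeyPair(bundle, bundle) // must parse as a matching pair
	}
	if err != nil {
		os.Remove(f.Name()) // failed attempts must not fill the filesystem
		return "", err
	}
	return f.Name(), nil
}
```

Calling `writePEM` with bytes that are not a valid certificate and key returns an error and leaves no file behind in `dir`.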