Traffic management using NGINX ingress controller does not support TLS termination at the ingress controller. #1134
Comments
The recommended approach for TLS termination when we use NLB + ingress in an AWS EKS deployment is to use TLS termination at the ingress side, since NLB doesn't support it directly. So this issue will be a critical one if you use Argo Rollouts with the NLB+Ingress duo in AWS EKS.
TLS configurations of the canary ingress are inherited from the corresponding main ingress. Please check whether the canary ingress is correctly selected by the ingress controller (spec.ingressClassName, for example).
Same issue:
kubectl version:
kubectl argo rollouts version:
ingress-nginx-controller:
This doesn't seem to be the case. I'm using cert-manager with CloudFlare Origin Issuer and the TLS values are not inherited by the canary ingress. Same issue:

```yaml
# Stable Ingress
apiVersion: v1
items:
- apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    annotations:
      cert-manager.io/issuer: origin-issuer
      cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
      cert-manager.io/issuer-kind: OriginIssuer
      external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
    creationTimestamp: "2022-07-22T20:10:32Z"
    generation: 1
    labels:
      app.kubernetes.io/instance: the-canary
      app.kubernetes.io/managed-by: Helm
      app.kubernetes.io/name: the-canary
      app.kubernetes.io/version: 1.16.0
      argocd.argoproj.io/instance: the-canary
      helm.sh/chart: the-canary
    name: the-canary
    namespace: test
    resourceVersion: "69952539"
    uid: x
  spec:
    ingressClassName: nginx
    rules:
    - host: myhostname.net
      http:
        paths:
        - backend:
            service:
              name: the-canary
              port:
                number: 1001
          path: /
          pathType: ImplementationSpecific
    tls:
    - hosts:
      - myhostname.org
      secretName: the-canary-origin-cert
  status:
    loadBalancer:
      ingress:
      - hostname: x.elb.amazonaws.com
# Canary Ingress
- apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    annotations:
      nginx.ingress.kubernetes.io/canary: "true"
      nginx.ingress.kubernetes.io/canary-by-header: X-Canary
      nginx.ingress.kubernetes.io/canary-by-header-value: "true"
      nginx.ingress.kubernetes.io/canary-weight: "0"
    creationTimestamp: "2022-10-24T02:17:53Z"
    generation: 1
    name: the-canary
    namespace: test
    ownerReferences:
    - apiVersion: argoproj.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: Rollout
      name: the-canary
      uid: x
    resourceVersion: x
    uid: x
  spec:
    ingressClassName: nginx
    rules:
    - host: myhostname.net
      http:
        paths:
        - backend:
            service:
              name: the-canary
              port:
                number: 1001
          path: /
          pathType: ImplementationSpecific
  status:
    loadBalancer:
      ingress:
      - hostname: x.elb.amazonaws.com
kind: List
metadata:
  resourceVersion: ""
```
This issue is stale because it has been open 60 days with no activity.
Still an issue.
Interesting comment here, can it be explained? https://github.com/argoproj/argo-rollouts/blob/master/rollout/trafficrouting/nginx/nginx.go#L69-L70
@leoluz: since you're the author of the code / comment from @rarecrumb's question...
May I ask what is the reasoning behind this? Not copying the
…gration. Fixes argoproj#1134 (argoproj#2679)
* Retain TLS configuration for canary ingresses in the nginx integration
  Signed-off-by: Pavels Fjodorovs <[email protected]>
* Retain TLS configuration for canary ingresses in the nginx integration
  Signed-off-by: Pavels Fjodorovs <[email protected]>
* fixed tests after multiple nginx ingress merge
  Signed-off-by: Pavels Fjodorovs <[email protected]>
---------
Signed-off-by: Pavels Fjodorovs <[email protected]>
Signed-off-by: Pavels Fjodorovs <[email protected]>

…gration. Fixes argoproj#1134 (argoproj#2679)
* Retain TLS configuration for canary ingresses in the nginx integration
  Signed-off-by: Pavels Fjodorovs <[email protected]>
* Retain TLS configuration for canary ingresses in the nginx integration
  Signed-off-by: Pavels Fjodorovs <[email protected]>
* fixed tests after multiple nginx ingress merge
  Signed-off-by: Pavels Fjodorovs <[email protected]>
---------
Signed-off-by: Pavels Fjodorovs <[email protected]>
Signed-off-by: Pavels Fjodorovs <[email protected]>
Signed-off-by: Liming Liu <[email protected]>
Summary
Traffic management using NGINX ingress controller does not support TLS termination at the ingress controller.
Original ingress yaml:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: colours
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: service-stable
          servicePort: 80
        path: /
  tls:
  - secretName: cert-secret
status:
  loadBalancer: {}
```
Autogenerated yaml by Argo Rollouts:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-weight: "0"
  name: colours-colours-canary
  ownerReferences:
  - blockOwnerDeletion: true
    controller: true
    kind: Rollout
    name: blah
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: service-canary
          servicePort: 80
        path: /
status:
  loadBalancer: {}
```
You can see that the TLS section is missing.
I'd argue that the full ingress spec should be copied from the original ingress to the argo-generated ingress. That would cause the TLS section, and anything in there to be respected during the canary rollout.
Use Cases
TLS termination at the ingress controller during canary rollouts.
Message from the maintainers:
Impacted by this bug? Give it a 👍. We prioritize the issues with the most 👍.
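
A check for the condition this issue reports, as an added example (not code from Argo Rollouts): it reads `kubectl get ingress -o json` output and flags canary ingress rules that have no `spec.tls` while a non-canary ingress in the same namespace serves the same host with TLS. The sample JSON, the canary ingress name `the-canary-canary` and the function name are constructed for illustration.

```go
package main

import "encoding/json"
import "fmt"

type ingress struct { // subset of the Ingress schema; JSON keys match case-insensitively
	Metadata struct {
		Name, Namespace string
		Annotations     map[string]string
	}
	Spec struct {
		Rules []struct{ Host string }
		TLS   []json.RawMessage
	}
}

// Constructed sample in the shape of `kubectl get ingress -o json`; names are made up.
const sampleList = `{"items":[{"metadata":{"name":"the-canary","namespace":"test"},
 "spec":{"rules":[{"host":"myhostname.net"}],"tls":[{"secretName":"the-canary-origin-cert"}]}},
 {"metadata":{"name":"the-canary-canary","namespace":"test","annotations":{"nginx.ingress.kubernetes.io/canary":"true"}},
 "spec":{"rules":[{"host":"myhostname.net"}]}}]}`

// findCanariesMissingTLS returns "namespace/name host" for each canary ingress rule that
// has no spec.tls while a non-canary ingress in the same namespace serves that host with TLS.
func findCanariesMissingTLS(listJSON string) (missing []string, err error) {
	var list struct{ Items []ingress }
	if err = json.Unmarshal([]byte(listJSON), &list); err != nil {
		return nil, err
	}
	const canaryAnnotation = "nginx.ingress.kubernetes.io/canary"
	isCanary := func(i ingress) bool { return i.Metadata.Annotations[canaryAnnotation] == "true" }
	tlsHosts := map[string]bool{} // "namespace/host" served with TLS by a stable ingress
	for _, i := range list.Items {
		for _, r := range i.Spec.Rules {
			if !isCanary(i) && len(i.Spec.TLS) > 0 {
				tlsHosts[i.Metadata.Namespace+"/"+r.Host] = true
			}
		}
	}
	for _, i := range list.Items {
		for _, r := range i.Spec.Rules {
			if isCanary(i) && len(i.Spec.TLS) == 0 && tlsHosts[i.Metadata.Namespace+"/"+r.Host] {
				missing = append(missing, i.Metadata.Namespace+"/"+i.Metadata.Name+" "+r.Host)
			}
		}
	}
	return missing, nil
}

func main() { fmt.Println(findCanariesMissingTLS(sampleList)) }
```

An empty result means every canary ingress either carries its own `spec.tls` or shadows a host that no stable ingress terminates TLS for.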