multiple TLS certs are not correctly handled by GCE (no SNI support) #46
Comments
From @ensonic on July 12, 2017 12:44 Erm, the docs (https://github.com/kubernetes/ingress/blob/master/controllers/gce/README.md#frontend-https) say "This controller does not support SNI, so it will ignore all but the first cert in the TLS configuration section." - are you planning to fix this?
From @nicksardo on July 12, 2017 15:43 GCP's HTTP(S) LB does not support SNI.
From @ensonic on July 13, 2017 7:21 Would it make sense to mention this here: https://github.com/kubernetes/ingress/blob/master/controllers/gce/BETA_LIMITATIONS.md ?
From @munnerz on September 11, 2017 10:36 It looks like GCE now does in fact support SNI https://issuetracker.google.com/issues/35904767#comment47
From @munnerz on September 11, 2017 10:40 It looks like the code in question that'll need changing mostly resides here: https://github.com/kubernetes/ingress/blob/master/controllers/gce/loadbalancers/loadbalancers.go (search for
From @mhr3 on September 14, 2017 11:58 Looks like adding the extra certificate to the load balancer on GCE works fine, but k8s can't set it up properly atm.
@mhr3 Do the changes persist when you add the extra certificate in GCE? Having official support for this would be great. I have multiple certificates I'd like to use as well.
+1
This is supported in the controller version 1.1+
From @ensonic on July 12, 2017 10:9
I have set up an ingress for 3 microservices under 3 subdomains, each having their own cert.
When I start up the ingress I see this in the l7-lb-controller log:
W0712 10:01:30.733403 1 tls.go:58] Ignoring 2 certs and taking the first for ingress default/tls-termination
IMHO that cannot work, and indeed I get a single cert applied to all 3 subdomains and, as expected, e.g. browsers complain about the mismatch. I would expect the Host header to be used to select the appropriate cert.
This is what the config looks like for 2 hosts; example.com is just used for illustration
Using a single cert covering all subdomains is maybe doable, but would not be nice, since the services should not need to know about each other.
Copied from original issue: kubernetes/ingress-nginx#952
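
The failure described in this issue, as an added example that is not part of the original issue or the controller's code: a Python check that lists which Ingress hosts get a certificate name mismatch when only the first `tls` entry's certificate is served. The manifest, secret names, SAN lists and function names are constructed for illustration; in a cluster the SANs would be parsed from each secret's `tls.crt`.

```python
# Added example (not from the issue or the controller): audit an Ingress for
# hosts that break when only the first TLS certificate is served.

def san_matches(san, host):
    """Wildcard SANs cover exactly one leftmost label; others match exactly."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == san[2:]
    return san == host


def audit_first_cert_only(ingress, secret_sans):
    """Return (ignored_cert_count, hosts the first certificate does not cover).

    secret_sans maps secret name -> list of SAN dNSNames (an assumption here;
    in a cluster they would be parsed from each secret's tls.crt).
    """
    tls = ingress.get("spec", {}).get("tls", [])
    if not tls:
        return 0, []
    first_sans = secret_sans.get(tls[0]["secretName"], [])
    hosts = {h for entry in tls for h in entry.get("hosts", [])}
    uncovered = sorted(
        h for h in hosts if not any(san_matches(s, h) for s in first_sans)
    )
    return len(tls) - 1, uncovered


# Constructed manifest: three subdomains, one certificate each.
INGRESS = {
    "metadata": {"namespace": "default", "name": "tls-termination"},
    "spec": {"tls": [
        {"hosts": ["a.example.com"], "secretName": "cert-a"},
        {"hosts": ["b.example.com"], "secretName": "cert-b"},
        {"hosts": ["c.example.com"], "secretName": "cert-c"},
    ]},
}
SANS = {  # constructed SAN lists
    "cert-a": ["a.example.com"],
    "cert-b": ["b.example.com"],
    "cert-c": ["c.example.com"],
    "cert-wild": ["*.example.com"],
}

if __name__ == "__main__":
    ignored, broken = audit_first_cert_only(INGRESS, SANS)
    print(f"ignoring {ignored} certs; mismatched hosts: {broken}")
```

A non-empty second element means those hosts will present a certificate that does not name them unless the load balancer selects certificates by SNI.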