generic controller shouldn't require snakeoil certs #191
Comments
bprashanth
added
backend/generic
help wanted
|
@bprashanth this is my fault :) The thing is that, while trying to solve the problem of Default SSL Certificates, I've hit this part of code that you need some kind of certificate. This was the simplier way to do this, generating those Fake Certificates. I don't know if maybe a hardcoded certificate would be better in this case, so I'm gonna wait for @aledbf to answer. |
|
What about https://golang.org/src/crypto/tls/generate_cert.go ? |
|
Yeah we can just generate a self signed cert the same way as generate_cert.go. |
|
Might be a bit off topic, but it would also be a huge plus if the code checked that the ssl directly exists and can be written to instead of crashing 😃 |
|
@bprashanth I use this in case you have a TLS definition (or a default certificate, as example) and the certificate is invalid or inexistence. Instead of generating a lot of error messages, we do this to create a fake SSL Certificate. |
|
@bprashanth I've a WIP here to make this work. Will commit into my repo and work at home. You can take a look here, I'm going to improve also the controller reloading handling, and make a new PR to solve this problem. Here is the repo: https://github.com/rikatz/ingress/blob/nginx-ssl-problem/core/pkg/net/ssl/ssl.go#L170 |
|
@bprashanth Opened the PR #194, take a look and report if this solves our problem :) |
|
Thanks! Will take a look today/tomorrow |
Isn't it better to throw events and fail fast, if the cert is malformed or non-existent? If you use a random fake cert users are probably going to be broken because the cert is signed by an unknown CA, but the admin of the cluster will continue to think everything is fine, right? |
|
@bprashanth I think this is a point of view. Generating self signed certificates (as it was being made with the snake-oil-certificate) could make user and admin life easier. Maybe we should only warn (or make a flag in the program) to generate or not this Self Signed Certificate. But as the following situation:
I don't think this is a desirable situation. Generating self signed certificates, in my opinion, is a much more elegant solution that giving user an error :) But we can still change / revert this. @aledbf your opinion in this is important! |
|
@rikatz @bprashanth we need (at least in nginx) a certificate as fallback to be used in the default server to listen in port 443. Without this the first ingress configured with a tls section will be used as default server for https (this is the reason of the flag |
|
@bprashanth @rikatz please check kubernetes-retired/contrib#1393 for context |
|
Maybe I misunderstood, I think using a default cert for just the default backend is good. I think using a default cert instead for a specific hostname is going to surprise users, i.e: tls:
- hosts:
- google.com
secretName: wwww
rules:
- host: google.com
paths
- path: /
backend:
serviceName: frontend
servicePort: 80
status:
ingressIP: 1.2.3.4If www doesn't exist, I want google.com to be unavailable, not encrypt using a self signed cert. |
|
@bprashanth Whatyou reported in your last comment is dealed by this piece of code: This if we could substitute by a glog.Warning message. I've changed this before (to use the default certificate) as this could be easier for users to enable the HTTPs vhost using the generic certificate. |
|
How about including the always including the default certificate in the ingress.Configuration and letting the backend decide if it should use when there's no available certificate? Then if you don't find the secret you leave the field empty and throw an event. |
|
@bprashanth I Didn't get the idea. What happens here is that if the backend doesn't find a valid certificate, it uses the default one (the configured in --default-ssl-certificate, or otherwise if none configured the fake one). The idea is just throw a Warning when using the default certificate? |
|
Yeah I want that to be the decision of the backend, not the decision of the generic controller. I haven't looked at the implementation yet, or how we'd pipe the default cert into the ingress.Configuration, but does that make sense? |
|
Hum, ok. So let's 'draw' the flow:
The thing I think is, even if we do this approach, when a vhost doesn't contain a valid certificate but NGINX implements at least one ssl listener, the first one will be used again (the default_server). Your approach makes sense so we can still reduce the file size of nginx.conf, but the user will get the error anyway, as there is at least one ssl listener, and the system will not be able to find the right certificate for users vhost. Am I right? |
|
I'm thinking about delegation to the specific backend, which may or may not be nginx. The decision to use or ignore the fake cert should be made somewhere here: https://github.com/kubernetes/ingress/blob/master/controllers/nginx/pkg/cmd/controller/nginx.go#L17, not in the core. After doing that, I'm fine plugging the default where there's no valid cert because any user that doesn't want this behavior will just not specify the |
|
Guys, I'm working in the Authentication TLS here, and will return this issue ASAP. |
|
@bprashanth so, what's the right workflow?
Is this right? I couldn't figure out how to accomplish this in the nginx controller code, but only in core. Sorry about bothering you with this, but I really can't figure out what need to be done |
|
I'm fine with not crashlooping. I'm suggesting that you add a field called protocol to ingress.Server here: https://github.com/kubernetes/ingress/blob/master/core/pkg/ingress/types.go#L156 Set it here, if you find a ing.spec.tls: https://github.com/kubernetes/ingress/blob/master/core/pkg/ingress/controller/controller.go#L880 in cases 1 and 2 the generic controller leaves the cert field empty here: That will get passed to OnUpdate: https://github.com/kubernetes/ingress/blob/master/core/pkg/ingress/controller/controller.go#L390 And then to the nginx controller backend: At the last step the nginx controller backend says:
and the GCE controller can say
Something like that, make sense? We might also have to pipe the --default-cert arg to the backend for that to work. |
|
I'm also not sure if we want to call it protocol, or just TLS=true/false, since protocol=TCP might also want TLS and we won't have a way to express that. Maybe we don't even mention tls and call it |
|
Closing. Fixed in #382 |
Currently I can't build a simple controller on busybox because we hit this code path: https://github.com/kubernetes/ingress/blob/master/core/pkg/ingress/controller/controller.go#L837 which goes looking in
/etc/sslfor default certs. If we don't find certs we can simply generate them on the fly.@aledbf fyi
The text was updated successfully, but these errors were encountered: