-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issues with Ingress Configuration and Client Certificate Transmission #10967
Comments
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@sajith-madhusanka if this is true then a working feature broke but I don't recall an PR related to the feature
/remove-kind bug |
Hi @longwuyuan I've updated the issue description as suggested by removing the screenshots. Please find the curl command to reproduce the issue.
client .key.txt Please let me know if you need further information. Thanks & Regards |
|
Hi @longwuyuan With the shared curl command, I'm accessing a deployment (
Hope you can follow the steps stated under the "How to reproduce this issue:" section in the issue description to deploy a similar setup on your local machine and reproduce the issue. If it is required to have a screen-sharing session to further discuss the issue, we can schedule it for this Tuesday (6th of February 2024). Thanks & Regards |
|
Hi @longwuyuan I've updated the issue description with the required information. You can find that under the 'Anything else we need to know:' section. Thanks & Regards |
|
Hi @longwuyuan, Please find the requested information.
Thanks & Regards |
|
Hi @longwuyuan
Actually, I'm not sending the request to localhost port 443; instead, that request is going through the ingress controller.
After deploying the above Ingress object, it will add the required configuration to the nginx.conf file in the Ingress controller pod. This configuration allows me to access the application deployed in the Kubernetes cluster via 'gateway.am.wso2.com' on port 443.
Please refer to the log snippets below, extracted from the Ingress controller pod. These logs indicate that the changes deployed via the aforementioned Ingress object were successfully reflected to the ingress controller pod.
Furthermore, please refer to the log line below, extracted from the Ingress controller pod, which indicates that the request made via the following curl command is routed to the configured Kubernetes service ('sample-service') through the Ingress controller.
Curl command: It seems that the issue here is that the annotations configured in the Ingress object to send the client certificate to the upstream server are not being reflected in the Ingress controller pod.
Hope you now have a better understanding of the issue. Please let us know if you need further clarification. Thanks & Regards |
|
Hi @longwuyuan We have further investigated the issue and identified that the following annotation is mandatory to enable client-side authentication.
Hence, we have modified the Ingress object as follows, including the aforementioned annotation.
We were able to observe that the client certificate is sent to the upstream server in a HTTP header (ssl-client-cert) after applying the above modification.
Thanks & Regards |
thanks |
@longwuyuan: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What happened:
Despite configuring the
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream
annotation to true [1], there is an observed issue where the Ingress fails to transmit the client certificate in an HTTP header. Kindly refer to the trace log extracted from the application. As we can see, the client certificate is not sent to the upstream server.What you expected to happen:
According to the documentation [1], the Ingress is expected to send the client certificate in the HTTP header (ssl-client-cert) to the upstream server. This behavior should occur when the Ingress is configured with the 'nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream' annotation as illustrated below:
[1] https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#client-certificate-authentication
NGINX Ingress controller version (exec into the pod and run nginx-ingress-controller --version.):
NGINX Ingress controller
Release: v1.9.4
Build: 846d251
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.21.6
Kubernetes version (use
kubectl version
):Client Version: v1.28.4
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.3
Environment:
Cloud provider or hardware configuration:
OS (e.g. from /etc/os-release): Ubuntu 22.04.3 LTS
Kernel (e.g.
uname -a
): Linux madhusanka 6.5.0-15-generic Split implementations from generic code #15~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 12 18:54:30 UTC 2 x86_64 x86_64 x86_64 GNU/LinuxInstall tools: minikube
Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.
Basic cluster related info:
kubectl version
kubectl get nodes -o wide
helm ls -A | grep -i ingress
helm -n <ingresscontrollernamespace> get values <helmreleasename>
minikube addons enable ingress
Current State of the controller:
kubectl describe ingressclasses
Events:
kubectl -n <ingresscontrollernamespace> get all -A -o wide
kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
Current state of ingress object, if applicable:
kubectl -n <appnamespace> get all,ing -o wide
kubectl -n <appnamespace> describe ing <ingressname>
If applicable, then, your complete and exact curl/grpcurl command (redacted if required) and the reponse to the curl/grpcurl command with the -v flag
Others:
kubectl describe ...
of any custom configmap(s) created and in useHow to reproduce this issue:
minikube addons enable ingress
kubectl create namespace test
kubectl apply -f sample-deployment.yaml
sample-deployment.yaml
kubectl apply -f sample-service.yaml
sample-service.yaml
kubectl apply -f sample-Ing.yaml
sample-Ing.yaml
client .key.txt
public.crt.txt
Anything else we need to know:
minikube start
docker
Please note that I've added the following host mapping to the /etc/hosts file on my local machine (host machine).
192.168.49.2 gateway.am.wso2.com
Thanks & Regards
Sajith M
The text was updated successfully, but these errors were encountered: