Problem with nginx reload when an ingress has more than one host configured with tls enabled #1342

Closed
stibi opened this issue Sep 12, 2017 · 1 comment · Fixed by #1349

Comments

@stibi
Contributor

stibi commented Sep 12, 2017

Hi,
I think the reload doesn't work in the following case:

If you create an ingress with one host, enable TLS for it and let kube-lego issue a certificate, it works nicely:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  labels:
    foo: bar
  name: my-ingress
  namespace: hosting
spec:
  rules:
  - host: my.domain.cz
    http:
      paths:
      - backend:
          serviceName: my-service
          servicePort: 80
        path: /
  tls:
  - hosts:
    - my.domain.cz
    secretName: my-secret

I can see from the log that the controller notices the ingress change, then it doesn't find the secret, because kube-lego is working on it, but once it's finished, the secret is added to the local store and nginx is reloaded.

I0912 18:59:57.713489       5 event.go:218] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"hosting", Name:"my-ingress", UID:"9216396a-97ec-11e7-b000-062bd6dfd378", APIVersion:"extensions", ResourceVersion:"26522748", FieldPath:""}): type: 'Normal' reason: 'CREATE' Ingress hosting/my-ingress
I0912 18:59:58.111156       5 controller.go:477] backend reload required                                                                                                                                           
I0912 18:59:58.203727       5 controller.go:486] ingress backend successfully reloaded...
W0912 19:00:18.108475       5 backend_ssl.go:41] error obtaining PEM from secret hosting/my-secret: secret named hosting/my-secret does not exist                                       
W0912 19:00:18.110262       5 controller.go:1215] ssl certificate "hosting/my-secret" does not exist in local store                                                                                   
I0912 19:00:18.111127       5 controller.go:477] backend reload required                                  
I0912 19:00:18.202267       5 controller.go:486] ingress backend successfully reloaded...                 
W0912 19:00:21.443465       5 controller.go:1215] ssl certificate "hosting/my-secret" does not exist in local store                                                                                   
I0912 19:00:24.776136       5 backend_ssl.go:58] adding secret hosting/my-secret to the local store                                                                                                   
I0912 19:00:24.778968       5 controller.go:477] backend reload required                                  
I0912 19:00:24.870096       5 controller.go:486] ingress backend successfully reloaded...

The problem is when you add another host:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "true"
  labels:
    foo: bar
  name: my-ingress
  namespace: hosting
spec:
  rules:
  - host: my.domain.cz
    http:
      paths:
      - backend:
          serviceName: my-service
          servicePort: 80
        path: /
  - host: another.domain.cz
    http:
      paths:
      - backend:
          serviceName: my-service
          servicePort: 80
        path: /
  tls:
  - hosts:
    - my.domain.cz
    - another.domain.cz
    secretName: my-secret

After the certificate is issued, nginx doesn't reload:

W0912 19:05:23.815734       5 controller.go:1222] ssl certificate hosting/my-secret does not contain a Common Name or Subject Alternative Name for host another.domain.cz
I0912 19:05:24.778135       5 controller.go:477] backend reload required
I0912 19:05:24.865789       5 controller.go:486] ingress backend successfully reloaded...
10.20.3.72 - [10.20.3.72] - - [12/Sep/2017:19:05:26 +0000] "GET /.well-known/acme-challenge/_selftest HTTP/1.1" 200 16 "-" "Go-http-client/1.1" 139 0.001 [kube-system-kube-lego-nginx-8080] 10.1.17.2:8080 16 0.001 200
I0912 19:05:28.902282       5 backend_ssl.go:53] updating secret hosting/my-secret in the local store

You have to trigger the reload by another ingress modification for example, then the secret is picked up and the host is redirected to https…

Maybe #991 and #1032 broke this a bit?

I'm trying to fix it, but I'm having a hard time, I have to say… I'll continue anyway, but any hint is much appreciated.
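A triage check for the symptom reported above, as an added example that is not part of the original issue or the controller's code: it scans controller log lines (copied from the two excerpts in this issue) and reports secrets whose last local-store update was never followed by `backend reload required`, meaning nginx is still running configuration generated before the certificate arrived. The function name and the message patterns are assumptions derived from the log lines shown here.

```python
import re
from collections import defaultdict

# klog line: severity+MMDD, time, pid, file:line], message
KLOG = re.compile(r"^[IWEF]\d{4} (?P<ts>[\d:.]+)\s+\d+ \S+\] (?P<msg>.*)$")
STORE = re.compile(r"(?:adding|updating) secret (?P<secret>\S+) (?:to|in) the local store")
NO_SAN = re.compile(r'ssl certificate "?(?P<secret>[^\s"]+)"? does not contain a Common Name '
                    r"or Subject Alternative Name for host (?P<host>\S+)")

def find_unreloaded_secrets(lines):
    """Map each secret whose latest store update has no later reload to the
    update time and the hosts the previous certificate did not cover."""
    pending, uncovered = {}, defaultdict(set)
    for line in lines:
        m = KLOG.match(line.strip())
        if not m:
            continue  # e.g. nginx access-log lines mixed into the stream
        msg = m["msg"]
        if msg.startswith("backend reload required"):
            pending.clear()  # config regenerated from the current store
        elif (w := NO_SAN.match(msg)):
            uncovered[w["secret"]].add(w["host"])
        elif (s := STORE.match(msg)):
            hosts = sorted(uncovered.pop(s["secret"], ()))
            pending[s["secret"]] = {"stored_at": m["ts"], "hosts": hosts}
    return pending

# Log lines copied from the two excerpts in this issue.
SINGLE_HOST = """\
W0912 19:00:21.443465       5 controller.go:1215] ssl certificate "hosting/my-secret" does not exist in local store
I0912 19:00:24.776136       5 backend_ssl.go:58] adding secret hosting/my-secret to the local store
I0912 19:00:24.778968       5 controller.go:477] backend reload required
I0912 19:00:24.870096       5 controller.go:486] ingress backend successfully reloaded...
""".splitlines()

TWO_HOSTS = """\
W0912 19:05:23.815734       5 controller.go:1222] ssl certificate hosting/my-secret does not contain a Common Name or Subject Alternative Name for host another.domain.cz
I0912 19:05:24.778135       5 controller.go:477] backend reload required
I0912 19:05:24.865789       5 controller.go:486] ingress backend successfully reloaded...
I0912 19:05:28.902282       5 backend_ssl.go:53] updating secret hosting/my-secret in the local store
""".splitlines()

if __name__ == "__main__":
    print("single host:", find_unreloaded_secrets(SINGLE_HOST))
    print("two hosts:  ", find_unreloaded_secrets(TWO_HOSTS))
```

A non-empty result identifies hosts that keep the pre-update TLS configuration until something else triggers a reload.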

@stibi stibi changed the title Problem with reload of a secret when an ingress has more than one host configured Problem with nginx reload when an ingress has more than one host configured with tls enabled Sep 12, 2017
@aledbf
Member

aledbf commented Sep 13, 2017

@stibi please use quay.io/aledbf/nginx-ingress-controller:0.218
