SSL passthrough and termination don't work on the same ingress controller #1915

Closed
stevewolter opened this issue Jan 17, 2018 · 1 comment

Comments

@stevewolter

Is this a request for help?: Yes. The regression was introduced without explanation in a very large commit, and I don't have the scope to simply send a PR. Please help to find out what the right port assignment should be.

What keywords did you search in NGINX Ingress controller issues before filing this one?: SSL passthrough

Is this a BUG REPORT or FEATURE REQUEST?: BUG.

NGINX Ingress controller version: 0.9.0

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.4", GitCommit:"9befc2b8928a9426501d3bf62f72849d5cbcd5a3", GitTreeState:"clean", BuildDate:"2017-11-20T05:28:34Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"7+", GitVersion:"v1.7.11-gke.1", GitCommit:"3500f53730c1fea7b57901977df165c3eb317bce", GitTreeState:"clean", BuildDate:"2017-12-08T18:05:07Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: GKE

What happened:

The nginx-ingress-controller pod crashloops because nginx tries to bind to the SSL port that's already taken by the in-process proxy.

What you expected to happen:

SSL is terminated for one ingress and not terminated for the other.

How to reproduce it (as minimally and precisely as possible):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tls-termination
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/from-to-www-redirect: "true"
spec:
  tls:
  - hosts:
    - foo.bar.com
    secretName: tls
  rules:
  - host: foo.bar.com
    http:
      paths:
      - backend:
          serviceName: foo
          servicePort: 80

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: tls-passthrough
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  tls:
  - hosts:
    - grpc.bar.com
  rules:
  - host: grpc.bar.com
    http:
      paths:
      - backend:
          serviceName: registry
          servicePort: 443

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  labels:
    k8s-app: nginx-ingress-controller
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        k8s-app: nginx-ingress-controller
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0
        name: nginx-ingress-controller
        readinessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
        livenessProbe:
          httpGet:
            path: /healthz
            port: 10254
            scheme: HTTP
          initialDelaySeconds: 10
          timeoutSeconds: 1
        ports:
        - containerPort: 80
          hostPort: 80
        - containerPort: 443
          hostPort: 443
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        args:
        - /nginx-ingress-controller
        - --v=3
        - --default-backend-service=$$(POD_NAMESPACE)/default-http-backend
        - --publish-service=$$(POD_NAMESPACE)/nginx-ingress-lb
        - --enable-ssl-passthrough

Anything else we need to know:

This is a regression. It used to work in -beta11, and I'm pretty sure that it was introduced because the proxy code in setUpSSLProxy

    func setupSSLProxy(sslPort, proxyPort int, n *controller.NGINXController) {

grabs the same port that nginx wants.

I realize that the tls-passthrough tls section is probably superfluous, but it doesn't change the picture.

@aledbf
Member

aledbf commented Jan 17, 2018

Closing. This issue is fixed in master #1870

@aledbf aledbf closed this as completed Jan 17, 2018