Backend sets SSL issue #425

Open
JonathanManass opened this issue May 12, 2023 · 2 comments

@JonathanManass

BUG REPORT

Versions

Environment:

  • Kubernetes version (use kubectl version): client : v1.25.1 | server : v1.25.4
  • OS (e.g. from /etc/os-release): Oracle-Linux-8.6-2022.12.15-0-OKE-1.25.4-543

What happened?

Installing the ingress-nginx helm chart did not create SSL Backend sets

What you expected to happen?

Backend sets to have SSL enabled with plaintext health checks

How to reproduce it (as minimally and precisely as possible)?

Install with the following annotations:

      service.beta.kubernetes.io/oci-load-balancer-ssl-ports: "443"
      service.beta.kubernetes.io/oci-load-balancer-tls-secret: tls-cloud
      service.beta.kubernetes.io/oci-load-balancer-tls-backendset-secret: tls-cloud

Anything else we need to know?

It seems like the "oci-load-balancer-tls-backendset-secret" annotation does not have any effect anymore.
On top of that, health checks do not function as is in HTTP, which I believe is why that was removed.

However, there is now a checkbox, "Force plaintext health checks", that gets HTTP health checks working with SSL enabled.

Would this be enough to get the "backendset-secret" annotation back working with the health check changed to have this checkbox checked if it is?

I found another issue similar to this and was mainly wondering whether the addition of the checkbox was enough to add the support of that annotation and this checkbox again, so we can have SSL-enabled backend sets out of the box.

@kiranmenon

Any updates on this?
We are also facing this issue. We set these annotations in the "istio-ingress-gateway" load balancer service to use SSL:

      service.beta.kubernetes.io/oci-load-balancer-ssl-ports: "443"
      service.beta.kubernetes.io/oci-load-balancer-tls-secret: knative-ingress-ssl

And then the calls to the LB started returning empty responses, with error logs in the LB:

      logContent": { "data": { "errorLog": { "errorDetails": "Backend <OKE-node-ip> closed connection abruptly", "type": "backEnd" },

After enabling the "Use SSL" checkbox in the backend sets, the health checks started failing. There we can see only HTTP and TCP as the options.
Currently set the health check to a TCP port and calls are working. Just wondering if it's the right way to do?

@passarela

Unfortunately, the service.beta.kubernetes.io/oci-load-balancer-tls-backendset-secret annotation cannot use TLS secrets created in the standard way:

      kubectl create secret tls tls-secret --key tls.key --cert tls.crt

Only in the following way:

      kubectl create secret generic ca-ser-secret --from-file=tls.crt=tls.crt --from-file=tls.key=tls.key --from-file=ca.crt=ca.crt

Can you apply the secret in the way mentioned above?
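
An added example, not part of the original thread or the project's code: a preflight check of the difference the last comment describes, applied to the parsed output of `kubectl get secret NAME -o json`. The function name `check_secret` is hypothetical, the secret contents are constructed placeholders, and the key list for the listener annotation is an assumption based on what `kubectl create secret tls` produces.

```python
import base64

# Data keys each annotation needs. The backend set entry follows the comment
# above (the generic secret carries ca.crt); the listener entry is an
# assumption based on the standard `kubectl create secret tls` layout.
REQUIRED_KEYS = {
    "oci-load-balancer-tls-secret": ("tls.crt", "tls.key"),
    "oci-load-balancer-tls-backendset-secret": ("tls.crt", "tls.key", "ca.crt"),
}

def check_secret(secret, annotation):
    """Return the problems that would stop `secret` (parsed JSON of a
    Kubernetes Secret) from being usable with `annotation`."""
    data = secret.get("data") or {}
    problems = []
    for key in REQUIRED_KEYS[annotation]:
        if key not in data:
            problems.append(f"missing data key {key}")
            continue
        try:
            pem = base64.b64decode(data[key], validate=True).decode("ascii")
        except ValueError:  # covers bad base64 and non-ASCII payloads
            problems.append(f"{key} is not base64-encoded PEM text")
            continue
        want = "PRIVATE KEY-----" if key.endswith(".key") else "-----BEGIN CERTIFICATE-----"
        if want not in pem:
            problems.append(f"{key} does not contain the expected PEM block")
    return problems

def encode(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample data: placeholder PEM bodies, not real certificates or keys.
CERT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
# Shape produced by `kubectl create secret tls`: no ca.crt entry.
TLS_SECRET = {"type": "kubernetes.io/tls",
              "data": {"tls.crt": encode(CERT), "tls.key": encode(KEY)}}
# Shape produced by `kubectl create secret generic ... --from-file=ca.crt=ca.crt`.
GENERIC_SECRET = {"type": "Opaque", "data": {
    "tls.crt": encode(CERT), "tls.key": encode(KEY), "ca.crt": encode(CERT)}}

if __name__ == "__main__":
    for name, secret in (("tls", TLS_SECRET), ("generic", GENERIC_SECRET)):
        for annotation in REQUIRED_KEYS:
            print(name, annotation, check_secret(secret, annotation) or "ok")
```

Against a live cluster, pass `json.load(sys.stdin)` to `check_secret` and pipe in the `kubectl get secret` output.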
