Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS Module w/o Secret Does not Configure Ambassador to Listen on 443 #1104

Closed
iNoahNothing opened this issue Jan 11, 2019 · 1 comment
Closed

TLS Module w/o Secret Does not Configure Ambassador to Listen on 443 #1104

iNoahNothing opened this issue Jan 11, 2019 · 1 comment
Assignees
@concaf
Milestone
0.50.0 GA

Comments

@iNoahNothing
Copy link
Contributor

Regression starting in 0.50.0-rc2.

Configuring a TLS module without a certificate should configure Ambassador to listen on port 443. The primary use of this is if you are terminating TLS at an L4 LoadBalancer, you need redirect_cleartext_from: 80 for http -> https redirection. This can only be configured in a TLS module.

Adding this TLS Module:

      ---
      apiVersion: ambassador/v0
      kind: Module
      name: tls
      config:
        server:
          enabled: true
          redirect_cleartext_from: 80

Should cause Ambassador to listen on 443 and redirect traffic from 80. Starting in 0.50.0-rc2, Kubewatch errors out on that TLS module 2019-01-11 16:59:56 kubewatch [36 TRestarter] 0.50.0 ERROR: service ambassador, namespace default.1: <RichStatus BAD error=TLSContext server found no certificate in secret ambassador-certs in namespace default hostname=ambassador-5958f9547f-k8g45 resolvedname=192.168.0.8 version=0.50.0>.
@iNoahNothing iNoahNothing added this to the 0.50.0 GA milestone Jan 11, 2019
@concaf concaf self-assigned this Jan 14, 2019
concaf added a commit that referenced this issue Jan 16, 2019
@concaf
Make secret config non mandatory in TLS contexts
9980994 
This commit makes adding valid secret config in a TLS context
optional. So, when `redirect_cleartext_from` or other valid fields
are specified but the secret specified is invalid, the TLS context
will still go through. This also means that when default
`ambassador-certs` secret is implied by Ambassador, and if it does
not exist, the rest of TLS Context goes through.

Also added tests.

Fix #1104
@kflynn kflynn closed this as completed in c74bb97 Jan 18, 2019
@kflynn kflynn reopened this Jan 24, 2019
@kflynn
Copy link
Member

kflynn commented Jan 29, 2019

Fixed in RC6.

@kflynn kflynn closed this as completed Jan 29, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@concaf concaf

Labels
None yet
Projects
None yet
Milestone
0.50.0 GA
Development

No branches or pull requests
3 participants
@kflynn @concaf @iNoahNothing