Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL-Passthrough broken in beta.5 #694

Closed
snoby opened this issue May 8, 2017 · 5 comments
Closed

SSL-Passthrough broken in beta.5 #694

snoby opened this issue May 8, 2017 · 5 comments

Comments

@snoby
Copy link

snoby commented May 8, 2017

In the beta.5 release ssl-passthrough is broken, the same ingress in beta.3 works as expected.

With an ingress configured as:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: drupal-eu-staging
  namespace: staging
  annotations:
    kubernetes.io/ingress.class: "external"
    ingress.kubernetes.io/ssl-passthrough: "true"
    ingress.kubernetes.io/secure-backends: "true"
spec:
  rules:
  - host: drupal-eu-staging.k.tropo.com
    http:
      paths:
      - path: /
        backend:
          serviceName: drupal-eu-staging
          servicePort: 443
  tls:
  - hosts:
    - drupal-eu-staging.k.tropo.com

the beta.5 template generates rules that that suggest that the ingress controller should terminate the connection:


    server {
        server_name drupal-eu-staging.k.tropo.com;
        listen 80 proxy_protocol;
        listen [::]:80 proxy_protocol;

        listen 442 ssl http2;
        listen [::]:442  ssl http2;
        # PEM sha: 030817ac81e2a99260dc173f5745b45ee7c4e483
        ssl_certificate                         /ingress-controller/ssl/default-fake-certificate.pem;
        ssl_certificate_key                     /ingress-controller/ssl/default-fake-certificate.pem;

        more_set_headers                        "Strict-Transport-Security: max-age=15724800; includeSubDomains; ";
...

where as with beta.3 ( the correct configuration) generates

server {
        server_name new-drupal.k.tropo.com;
        listen [::]:80 proxy_protocol;
        location / {
            set $proxy_upstream_name "drupal-eu-staging.k.tropo.com-443";
            port_in_redirect off;
            client_max_body_size                    "1m";
@ghost
Copy link

ghost commented May 9, 2017
edited by ghost
Loading

Should be fixed in master with #696. Hoping we can get a beta.6 @aledbf?

@aledbf
Copy link
Member

aledbf commented May 9, 2017

@braderhart before that I need to merge #690

@aledbf
Copy link
Member

aledbf commented May 11, 2017

@snoby @braderhart please test if the image quay.io/aledbf/nginx-ingress-controller:0.113 solves the issue

@ghost
Copy link

ghost commented May 11, 2017 

kubectl patch `kubectl get po -l app=nginx-ingress-controller --all-namespaces -o name` -n kube-system --type='json' -p='[{"op": "replace", "path": "/spec/containers/0/image", "value":"quay.io/aledbf/nginx-ingress-controller:0.113"}]'

Thanks, testing shortly...

@aledbf
Copy link
Member

aledbf commented May 13, 2017

Closing. Please reopen if you still have issues with the quay image

@aledbf aledbf closed this as completed May 13, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aledbf @snoby