Contour: Failover to a default TLS certificate if malformed secret reference is provided to Ingress TLS

Created on 13 Jun 2019 · 7 Comments · Source: projectcontour/contour

Describe the solution you'd like

When referencing an invalid secret, the listener should load a default TLS certificate.

Environment:

  • Contour version: v0.11.0
  • Kubernetes version: (use kubectl version): v1.14.2
  • Kubernetes installer & version: kind v0.4.0-alpha
  • Cloud provider or hardware configuration: local
  • OS (e.g. from /etc/os-release): osx

All 7 comments

@pickledrick thanks for raising this issue.

Could you please tell me more about the invalid TLS certificate? In 0.12 we fixed a problem where a secret with the right keys, but empty values, was picked up and sent to Envoy. https://github.com/heptio/contour/issues/1051. Upgrading to 0.12.1 may help. The customer should upgrade to 0.12.1 regardless to pick up the fix for https://github.com/heptio/contour/issues/1091

There is an open issue for Contour to validate the contents of any TLS certificate before sending it to Envoy https://github.com/heptio/contour/issues/1065

wrt. a default TLS certificate. Contour doesn't implement anything like that although we do have a very old feature request to add something like that but I cannot find it at the moment.

Sure @davecheney,

the request was more for the feature request of failing over to a default TLS certificate. I mentioned validation as this would be precursory and hadn't looked for relevant tickets (thanks for linking btw).

I am happy to relay the decision for a default TLS certificate and was interested in your opinion before providing a response.

I will link the validation issue and reach out to mention the fixes in 0.12.1.

@pickledrick can you please rewrite this request so it's clearer. The part about envoy returning a weird error is a bug and should be fixed. Either keep this issue for the envoy/contour bug (not sure who's at fault yet) or start a new one.

wrt. to adding support for a default TLS certificate I know this is a feature nginx has. It's a weird feature that falls out of the way the nginx configuration language works, but I know some users rely on it. I'm happy to hold an issue to add this feature but I won't be able to give any answers on when or if we would add it without talking to product management.

/cc @VMmore

I have created #1169 as a separate bug for the error message. I will leave and reword this feature request to track addition of a default TLS certificate.

@pickledrick sorry, I'm going to make you rewrite this request again. A feature request needs to explain the problem that the feature being added would solve. The part about loading an invalid certificate is a bug and will be fixed, so it can't be the justification for this feature.

One way to phrase this request might be to say something like "nginx allows a default TLS certificate to be used as a fallback when none is mentioned by the ingress itself." Perhaps a better way would be to write it like a user story, something like "As a cluster administrator I want to be able to deploy an ingress record without having to provision a TLS certificate for each ingress". If that's closer to the mark then I'd point you to TLS certificate delegation which we added in 0.10.
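Two technical points come up in this thread: rejecting a TLS secret whose keys are present but whose values are empty or do not form a valid certificate/key pair before it is pushed to Envoy, and resolving the `namespace/name` form of a secret reference that TLS certificate delegation relies on. The Go example below is added here to illustrate both; it is not Contour's code. The `Secret` struct is a hypothetical stand-in for the Kubernetes Secret type, `ValidateTLSSecret` and `ParseSecretRef` are illustrative names, and the certificate is generated inline as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Secret is a hypothetical, trimmed-down stand-in for a Kubernetes v1.Secret (not the client-go type).
type Secret struct {
	Namespace string
	Name      string
	Type      string
	Data      map[string][]byte
}

// ParseSecretRef resolves a TLS secret reference written as "name" or "namespace/name"
// (the cross-namespace form used with certificate delegation); defaultNS is the referrer's namespace.
func ParseSecretRef(ref, defaultNS string) (namespace, name string, err error) {
	parts := strings.Split(ref, "/")
	switch len(parts) {
	case 1:
		namespace, name = defaultNS, parts[0]
	case 2:
		namespace, name = parts[0], parts[1]
	default:
		return "", "", fmt.Errorf("secret reference %q is malformed", ref)
	}
	if namespace == "" || name == "" {
		return "", "", fmt.Errorf("secret reference %q has an empty component", ref)
	}
	return namespace, name, nil
}

// ValidateTLSSecret returns nil only if s is a kubernetes.io/tls secret whose tls.crt and
// tls.key are present, non-empty, PEM-encoded and form a matching certificate/private-key
// pair. Anything else is rejected before it could be pushed to the proxy.
func ValidateTLSSecret(s *Secret) error {
	if s.Type != "kubernetes.io/tls" {
		return fmt.Errorf("secret %s/%s: type %q, want kubernetes.io/tls", s.Namespace, s.Name, s.Type)
	}
	crt, key := s.Data["tls.crt"], s.Data["tls.key"]
	// Right keys, empty values: the shape that used to be forwarded unchecked.
	if len(crt) == 0 || len(key) == 0 {
		return fmt.Errorf("secret %s/%s: tls.crt or tls.key missing or empty", s.Namespace, s.Name)
	}
	if _, err := tls.X509KeyPair(crt, key); err != nil {
		return fmt.Errorf("secret %s/%s: %w", s.Namespace, s.Name, err)
	}
	return nil
}

// selfSignedPair builds a throwaway ECDSA certificate and key: constructed test data only.
func selfSignedPair(cn string) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	crt, key, err := selfSignedPair("www.example.com")
	if err != nil {
		panic(err)
	}
	good := &Secret{Namespace: "www-admin", Name: "wildcard", Type: "kubernetes.io/tls", Data: map[string][]byte{"tls.crt": crt, "tls.key": key}}
	empty := &Secret{Namespace: "www-admin", Name: "empty", Type: "kubernetes.io/tls", Data: map[string][]byte{"tls.crt": {}, "tls.key": {}}}
	fmt.Println("good:", ValidateTLSSecret(good), "empty:", ValidateTLSSecret(empty))
}
```

The check deliberately runs `tls.X509KeyPair` rather than only testing for key presence, so a certificate paired with the wrong private key, or non-PEM garbage, is caught at the same point as the empty-value case.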

Clarifying with the customer as to their specific needs, i.e. whether these differ from setting up certificate delegation or rather call for a blanket catch-all.

@pickledrick timed out, please reopen when you hear back from the customer.
