Describe the solution you'd like
When referencing an invalid secret, the listener should load a default TLS certificate.
Environment:
Contour version: v0.11.0
Kubernetes version (kubectl version): v1.14.2
Kubernetes installer: kind v0.4.0-alpha
Cloud provider or hardware: local
OS (/etc/os-release): osx

@pickledrick thanks for raising this issue.
Could you please tell me more about the invalid TLS certificate? In 0.12 we fixed a problem where a secret with the right keys, but empty values, was picked up and sent to Envoy: https://github.com/heptio/contour/issues/1051. Upgrading to 0.12.1 may help. The customer should upgrade to 0.12.1 regardless to pick up the fix for https://github.com/heptio/contour/issues/1091.
There is an open issue for Contour to validate the contents of any TLS certificate before sending it to Envoy: https://github.com/heptio/contour/issues/1065
wrt. a default TLS certificate: Contour doesn't implement anything like that, although we do have a very old feature request to add something like that, but I cannot find it at the moment.
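The check that the validation issue above asks for, as an added example in Go that is not Contour's own code: it rejects a kubernetes.io/tls Secret whose tls.crt or tls.key is missing or empty (the case fixed in 0.12) and any pair that does not parse or does not match. The self-signed certificate is generated inside the block as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ValidateTLSSecret checks a Secret's data map before it would be handed to Envoy:
// missing or empty keys are rejected, and so is anything that does not parse as a
// certificate with a matching private key.
func ValidateTLSSecret(data map[string][]byte) error {
	if len(data["tls.crt"]) == 0 || len(data["tls.key"]) == 0 {
		return fmt.Errorf("tls.crt or tls.key missing or empty (%d/%d bytes)", len(data["tls.crt"]), len(data["tls.key"]))
	}
	if _, err := tls.X509KeyPair(data["tls.crt"], data["tls.key"]); err != nil {
		return fmt.Errorf("secret holds an invalid certificate/key pair: %w", err)
	}
	return nil
}

// selfSignedPair builds a throwaway self-signed certificate (constructed test data only).
func selfSignedPair() (cert, key []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(priv)
	cert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	key = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return cert, key
}

func main() {
	cert, key := selfSignedPair()
	for name, data := range map[string]map[string][]byte{
		"valid pair":   {"tls.crt": cert, "tls.key": key},
		"empty values": {"tls.crt": {}, "tls.key": {}},
		"garbage cert": {"tls.crt": []byte("not pem"), "tls.key": key},
	} {
		fmt.Printf("%s: %v\n", name, ValidateTLSSecret(data))
	}
}
```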
Sure @davecheney,
the request was more for the feature request of failing over to a default TLS certificate. I mentioned validation as this would be precursory and hadn't looked for relevant tickets (thanks for linking btw).
I am happy to relay the decision for a default TLS certificate and was interested in your opinion before providing a response.
I will link the validation issue and reach out to mention the fixes in 0.12.1.
@pickledrick can you please rewrite this request so it's clearer. The part about envoy returning a weird error is a bug and should be fixed. Either keep this issue for the envoy/contour bug (not sure who's at fault yet) or start a new one.
wrt. adding support for a default TLS certificate, I know this is a feature nginx has. It's a weird feature that falls out of the way the nginx configuration language works, but I know some users rely on it. I'm happy to hold an issue to add this feature, but I won't be able to give any answers on when or if we would add it without talking to product management.
/cc @VMmore
I have created #1169 as a separate bug for the error message. I will leave and reword this feature request to track addition of a default TLS certificate.
@pickledrick sorry, I'm going to make you rewrite this request again. A feature request needs to explain the problem that the feature being added would solve. The part about loading an invalid certificate is a bug and will be fixed, so it can't be the justification for this feature.
One way to phrase this request might be to say something like "nginx allows a default TLS certificate to be used as a fallback when none is mentioned by the ingress itself." Perhaps a better way would be to write it like a user story, something like "As a cluster administrator I want to be able to deploy an ingress record without having to provision a TLS certificate for each ingress". If that's closer to the mark then I'd point you to TLS certificate delegation, which we added in 0.10.
Clarifying with the customer as to specific needs, if they differ from setting a certificate delegation or rather a blanket catch-all.
@pickledrick timed out, please reopen when you hear back from the customer.