With the default verbosity level and the Ingress below, the following warning messages are issued multiple times:
controller.go:1192] ingress default/shop for host storefront.127.0.0.1.xip.io contains a TLS section but none of the host match
---
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: shop
spec:
  rules:
  - host: storefront.127.0.0.1.xip.io
    http:
      paths:
      - path: /
        backend:
          serviceName: storefront
          servicePort: http
  - host: backoffice.127.0.0.1.xip.io
    http:
      paths:
      - path: /
        backend:
          serviceName: backoffice
          servicePort: http
  tls:
  - hosts:
    - backoffice.127.0.0.1.xip.io
Seems like found will always be false when the TLS spec doesn't contain the host from the current loop iteration.
@antoineco this works as expected
From the IngressTLS docs:
Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified.
@aledbf huh? This is spewing a lot of logs for us, too. We have some ingresses that have a mix of TLS and non-TLS hosts. Do they need to be split in separate ingress manifests?
Getting a lot of these messages as well
@aledbf I understand the default behaviour, but why throw a warning for the hosts that are not in tls.hosts? Isn't it legit to mix TLS and non-TLS hosts?
We're getting millions of these messages a day in the logs now ...
It was added in e65d3c75 (replacing a comment explaining what's happening as normal course of operation with a warning message; it seems like it at most should be a debug message -- or it should be documented that mixing TLS and non-TLS ingresses is an invalid configuration).
@abh please use quay.io/aledbf/nginx-ingress-controller:0.268. In this image I've added a check to avoid duplication in the output of the log.
Using 0.268 TLS connections are just dropped --
$ openssl s_client -connect perl.org:443 -servername perl.org
CONNECTED(00000003)
140736101196680:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
...
I tried a few versions back (267 and 266) and have the same problem. beta.15 is working with the same setup. (I'm "testing" in production so it's hard to give you proper information/better debugging, sorry!)
Edit: TLS works with 0.259, but broke in 0.260.
Edit2: Ok, looking at the dates for those builds I found change 4fe6dd1090a. I added a custom configuration to use the old values and either that seems to make it work for me again.
Yay, the logging for this is much more manageable now. Thanks!
Upgrading to beta 17 the verbose logs seem to be back? (Or maybe they're logged each time some ingress changes, and for whatever reason some ingress changes every few seconds on my system?)
@abh the fix is not included in beta 17. That's why you see the error. The fix was committed in #1662 and will be present in the next release
Ah, great. Thank you!
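The host check this thread is about, as an added Go example (not the controller's code and not posted by anyone in the thread): it lists each rule host that no tls.hosts entry covers, once per host, which is the set of hosts served without a TLS section in a mixed Ingress. The Ingress struct, covered, PlainHTTPHosts and the wildcard handling are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Ingress holds only the fields discussed here (assumed stand-in, not the Kubernetes API types).
type Ingress struct {
	RuleHosts []string   // spec.rules[].host
	TLSHosts  [][]string // spec.tls[].hosts
}

// covered reports whether host matches a tls.hosts entry, exactly or through a
// single-label wildcard such as *.example.com (wildcard handling is an assumption).
func covered(host string, tls [][]string) bool {
	i := strings.Index(host, ".")
	for _, entry := range tls {
		for _, h := range entry {
			wild := strings.HasPrefix(h, "*.") && i > 0 && strings.EqualFold(host[i:], h[1:])
			if wild || strings.EqualFold(h, host) {
				return true
			}
		}
	}
	return false
}

// PlainHTTPHosts returns each rule host that no TLS entry covers, once per host.
func PlainHTTPHosts(ing Ingress) []string {
	seen := map[string]bool{}
	var out []string
	for _, host := range ing.RuleHosts {
		if seen[host] || covered(host, ing.TLSHosts) {
			continue
		}
		seen[host] = true
		out = append(out, host)
	}
	return out
}

func main() {
	// Constructed input mirroring the "shop" Ingress from the report above.
	shop := Ingress{
		RuleHosts: []string{"storefront.127.0.0.1.xip.io", "backoffice.127.0.0.1.xip.io"},
		TLSHosts:  [][]string{{"backoffice.127.0.0.1.xip.io"}},
	}
	fmt.Println(PlainHTTPHosts(shop))
}
```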