Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add note for TLS settings on default rule #49233

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+18 −0
Open

Add note for TLS settings on default rule #49233

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions content/en/docs/concepts/services-networking/ingress.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -519,6 +519,24 @@ section.

{{% code_sample file="service/networking/tls-example-ingress.yaml" %}}

{{< note >}}
As an alternative to make TLS work on the default rule or when faced with specific
Subject Alternative Name requirements (e.g mandatory IPs instead of FQDN), user can update the
Ingress Controller to set as default certificate a custom Secret that satifies those requirements.

If using Nginx Ingress:

kubectl -n ingress-nginx edit deployment ingress-controller

Edit the args section as follows:

args:
- /nginx-ingress-controller
- '--publish-service=$(POD_NAMESPACE)/ingress-nginx-controller'
- '--default-ssl-certificate=default/testsecret-tls'
- ...
{{< /note >}}
Comment on lines +522 to +538
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This advice is specific to one ingress controller. We could add it as part of a blog article or a tutorial, but I don't think it's right for a page about the Ingress API as a concept.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would agree with that indeed


{{< note >}}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This note is useful, though - it's telling people to go and read the docs for the ingress controller(s) that they are actually using.

Copy link
Author

@makhtardiouf makhtardiouf Dec 27, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The intent is to rectify or complete the note before it. See capture below.
I recently faced a mandatory mTLS requirement where the client calls an endpoint and checks if the certificate matches a given IP in the S.A.Ns.

  • If the TLS cert is attached to an ingress resource, k8s will attempt to match it through the host rule (FQDN, as IPs won't work).
  • If it doesn't match, k8s will fallback to the default "Fake Certificate", which the client needs to ignore in order to connect.
  • The only solution is to create a TLS cert, with the required -ext SubjectAlternativeName:c=IP:x.x.x.x, and apply it as default cert for the ingress controller.
image

There is a gap between TLS features supported by various Ingress
controllers. Please refer to documentation on
Expand Down