Comments (5)
Wow @hbagdi that was fast! 😄
I deployed #76 locally and it works great, thank you.
from kubernetes-ingress-controller.
Hello @Dag24,
As documented, the ingress controller doesn't yet support Kong 0.14.0 for the reasons that you've posted above.
> While I'm here, I'd also like to draw your attention to #94, which is another snag I encountered in TLS setup. Hopefully a trivial fix for that one, though. (Root CA certs are not installed in the ingress-controller or Kong Centos images.)
I'll look into this and post an update on #94 soon. Thanks!
from kubernetes-ingress-controller.
A workaround is to manually add all the SNIs listed in `spec.tls[0].hosts`, e.g.
```
curl -X POST \
  --url "kong-ingress-controller.kong.svc.cluster.local:8001/snis/" \
  --data "ssl_certificate_id=<certificate id>" \
  --data "name=bar.example.com"
```
Now requests to both https://foo.example.com and https://bar.example.com will succeed.
from kubernetes-ingress-controller.
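The workaround above, worked through as an added example (not part of the original comment or the project's code): given an Ingress manifest and controller log lines in the format quoted in this thread, it finds TLS hosts that never got an SNI and builds the `/snis/` form body for each, reusing the certificate id of a sibling host in the same `spec.tls` entry. The manifest, log lines, certificate id and function names are constructed for illustration.

```python
import re
from urllib.parse import urlencode

# Constructed sample: an Ingress with two hosts behind one TLS secret.
INGRESS = {
    "metadata": {"namespace": "default", "name": "demo"},
    "spec": {"tls": [{"secretName": "tls-secret",
                      "hosts": ["foo.example.com", "bar.example.com"]}]},
}

# Constructed controller log: only the first host received an SNI.
LOG = """\
kong.go:1008] creating Kong SSL Certificate for host foo.example.com located in Secret default/tls-secret
kong.go:1041] creating Kong SNI for host foo.example.com and certificate id 00000000-0000-0000-0000-000000000001
"""

SNI_LINE = re.compile(
    r"creating Kong SNI for host (\S+) and certificate id ([0-9a-f-]{36})")


def snis_from_log(log):
    """Map host -> certificate id for every SNI the controller logged."""
    return {m.group(1): m.group(2) for m in SNI_LINE.finditer(log)}


def missing_sni_requests(ingress, log):
    """Return (host, form_body) for each TLS host that has no SNI yet."""
    known = snis_from_log(log)
    requests = []
    for entry in ingress.get("spec", {}).get("tls", []):
        hosts = entry.get("hosts", [])
        cert_ids = {known[h] for h in hosts if h in known}
        if len(cert_ids) != 1:
            # No sibling SNI, or conflicting ids: the certificate cannot be
            # inferred from the log, so leave this entry for manual review.
            continue
        cert_id = cert_ids.pop()
        for host in hosts:
            if host not in known:
                body = urlencode({"ssl_certificate_id": cert_id, "name": host})
                requests.append((host, body))
    return requests


if __name__ == "__main__":
    for host, body in missing_sni_requests(INGRESS, LOG):
        print(f"POST /snis/  {body}")
```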
Hello @Dag24
I just opened up #76 to fix this issue.
Thank you for reporting this!
from kubernetes-ingress-controller.
Hey @hbagdi I think we need to reopen this as it doesn't work with Kong 0.14.0. It does work with 0.13.1 and 0.13.0.
Using `kong-0.13.1-centos`: the logs of the ingress-controller container look like this (successful):
```
controller.go:127] syncing Ingress configuration...
kong.go:1008] creating Kong SSL Certificate for host foo.example.com located in Secret default/tls-secret
kong.go:1041] creating Kong SNI for host foo.example.com and certificate id 712398b9-a171-11e8-8806-0a58ac1f10d3
kong.go:1041] creating Kong SNI for host bar.example.com and certificate id 712398b9-a171-11e8-8806-0a58ac1f10d3
```
Using `kong-0.14-centos`:
```
controller.go:127] syncing Ingress configuration...
kong.go:1008] creating Kong SSL Certificate for host foo.example.com located in Secret default/tls-secret
kong.go:1028] updating certificate for host foo.example.com to certificate id 41e5ab7e-ef54-4be5-a859-35d1b51160ba
controller.go:130] unexpected failure updating Kong configuration: patching a Kong consumer: the server rejected our request for an unknown reason (patch snis.meta.k8s.io)
queue.go:113] requeuing dummy/dummy, err patching a Kong consumer: the server rejected our request for an unknown reason (patch snis.meta.k8s.io)
controller.go:127] syncing Ingress configuration...
kong.go:1008] creating Kong SSL Certificate for host foo.example.com located in Secret default/tls-secret
kong.go:1013] Unexpected error creating Kong Certificate: [400] {"fields":{"snis":"foo.example.com already associated with existing certificate '41e5ab7e-ef54-4be5-a859-35d1b51160ba'"},"name":"schema violation","code":2,"message":"schema violation (snis: foo.example.com already associated with existing certificate '41e5ab7e-ef54-4be5-a859-35d1b51160ba')"}
```
Of course, the important part here is the "schema violation" error. 0.14.0 contained a number of changes to the `/snis` and `/certificates` endpoints, which have probably triggered the above.
While I'm here, I'd also like to draw your attention to #94, which is another snag I encountered in TLS setup. Hopefully a trivial fix for that one, though. (Root CA certs are not installed in the ingress-controller or Kong Centos images.)
from kubernetes-ingress-controller.