Not All Annotation work in Ingress #10719

Closed
fovea-group opened this issue Dec 3, 2023 · 6 comments
Labels
needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. triage/needs-information Indicates an issue needs more information in order to work on it.

Comments

@fovea-group

Ok, so I write a simple YAML:

apiVersion: v1
kind: Namespace
metadata:
  name: annotation-not-work
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-server
  namespace: annotation-not-work
spec:
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: httpd
        image: httpd:2.4.53-alpine
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: web-server-service
  namespace: annotation-not-work
spec:
  selector:
    app: web
  ports:
    - protocol: TCP
      port: 5000
      targetPort: 80
---
apiVersion: v1
kind: Secret
metadata:
  name: fe-certificate-secret
  namespace: annotation-not-work
type: kubernetes.io/tls
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREakNDQWZZQ0NRRGtuaFFUT0k3UndqQU5CZ2txaGtpRzl3MEJBUVVGQURCSk1Rc3dDUVlEVlFRR0V3SkoKVkRFT01Bd0dBMVVFQ0JNRlNYUmhiSGt4RkRBU0JnTlZCQW9UQzJObGNuUnBabWxqWVhSbE1SUXdFZ1lEVlFRRApFd3RqWlhKMGFXWnBZMkYwWlRBZUZ3MHlNekV5TURJeE1UUXlORGxhRncweU5EQXhNREV4TVRReU5EbGFNRWt4CkN6QUpCZ05WQkFZVEFrbFVNUTR3REFZRFZRUUlFd1ZKZEdGc2VURVVNQklHQTFVRUNoTUxZMlZ5ZEdsbWFXTmgKZEdVeEZEQVNCZ05WQkFNVEMyTmxjblJwWm1sallYUmxNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QQpNSUlCQ2dLQ0FRRUF2S0EyRXlPa3pLL29xeDVubjI1ZmhaQWtmOXordFNMNmpNYjJ5cUxHaW8vbUxseUxFdXdJCnplSURsc1FhL3ltMDR1dDVGT0tWcHRlYUduOUhJV2pGamgzR2JWTDZtZXVlKzZZRzN6M2dzSkhkbGc0NVIxMDkKZnJ6TFJxMUkzYkJlVVV6ZWFDaURKTkt0eGpnb282TnljTUw3QTZxL3d1R0dvOVNBZzkwRXMwTlFRNUdrRlJTcwpQTWhIYjBKZnlIUER3UmQxbWxMRlB0bGl4eEFCUjBhS29aTU14R3hhRUJKM2lQK09LcWllSVR2TFRaZ0M2aEM0CkErU1k2QWNXclpCQTZWV01GQUhnZHJqUXNzTG81N3RuNGMvSFh0eUxSYjNaK1pzaEw4UW9aYlBUMlVmRHRYNGwKd2F5a21BbUtwRnJEYi9wQUV0a042OXNzNkl5b3dRWDJId0lEQVFBQk1BMEdDU3FHU0liM0RRRUJCUVVBQTRJQgpBUUFpcFFzR2NYN1JRWHZ3RVBNcnVKWXJQU1FzSXUyWVE2QVVTRTVrWDhGNzFTaXAySWdVRlFRblNFKzJqRW1VCnhKYXJzV1ZLOG9mVk5HbE52SjBHblcxZ0xWU0ZVSGROQWl5clhUaDNVa2ZsT0FwYUV6TThEWW9kTUNaWE5lNjkKTUNmYVMxajFsK2syMEJHY1dRNyt5WThjanpjYWJqc3RKWUZEd2pKUzAvRldwTU9OdUIyMUdXUEIwcDJIT0tGdQp0OU8rRndPRWJFcUp2VEZCaXRueGdtOXJRb0dQL0RWVDNlbHdLMHhVM2VNa1Z0c0pkQ3cwaWhtWEZVbHBwUWVzCk9WcXNmZ0dpN2kyZ1hiQkx3MllHV1c2SUlpOU9HaXBZbkFxTTlMNGdTZFlFdWJRZWVkUUN3dEZRY3Z5L0twRGMKK3VqanZZV2YwWXpQRlYzNG0vaU5TeTRKCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
  tls.key: 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
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-server-ingress
  namespace: annotation-not-work
spec:
  ingressClassName: nginx
  tls:
    - hosts: 
      - certificate
      secretName: fe-certificate-secret
  rules:
  - host: certificate
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-server-service
            port:
              number: 5000

This YAML creates a deployment, a service, a SECRET WITH CN = certificate and an ingress for host "certificate". Ok, now add "127.0.0.1 certificate" to your hosts file and with Postman make a GET to "https://certificate:443".

This call works and the CERTIFICATE IS RIGHT:
(screenshot)

Now change the ingress YAML to this (change the hostname), add "127.0.0.1 certificate-cn-different" to your hosts file and with Postman make a GET to "https://certificate-cn-different:443":

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-server-ingress
  namespace: annotation-not-work
spec:
  ingressClassName: nginx
  tls:
    - hosts: 
      - certificate-cn-different
      secretName: fe-certificate-secret
  rules:
  - host: certificate-cn-different
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-server-service
            port:
              number: 5000

This call works but the CERTIFICATE IS THE DEFAULT (ok, this is expected behaviour: Ingress checks the CN, but it is not correct for the new hostname, so it returns the default certificate):
(screenshot)

NOW MY PROBLEM
My scenario is that I want to disable the check on the certificate in nginx ingress. I want to do this with an nginx annotation.
So... change the YAML to this (I tried some annotations but nothing works):

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-server-ingress
  namespace: annotation-not-work
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"
    nginx.ingress.kubernetes.io/proxy-ssl-verify-depth: "1"
    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "certificate"
spec:
  ingressClassName: nginx
  tls:
    - hosts: 
      - certificate-cn-different
      secretName: fe-certificate-secret
  rules:
  - host: certificate-cn-different
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-server-service
            port:
              number: 5000

My expectation was that my last request would work and return the self-signed certificate. But it does not work and always returns the default Kubernetes certificate.
IT SEEMS THAT THE ANNOTATION DOES NOT CHANGE THE NGINX.CONF FILE TO DISABLE THE CN CHECK

WHY???
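As an added illustration (not code from this issue or from the ingress-nginx project), the Go program below decodes the tls.crt value of the Secret posted above and applies the two-step hostname match an ingress controller performs for each entry of spec.tls[].hosts before it picks a certificate for a server block: the standard Subject Alternative Name check, then a Common Name fallback for legacy certificates that carry no SAN. The matching helpers are my own simplified rendition of that logic, not the controller's functions; the base64 string is copied verbatim from the Secret in this issue. A host that matches neither way gets the controller's default certificate, which is exactly what the second and third Ingress manifests show. The proxy-ssl-* annotations in the third manifest configure nginx's proxy_ssl_* directives for the connection from the controller to the backend Service, so they cannot change which certificate the controller presents to the client.

```go
package main

import (
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// tlsCrt is the base64 value of tls.crt copied verbatim from the Secret
// fe-certificate-secret in this issue (the private key is not needed here).
const tlsCrt = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREakNDQWZZQ0NRRGtuaFFUT0k3UndqQU5CZ2txaGtpRzl3MEJBUVVGQURCSk1Rc3dDUVlEVlFRR0V3SkoKVkRFT01Bd0dBMVVFQ0JNRlNYUmhiSGt4RkRBU0JnTlZCQW9UQzJObGNuUnBabWxqWVhSbE1SUXdFZ1lEVlFRRApFd3RqWlhKMGFXWnBZMkYwWlRBZUZ3MHlNekV5TURJeE1UUXlORGxhRncweU5EQXhNREV4TVRReU5EbGFNRWt4CkN6QUpCZ05WQkFZVEFrbFVNUTR3REFZRFZRUUlFd1ZKZEdGc2VURVVNQklHQTFVRUNoTUxZMlZ5ZEdsbWFXTmgKZEdVeEZEQVNCZ05WQkFNVEMyTmxjblJwWm1sallYUmxNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QQpNSUlCQ2dLQ0FRRUF2S0EyRXlPa3pLL29xeDVubjI1ZmhaQWtmOXordFNMNmpNYjJ5cUxHaW8vbUxseUxFdXdJCnplSURsc1FhL3ltMDR1dDVGT0tWcHRlYUduOUhJV2pGamgzR2JWTDZtZXVlKzZZRzN6M2dzSkhkbGc0NVIxMDkKZnJ6TFJxMUkzYkJlVVV6ZWFDaURKTkt0eGpnb282TnljTUw3QTZxL3d1R0dvOVNBZzkwRXMwTlFRNUdrRlJTcwpQTWhIYjBKZnlIUER3UmQxbWxMRlB0bGl4eEFCUjBhS29aTU14R3hhRUJKM2lQK09LcWllSVR2TFRaZ0M2aEM0CkErU1k2QWNXclpCQTZWV01GQUhnZHJqUXNzTG81N3RuNGMvSFh0eUxSYjNaK1pzaEw4UW9aYlBUMlVmRHRYNGwKd2F5a21BbUtwRnJEYi9wQUV0a042OXNzNkl5b3dRWDJId0lEQVFBQk1BMEdDU3FHU0liM0RRRUJCUVVBQTRJQgpBUUFpcFFzR2NYN1JRWHZ3RVBNcnVKWXJQU1FzSXUyWVE2QVVTRTVrWDhGNzFTaXAySWdVRlFRblNFKzJqRW1VCnhKYXJzV1ZLOG9mVk5HbE52SjBHblcxZ0xWU0ZVSGROQWl5clhUaDNVa2ZsT0FwYUV6TThEWW9kTUNaWE5lNjkKTUNmYVMxajFsK2syMEJHY1dRNyt5WThjanpjYWJqc3RKWUZEd2pKUzAvRldwTU9OdUIyMUdXUEIwcDJIT0tGdQp0OU8rRndPRWJFcUp2VEZCaXRueGdtOXJRb0dQL0RWVDNlbHdLMHhVM2VNa1Z0c0pkQ3cwaWhtWEZVbHBwUWVzCk9WcXNmZ0dpN2kyZ1hiQkx3MllHV1c2SUlpOU9HaXBZbkFxTTlMNGdTZFlFdWJRZWVkUUN3dEZRY3Z5L0twRGMKK3VqanZZV2YwWXpQRlYzNG0vaU5TeTRKCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"

// LoadSecretCert performs the two decodings a Secret value needs (base64 as stored
// by Kubernetes, then PEM) and returns the parsed leaf certificate.
func LoadSecretCert(b64 string) (*x509.Certificate, error) {
	pemBytes, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("tls.crt is not valid base64: %w", err)
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("tls.crt does not contain a PEM CERTIFICATE block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// matchPattern compares one certificate name (a SAN or the CN) with a requested host,
// case-insensitively and allowing a single leading wildcard label (*.example.com).
func matchPattern(pattern, host string) bool {
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if pattern == host {
		return true
	}
	if strings.HasPrefix(pattern, "*.") {
		suffix := pattern[1:] // ".example.com"
		if strings.HasSuffix(host, suffix) {
			label := strings.TrimSuffix(host, suffix)
			return label != "" && !strings.Contains(label, ".")
		}
	}
	return false
}

// HostnameMatches is a simplified model (my own, not the controller's code) of the
// per-host check: SANs via the standard library first, then a CN fallback, because
// Go's VerifyHostname ignores the Common Name entirely. It reports which name matched.
func HostnameMatches(cert *x509.Certificate, host string) (string, bool) {
	if cert.VerifyHostname(host) == nil {
		return "SAN", true
	}
	for _, dns := range cert.DNSNames {
		if matchPattern(dns, host) {
			return "SAN:" + dns, true
		}
	}
	if cn := cert.Subject.CommonName; cn != "" && matchPattern(cn, host) {
		return "CN:" + cn, true
	}
	return "", false
}

// ServedCert names the certificate a client sending the given SNI host would receive:
// the Secret's certificate when it matches, otherwise the controller's default one.
func ServedCert(cert *x509.Certificate, sniHost string) string {
	if _, ok := HostnameMatches(cert, sniHost); ok {
		return "fe-certificate-secret"
	}
	return "default certificate"
}

func main() {
	cert, err := LoadSecretCert(tlsCrt)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject: %s\nDNS SANs: %v\nvalid: %s to %s\n", cert.Subject, cert.DNSNames,
		cert.NotBefore.Format("2006-01-02"), cert.NotAfter.Format("2006-01-02"))
	for _, host := range []string{"certificate", "certificate-cn-different"} {
		via, ok := HostnameMatches(cert, host)
		fmt.Printf("host %-26s match=%-5v via=%-16q served=%s\n", host, ok, via, ServedCert(cert, host))
	}
}
```

Run it with `go run .`: the Secret's certificate turns out to be an X.509 v1 certificate with subject CN=certificate and no SAN extension, so "certificate" is accepted only through the CN fallback and "certificate-cn-different" is accepted by nothing, which is why the default certificate is served. The fix on the client-facing side is a certificate whose SAN list covers every host in spec.tls, not an annotation.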

@fovea-group fovea-group added the kind/bug Categorizes issue or PR as related to a bug. label Dec 3, 2023
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Dec 3, 2023
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@fovea-group fovea-group changed the title Not All Annotation not work in Ingress Not All Annotation work in Ingress Dec 3, 2023
@longwuyuan
Contributor

Duplicate of #10682

@fovea-group when the new issue button is clicked, the template of a new issue asks many questions. You have not answered any of those questions in this issue and have not answered any questions in the other issue #10682. Please close one issue as they are duplicates, and please answer the questions asked in the new issue template.

/remove-kind bug
/triage needs-information

@k8s-ci-robot k8s-ci-robot added triage/needs-information Indicates an issue needs more information in order to work on it. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. and removed kind/bug Categorizes issue or PR as related to a bug. labels Dec 3, 2023
@fovea-group
Author

fovea-group commented Dec 4, 2023

Ok... can you explain to me which questions in this issue "#10682" do not have an answer? I thought that I had responded to all the questions. So, I will open a new, correct issue.

@longwuyuan
Contributor

  • We don't test on docker-desktop and it's not likely that anyone will install docker-desktop to try to reproduce this issue
  • I think first you should close one of the two issues so that the problem is tracked in only one issue
  • I think you are reporting problems with the annotation proxy-ssl-verify-depth: "1", but a reader will need some kind of step-by-step instruction process that can be used on a minikube or kind cluster
  • Do you have this in a cloud or other cluster?
  • Depth of 1 is explained here https://stackoverflow.com/questions/71051081/what-does-ssl-verify-depth-mean-in-nginx-conf
the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under SSLCACertificatePath)

But there is no information on SNI for the second host name you used, and so on

@longwuyuan
Contributor

The cert in the secret on Kubernetes does not have this hostname certificate-cn-different in the subject or alternate subject. This is my opinion. I could be wrong.

In any case this is a duplicate of #10682, so closing.

/close

@k8s-ci-robot
Contributor

@longwuyuan: Closing this issue.

In response to this:

The cert in the secret on Kubernetes does not have this hostname certificate-cn-different in the subject or alternate subject. This is my opinion. I could be wrong.

In any case this is a duplicate of #10682, so closing.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
