-
Notifications
You must be signed in to change notification settings - Fork 590
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SNI issue with 0.7.1 #524
Comments
Hello, @hbagdi is there any progress or ETA on this? We are using a huge amount of dynamic (create/delete) ephemeral namespaces with the same certificate in our development process and parser issues are mostly break KONG configuration updates so our environments became inaccessible. |
@merlineus Can you elaborate on your use-case so that I understand why this happens? The fix for this will be either in 0.8 that is in the works or 0.8.1. |
Hello, sure. |
Let's try to do this asynchronously. Can you elaborate your use-case in this Github Issue itself? |
Below is an example of configuration. We have 2 namespace (in each 2 ingresses):
We also have the wildcard certificate for * .example.com (the certificate is kept in kubernetes secrets with name "wildcard-certificate-for-example-com" in each namespace). We configure ingresses in the namespaces as follows (an example is given only for test1):
After in the namespace "test2" we followed the steps described above (with a different dns name, but with same certificate) and in logs getting errors:
|
@merlineus
|
|
@hbagdi hi |
Controller 0.8.0 is the priority right now. The fix is a little involved so it will take me time to write it up. Expect a fix sometime in April. |
@hbagdi referenced issue #544 is a little bit different. Current issue is related to using the same certificates and error appears immediately after adding already present certificate to another namespace. But #544 is related to using different certificates - there is no error on adding certificate, but error appears accidentally after some time and possibly related to attempts to re-apply existing configuration. |
@hbagdi struggling with this issue for weeks. we eliminate all the possible duplication, change multiple SNIs to single and the problem still persists. Could you help me understand the possible cause? |
we removed all the tls.hosts entries from all ingresses in our cluster except a single one having only |
@RolandG we have cert-bot running in our cluster, which updates several times in a day. @hbagdi I see release 0.8.0 has came out but didn't target these bugs...any hope? |
hi @hbagdi
|
Hi, any news on the above? Would this be target in 0.8.1? |
This seemingly simple bug is a little challenging to fix because of the way the underlying libraries are designed. Meanwhile, there are two workarounds:
Stay tuned for a forthcoming patch to fix this issue. |
Hello everyone, Can someone in this thread give one patch a try and share some feedback if it fixes the problem or not? To test the patch in your dev cluster, please do a fresh install of Kong with the above docker image. If you do an in-place replace of the docker image, it will not fix the problem. Once you have the controller setup, please create duplicate secrets with the same TLS cert and associate different hostnames to the same cert using Ingress resources. |
@hbagdi Hi thanks for the patch. As I mentioned earlier, the problem be reproduced by keeping make update to ingress. |
hi @hbagdi Image of "proxy": kong log:
|
Are you sure you are running into this bug in DB-less mode? This code-path is not invoked in DB-less mode and it not possible to run into this. @elkh510 Can you please share reproducible steps for your case? |
hi @hbagdi
We have 2 namespace:
We also have the wildcard certificate for * .example.com (the certificate is kept in kubernetes secrets with name "wildcard-certificate-for-example-com" in each namespace). We configure ingresses in the namespaces as follows: Setup HTTPS redirect (same for two namespaces)
Setup ingress is directed to test-wildcard-1.example.com:
Setup ingress is directed to test-wildcard-2.example.com:
After in kong log:
|
@hbagdi we've multiple cluster running with db-less mode. when there is no configuration sync, everything goes fine. when shit happens, a simple patch can fix it by configuration resync, like below:
|
@Ehekatl, thanks for being patient. The problem I'm having is reproducing this bug in DB-less mode.
From this comment of yours, it seems that you are seeing a different bug here. A question for you, are you seeing an error log line similar to the following in your logs?
|
@hbagdi we don't have any error, even with debug log |
Good to hear. |
Previously, SNIs were treated as a property on Certificate resource in Kong. This breaks the synchronization loop when an SNI to Certificate association changes. The version of decK has been bumped up to v1.1.0, which treats SNIs as a separate entity. Fix #524
@hbagdi after running 2.0.3 with your fix |
Please wait for 0.8.1 (coming out later this week) and test it using that. |
@hbagdi but I'm running the lastet master...will there be new fix add this week? |
There is no new fix. What you are seeing is a different issue and this thread is not about that issue. |
In reference to #510
The problem still persists with 0.7.1. It takes longer to manifest now, but in the end there's still an issue and TLS still breaks from time to time.
When TLS does break kong may take quite some time to recover.
The text was updated successfully, but these errors were encountered: