acuteaura opened a new issue, #1985:
URL: https://github.com/apache/apisix-ingress-controller/issues/1985

   ### Current Behavior
   
   When using more than one entry in the `.spec.tls` section of an ingress, the controller will generate multiple ApisixTls intermediate objects via translate:
   
   
https://github.com/apache/apisix-ingress-controller/blob/bca0d1da5e0d721ff7c94555821db55dd2659504/pkg/providers/ingress/translation/translator.go#L143-L144
   
   However, these objects do not get a unique name, since they're just using the ingress name and a `-tls` suffix:
   
   
https://github.com/apache/apisix-ingress-controller/blob/bca0d1da5e0d721ff7c94555821db55dd2659504/pkg/providers/ingress/translation/translator.go#L90-L93
   
   This leads to these objects both being persisted to APISIX's admin API with the same ID:
   
   
https://github.com/apache/apisix-ingress-controller/blob/bca0d1da5e0d721ff7c94555821db55dd2659504/pkg/providers/apisix/translation/apisix_ssl.go#L38-L39
   
   Thus, you only get one entry served in APISIX; the other one will result in `http_ssl_client_hello_phase` errors in APISIX.
   
   ```
   2023/09/26 12:46:34 [error] 49#49: *6842565 [lua] init.lua:215: http_ssl_client_hello_phase(): failed to match any SSL certificate by SNI: assets--staging--fun.[snip], context: ssl_client_hello_by_lua*, client: 172.70.243.103, server: 0.0.0.0:9443
   ```
   
   ### Expected Behavior
   
   The ingress controller generates a unique ApisixTls intermediate object, possibly containing the index.
   
   ### Error Logs
   
   _No response_
   
   ### Steps to Reproduce
   
   Create any ingress with multiple `.spec.tls` entries; observe that only one works.
   
   ### Environment
   
   - APISIX Ingress controller version (run `apisix-ingress-controller version --long`) `apache/apisix-ingress-controller:1.7.0`
   - Kubernetes cluster version (run `kubectl version`) `1.26.6`
   - OS version if running APISIX Ingress controller in a bare-metal environment (run `uname -a`) `N/A`
   


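The collision reported in this issue, modelled as an added example; it is not code from the issue or from apisix-ingress-controller. The function names, the in-memory store and the sample hosts are hypothetical, and it assumes the persisted ID is derived only from the object name.

```go
package main

import "fmt"

// tlsEntry models one item of an Ingress .spec.tls list.
type tlsEntry struct {
	Hosts      []string
	SecretName string
}

// Hypothetical naming schemes: the shared name the issue describes, and the
// index-qualified name it proposes under "Expected Behavior".
func sharedName(ingress string, _ int) string  { return ingress + "-tls" }
func indexedName(ingress string, i int) string { return fmt.Sprintf("%s-tls-%d", ingress, i) }

// missingSNIs upserts one object per entry into a store keyed by ID and
// returns the declared hosts that no stored object covers afterwards.
// Assumption: the ID is derived only from the object name.
func missingSNIs(ingress string, entries []tlsEntry, name func(string, int) string) []string {
	store := map[string][]string{} // ID -> SNIs, as an upsert-by-ID API would hold them
	for i, e := range entries {
		store[name(ingress, i)] = e.Hosts // same ID: the later entry replaces the earlier
	}
	served := map[string]bool{}
	for _, snis := range store {
		for _, sni := range snis {
			served[sni] = true
		}
	}
	var missing []string
	for _, e := range entries {
		for _, h := range e.Hosts {
			if !served[h] {
				missing = append(missing, h)
			}
		}
	}
	return missing
}

// sampleEntries is constructed input: two TLS entries on one Ingress.
func sampleEntries() []tlsEntry {
	return []tlsEntry{
		{Hosts: []string{"a.example.test"}, SecretName: "cert-a"},
		{Hosts: []string{"b.example.test"}, SecretName: "cert-b"},
	}
}

func main() {
	fmt.Println("shared name, unserved SNIs: ", missingSNIs("web", sampleEntries(), sharedName))
	fmt.Println("indexed name, unserved SNIs:", missingSNIs("web", sampleEntries(), indexedName))
}
```

A host reported as unserved here corresponds to an SNI that would fail certificate matching at the gateway, so the same comparison of declared hosts against stored SNIs works as a post-deploy check.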