stackoom
  简体   繁体   中英

Which Kubernetes ingress "wins" (tls and multiple ingresses for same host)?

 原文  2020-03-25 15:11:15       ssl/ kubernetes/ kubernetes-ingress

Question

Assume I have have two ingresses ingress-a and ingress-b for the same host but with different paths:

ingress-a :

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: app-a
  namespace: namespace-a
spec:
  rules:
  - host: myhost.com
    http:
      paths:
      - backend:
          serviceName: app-a
          servicePort: 8080
        path: /path-a
  tls:
  - hosts:
    - myhost.com
    secretName: tls-a

ingress-b :

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: app-b
  namespace: namespace-b
spec:
  rules:
  - host: myhost.com
    http:
      paths:
      - backend:
          serviceName: app-b
          servicePort: 8080
        path: /path-b
  tls:
  - hosts:
    - myhost.com
    secretName: tls-b

Now I need to update the certificate. Assume I create the new secret in tls-new but only update ingress-a to point to that. Which of the two ingresses would win ?

I guess I should simply overwrite the existing secret but I am trying to understand how the rules for ingresses would work in the above scenario where two different tls secrets are being referenced for the same host.

1 answers

solution1
 1  2020-03-25 15:54:46

NGINX and NGINX Plus Ingress controller for Kubernetes has support for mergeable Ingress Types.

A Master is declared using nginx.org/mergeable-ingress-type: master . A Master will process all configurations at the host level, which includes the TLS configuration, and any annotations which will be applied for the complete host. There can only be one ingress resource on a unique host that contains the master value. Paths cannot be part of the ingress resource.

A Minion is declared using nginx.org/mergeable-ingress-type: minion . A Minion will be used to append different locations to an ingress resource with the Master value. TLS configurations are not allowed. Multiple minions can be applied per master as long as they do not have conflicting paths. If a conflicting path is present then the path defined on the oldest minion will be used.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress-master
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/mergeable-ingress-type: "master"
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com

---

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress-coffee-minion
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/mergeable-ingress-type: "minion"
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80

The minion can not have TLS, only the master can have TLS and you change TLS in master.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Kubernetes ingress tls Kubernetes NGINX Ingress TLS issue Kubernetes Ingress not working with Traefik and TLS Supporting wildcard domains for TLS: Kubernetes Ingress on GKE Kubernetes nginx-ingress TLS issue Securing connections from ingress to services in Kubernetes with TLS Kubernetes Ingress TLS not being created with headless service Kubernetes NGINX Ingress Controller not picking up TLS Certificates kubernetes Ingress tls dosent work although the configuration seems to be correct k8s ingress multiple with tls hosts
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM