
There is no way to configure ca certificate for a backend server #1072

Closed
hkmo99 opened this issue Jan 24, 2024 · 3 comments

Comments


hkmo99 commented Jan 24, 2024

Description of the problem

The only way I was able to get a backend server to do TLS with a remote server is to manually add the ssl part (i.e., "ssl verify required ca-file .."):

server srv001 192.168.76.2:31590 weight 128 check inter 2s ssl verify required ca-file /etc/ssl/certs/rootCA.crt

The actual generated config line of the backend server is the following:

server srv001 192.168.76.2:31590 weight 128 check inter 2s

Expected behavior

Create a Kubernetes Secret for the ca certificate:

kubectl create secret generic ca-secret --from-file=tls.crt=rootCA.crt -n default

Add the below annotation to the Kubernetes service:

haproxy-ingress.github.io/secure-verify-ca-secret: "default/ca-secret"

Kubernetes Service Example:

more my_service.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
  name: httpbin-example-proxy
  namespace: default
  annotations:
    haproxy-ingress.github.io/secure-verify-ca-secret: "default/ca-secret"
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP

The EndpointSlice associated with this Kubernetes Service is the following (the backend service is remote):

apiVersion: discovery.k8s.io/v1
kind: EndpointSlice
metadata:
  labels:
    kubernetes.io/service-name: httpbin-example-proxy
  name: httpbin-example-endpointslice-1
  namespace: default
addressType: IPv4
endpoints:
- addresses:
  - 192.168.76.2
  conditions:
    ready: true
ports:
- name: https
  port: 31590
  protocol: TCP

The expected generated config line of the backend server for the service "httpbin-example-proxy" should be:

server srv001 192.168.76.2:31590 weight 128 check inter 2s ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt

The full example is provided in Issue-1071.

Steps to reproduce the problem

  1. Create the Kubernetes Service and the ca secret above (with the 'secure-verify-ca-secret' annotation).
  2. Create the EndpointSlice above.
  3. Create the Gateway and HTTPRoute as per Issue-1071.
  4. Apply the configurations and check the generated haproxy config.

Environment information

HAProxy Ingress version: v0.14.5


hkmo99 commented Jan 27, 2024

I discovered that there are some configuration keys that can be used to enable a CA certificate for a backend server:

However, using those keys has led to Issue-73.

@jcmoraisjr (Owner) commented

Hi, indeed, secure-verify-ca-secret is part of a group of configuration keys. You still need to enable ssl/tls via either backend-protocol or secure-backend as you've already pointed out.
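Putting the maintainer's point into a concrete manifest (an added example, not from the original thread or the project's own docs): the verify-CA key only takes effect once TLS to the backend is switched on, so the Service carries both `backend-protocol` and `secure-verify-ca-secret`. The `h1-ssl` value is taken from the HAProxy Ingress `backend-protocol` key and is an assumption for this illustration; the Secret contents are those of the `kubectl create secret` command in the issue.

```yaml
# Added example: the Service from the issue, with backend TLS enabled so that
# secure-verify-ca-secret is actually applied. Key names use the
# haproxy-ingress.github.io/ prefix seen on this page; the h1-ssl value is
# assumed from the HAProxy Ingress backend-protocol key (h1, h2, h1-ssl, h2-ssl).
apiVersion: v1
kind: Service
metadata:
  name: httpbin-example-proxy
  namespace: default
  annotations:
    # Without this key the generated server line has no "ssl" keyword at all,
    # so the CA secret below has no effect (the behaviour reported above).
    haproxy-ingress.github.io/backend-protocol: "h1-ssl"
    # Secret "default/ca-secret" holds tls.crt = rootCA.crt (see the kubectl
    # command in the issue); HAProxy verifies the backend's chain against it.
    haproxy-ingress.github.io/secure-verify-ca-secret: "default/ca-secret"
spec:
  ports:
  - name: https
    port: 443
    protocol: TCP
```

Expected effect: the generated server line gains `ssl verify required ca-file <path>`, as in the manually edited line at the top of the issue; confirm it by checking the generated haproxy config rather than by trusting that the annotation was accepted.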


This issue got stale and will be closed in 7 days.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jun 17, 2024