Hi,
I added the sni annotation but kong still issues the localhost cert. Any thoughts?
This is Kong 3.3.1
# curl -vk https://onboardops.com --resolve onboardops.com:844:172.16.128.1
* Rebuilt URL to: https://onboardops.com/
* Trying 172.16.128.1...
* TCP_NODELAY set
* Connected to onboardops.com (172.16.128.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
* start date: Jul 31 03:10:01 2024 GMT
* expire date: Jul 26 03:10:01 2044 GMT
* issuer: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x55e51b32bac0)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/2
> Host: onboardops.com
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.3 (OUT), TLS app data, [no content] (0):
< HTTP/2 404
< date: Tue, 13 Aug 2024 21:07:21 GMT
< content-type: application/json; charset=utf-8
< content-length: 52
< x-kong-response-latency: 0
< server: kong/3.3.1
<
* TLSv1.3 (IN), TLS app data, [no content] (0):
{
"message":"no Route matched with those values"
* Connection #0 to host onboardops.com left intact
}
I followed this post and added the SNI to my ingress, but it does not solve the issue.
Here is my ingress with the SNI annotation.
kubectl get ingress proxy-from-k8s-to-mag-rest-oom -n via -oyaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    konghq.com/https-redirect-status-code: "301"
    konghq.com/plugins: ip-restriction-ped-deny
    konghq.com/preserve-host: "true"
    konghq.com/protocols: https
    konghq.com/snis: onboardops.com
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.k8s.io/v1","kind":"Ingress","metadata":{"annotations":{"konghq.com/https-redirect-status-code":"301","konghq.com/plugins":"ip-restriction-ped-deny","konghq.com/preserve-host":"true","konghq.com/protocols":"https","konghq.com/snis":"onboardops.com"},"name":"proxy-from-k8s-to-mag-rest-oom","namespace":"via"},"spec":{"ingressClassName":"kong","rules":[{"http":{"paths":[{"backend":{"service":{"name":"egress-mag-rest","port":{"number":8000}}},"path":"/","pathType":"Prefix"}]}}],"tls":[{"hosts":["onboardops.com"],"secretName":"onboardops-com-secret"}]}}
  creationTimestamp: "2024-07-31T03:09:26Z"
  generation: 1
  name: proxy-from-k8s-to-mag-rest-oom
  namespace: via
  resourceVersion: "1508"
  uid: 5b36728a-2d04-447b-b7d5-5c1ec0ef46c8
spec:
  ingressClassName: kong
  rules:
  - http:
      paths:
      - backend:
          service:
            name: egress-mag-rest
            port:
              number: 8000
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - onboardops.com
    secretName: onboardops-com-secret
status:
  loadBalancer:
    ingress:
    - ip: 172.16.109.133
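A probe to pin down the symptom above, added here as an example (not Kong's code and not from the poster): it connects to the gateway once offering the SNI name and once with no SNI at all, then reports which names each presented certificate carries, so you can see whether the snis annotation is being honoured or Kong is still answering with its default CN=localhost certificate. The name-matching helpers are standard library only; the live probe assumes the third-party `cryptography` package is installed, and the IP, port and hostname are taken from the command line.

```python
import socket
import ssl

def cert_names(cert: dict) -> list:
    """Subject CN plus DNS SANs from a cert dict shaped like ssl.getpeercert()."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names

def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost wildcard label (*.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")

def cert_matches(cert: dict, hostname: str) -> bool:
    """True if the presented certificate is valid for `hostname` by name."""
    return any(name_matches(n, hostname) for n in cert_names(cert))

def fetch_leaf_cert(ip: str, port: int, sni) -> dict:
    """Connect to ip:port offering `sni` (None = send no SNI) and return the leaf cert.
    Verification is disabled so a self-signed default cert is still visible; since
    ssl.getpeercert() returns {} for unverified peers, the DER is parsed with the
    third-party `cryptography` package (assumption: it is installed)."""
    from cryptography import x509
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            leaf = x509.load_der_x509_certificate(tls.getpeercert(binary_form=True))
    cn = [(("commonName", a.value),) for a in leaf.subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME)]
    try:
        san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        dns = [("DNS", n) for n in san.get_values_for_type(x509.DNSName)]
    except x509.ExtensionNotFound:
        dns = []
    return {"subject": tuple(cn), "subjectAltName": tuple(dns)}

if __name__ == "__main__":
    import sys
    ip, port, host = sys.argv[1], int(sys.argv[2]), sys.argv[3]  # e.g. 172.16.128.1 443 onboardops.com
    for label, sni in (("with SNI", host), ("without SNI", None)):
        cert = fetch_leaf_cert(ip, port, sni)
        print(f"{label:12}: names={cert_names(cert)} matches {host}: {cert_matches(cert, host)}")
```

If both runs print the localhost names, the gateway never selected a certificate for that SNI; if only the no-SNI run does, the fallback is expected and the client (or the port/--resolve pairing) is what needs checking.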