SNIs creation appears broken with 0.7.0 ingress controller

Summary

Kong appears to have issues creating SNIs. Our ingresses share the same host; we do path-based routing.

Kong Ingress controller version
0.7.0 with postgres DB

Kong or Kong Enterprise version
1.4.3

Kubernetes version

v1.14.9-eks-c0eccc

Environment

  • Cloud provider or hardware configuration : AWS
  • OS (e.g. from /etc/os-release): AWS linux
  • Kernel (e.g. uname -a ): n/a
  • Install tools : helm
  • Others :

What happened

When the below happens, Kong starts falling back to the default localhost certificate, which makes TLS requests fail. After 5-10 minutes it sometimes recovers, only to then run into the same problem again.
Timing appears random, though I suspect it does it when it updates the configuration.

W0118 04:23:50.121945       1 parser.go:339] Deprecated KongCredential in use, please use secret-based credentials. KongCredential resource will be removed in future.
E0118 04:23:50.255044       1 controller.go:119] unexpected failure updating Kong configuration: 
1 errors occurred:
        while processing event: {Create} failed: 400 Bad Request {"message":"schema violation (snis: a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7')","name":"schema violation","fields":{"snis":"a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7'"},"code":2}
W0118 04:23:50.255072       1 queue.go:112] requeuing dev/dev-ops-tools-backend, err 1 errors occurred:
        while processing event: {Create} failed: 400 Bad Request {"message":"schema violation (snis: a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7')","name":"schema violation","fields":{"snis":"a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7'"},"code":2}
W0118 04:23:53.454872       1 parser.go:1043] service demo/demo-c-service does not have any active endpoints
W0118 04:23:53.454942       1 parser.go:1043] service dev/dev-b-service does not have any active endpoints
W0118 04:23:53.455034       1 parser.go:1043] service dev/dev-a-service does not have any active endpoints
W0118 04:23:53.455209       1 parser.go:339] Deprecated KongCredential in use, please use secret-based credentials. KongCredential resource will be removed in future.
I0118 04:23:53.583069       1 kong.go:66] successfully synced configuration to Kong

Expected behavior

Steps To Reproduce

  1. Create multiple ingresses pointing to the same TLS secret with same hostname
  2. Use postgres database
  3. Scale down kong to 1 pod.
  4. Watch logs

Let’s follow along this conversation at https://github.com/Kong/kubernetes-ingress-controller/issues/510
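
An added example, not part of the original report or of the controller's code: a small parser that pulls the SNI schema violations out of controller logs like the ones quoted above and reports which certificate holds the SNI, which Ingress was requeued, and when the next successful sync happened. The function name `sni_conflicts` and the summary fields are assumptions made for this illustration; the sample lines are taken from the log in the report.

```python
import json
import re

# Log lines taken from the report above (klog format; continuation lines carry no header).
SAMPLE_LOG = r"""E0118 04:23:50.255044       1 controller.go:119] unexpected failure updating Kong configuration:
1 errors occurred:
        while processing event: {Create} failed: 400 Bad Request {"message":"schema violation (snis: a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7')","name":"schema violation","fields":{"snis":"a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7'"},"code":2}
W0118 04:23:50.255072       1 queue.go:112] requeuing dev/dev-ops-tools-backend, err 1 errors occurred:
        while processing event: {Create} failed: 400 Bad Request {"message":"schema violation (snis: a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7')","name":"schema violation","fields":{"snis":"a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7'"},"code":2}
I0118 04:23:53.583069       1 kong.go:66] successfully synced configuration to Kong
"""

KLOG = re.compile(r"^([IWEF])\d{4} (\d\d:\d\d:\d\d\.\d+)\s+\d+ ([\w.]+):\d+\] (.*)$")
SNI = re.compile(r"^(\S+) already associated with existing certificate '([0-9a-f-]+)'$")

def sni_conflicts(log_text):
    """Map (sni, certificate_id) -> summary of rejected syncs and recovery time."""
    conflicts, header = {}, None
    for line in log_text.splitlines():
        m = KLOG.match(line)
        if m:
            header = m.groups()  # (severity, time, source file, message)
            if header[2] == "kong.go" and "successfully synced" in header[3]:
                for c in conflicts.values():
                    if c["recovered_at"] is None:
                        c["recovered_at"] = header[1]
            continue
        # Continuation line: the Admin API error body follows the status text.
        _, marker, body = line.partition("400 Bad Request ")
        if header is None or not marker:
            continue
        try:
            detail = json.loads(body).get("fields", {}).get("snis", "")
        except json.JSONDecodeError:
            continue  # truncated or wrapped log line
        hit = SNI.match(detail)
        if not hit:
            continue
        sev, ts, _, msg = header
        c = conflicts.setdefault(hit.groups(), {"errors": 0, "requeued": set(),
            "first_seen": ts, "last_seen": ts, "recovered_at": None})
        c["last_seen"], c["recovered_at"] = ts, None  # a repeat reopens the window
        if sev == "E":
            c["errors"] += 1  # count the controller error, not its requeue echo
        requeue = re.match(r"requeuing (\S+),", msg)
        if requeue:
            c["requeued"].add(requeue.group(1))
    return conflicts

if __name__ == "__main__":
    for (sni, cert), c in sni_conflicts(SAMPLE_LOG).items():
        print(sni, cert, c)
```

The gap between `first_seen` and `recovered_at` only bounds the failed sync in the log; clients may be served the fallback certificate for longer, as the report describes.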

