SNIs creation appears broken with 0.7.0 ingress controller

dcherniv · January 18, 2020, 4:25pm

Summary

Kong appears to have issues creating SNIs. Our ingresses are sharing the same host, we do path based routing.

Kong Ingress controller version
0.7.0 with postgres DB

Kong or Kong Enterprise version
1.4.3

Kubernetes version

v1.14.9-eks-c0eccc

Environment

Cloud provider or hardware configuration : AWS
OS (e.g. from /etc/os-release): AWS linux
Kernel (e.g. uname -a ): n/a
Install tools : helm
Others :

What happened

When below happens kong starts falling back to default localhost certificate, which makes TLS request fail. After 5-10 minutes, sometimes it recovers, only to then go into the same problem again.
Timing appears random, though i suspect it does it when it updates the configuration.

W0118 04:23:50.121945       1 parser.go:339] Deprecated KongCredential in use, please use secret-based credentials. KongCredential resource will be removed in future.
E0118 04:23:50.255044       1 controller.go:119] unexpected failure updating Kong configuration: 
1 errors occurred:
        while processing event: {Create} failed: 400 Bad Request {"message":"schema violation (snis: a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7')","name":"schema violation","fields":{"snis":"a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7'"},"code":2}
W0118 04:23:50.255072       1 queue.go:112] requeuing dev/dev-ops-tools-backend, err 1 errors occurred:
        while processing event: {Create} failed: 400 Bad Request {"message":"schema violation (snis: a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7')","name":"schema violation","fields":{"snis":"a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7'"},"code":2}
W0118 04:23:53.454872       1 parser.go:1043] service demo/demo-c-service does not have any active endpoints
W0118 04:23:53.454942       1 parser.go:1043] service dev/dev-b-service does not have any active endpoints
W0118 04:23:53.455034       1 parser.go:1043] service dev/dev-a-service does not have any active endpoints
W0118 04:23:53.455209       1 parser.go:339] Deprecated KongCredential in use, please use secret-based credentials. KongCredential resource will be removed in future.
I0118 04:23:53.583069       1 kong.go:66] successfully synced configuration to Kong

Expected behavior

Steps To Reproduce

Create multiple ingresses pointing to the same TLS secret with same hostname
Use postgres database
Scale down kong to 1 pod.
Watch logs

hbagdi · January 20, 2020, 5:50pm

Let’s follow along this conversation at https://github.com/Kong/kubernetes-ingress-controller/issues/510

Topic		Replies	Views
Custom SSL Certs not working Installation/Setup	4	1851	March 1, 2019
Local certificates with db less Kong Kubernetes	2	820	November 1, 2019
Kong Ingress Controller Default certificate Kubernetes	2	807	January 8, 2022
Intermittently receive "not secure" message and missing TLS padlock in the browser	1	436	March 30, 2021
Kubernetes Ingress Controller , AWS Certificate , gives 400 bad resposne error Kubernetes	1	1267	August 11, 2020