Summary
Kong appears to have issues creating SNIs. Our ingresses are sharing the same host; we do path-based routing.
Kong Ingress controller version
0.7.0 with postgres DB
Kong or Kong Enterprise version
1.4.3
Kubernetes version
v1.14.9-eks-c0eccc
Environment
- Cloud provider or hardware configuration: AWS
- OS (e.g. from /etc/os-release): AWS linux
- Kernel (e.g. uname -a): n/a
- Install tools: helm
- Others:
What happened
When the below happens, Kong starts falling back to the default localhost certificate, which makes TLS requests fail. After 5-10 minutes, sometimes it recovers, only to then go into the same problem again.
Timing appears random, though I suspect it does it when it updates the configuration.
W0118 04:23:50.121945 1 parser.go:339] Deprecated KongCredential in use, please use secret-based credentials. KongCredential resource will be removed in future.
E0118 04:23:50.255044 1 controller.go:119] unexpected failure updating Kong configuration:
1 errors occurred:
while processing event: {Create} failed: 400 Bad Request {"message":"schema violation (snis: a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7')","name":"schema violation","fields":{"snis":"a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7'"},"code":2}
W0118 04:23:50.255072 1 queue.go:112] requeuing dev/dev-ops-tools-backend, err 1 errors occurred:
while processing event: {Create} failed: 400 Bad Request {"message":"schema violation (snis: a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7')","name":"schema violation","fields":{"snis":"a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7'"},"code":2}
W0118 04:23:53.454872 1 parser.go:1043] service demo/demo-c-service does not have any active endpoints
W0118 04:23:53.454942 1 parser.go:1043] service dev/dev-b-service does not have any active endpoints
W0118 04:23:53.455034 1 parser.go:1043] service dev/dev-a-service does not have any active endpoints
W0118 04:23:53.455209 1 parser.go:339] Deprecated KongCredential in use, please use secret-based credentials. KongCredential resource will be removed in future.
I0118 04:23:53.583069 1 kong.go:66] successfully synced configuration to Kong
Expected behavior
Steps To Reproduce
- Create multiple ingresses pointing to the same TLS secret with the same hostname
- Use postgres database
- Scale down Kong to 1 pod.
- Watch logs
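
A triage helper for the log pattern in this report, added here as an example (it is not part of the original issue or of the Kong project): it pulls each SNI conflict out of the controller log and measures how long it took until the next successful sync. The function name and record fields are this example's own, and the sample lines are copied from the log above.

```python
import json
import re
from datetime import datetime

# Sample lines copied from the controller log in the report above.
SAMPLE_LOG = """\
E0118 04:23:50.255044 1 controller.go:119] unexpected failure updating Kong configuration:
1 errors occurred:
while processing event: {Create} failed: 400 Bad Request {"message":"schema violation (snis: a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7')","name":"schema violation","fields":{"snis":"a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7'"},"code":2}
W0118 04:23:50.255072 1 queue.go:112] requeuing dev/dev-ops-tools-backend, err 1 errors occurred:
while processing event: {Create} failed: 400 Bad Request {"message":"schema violation (snis: a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7')","name":"schema violation","fields":{"snis":"a.domain.com already associated with existing certificate '11f9d5bf-2343-11ea-a792-0ed7c98255e7'"},"code":2}
I0118 04:23:53.583069 1 kong.go:66] successfully synced configuration to Kong
"""

KLOG = re.compile(r"^[IWEF](\d{4}) (\d{2}:\d{2}:\d{2}\.\d{6})\s+\d+ \S+\] (.*)$")
SNI = re.compile(r"^(\S+) already associated with existing certificate '([0-9a-f-]+)'")

def sni_conflicts(log_text):
    """Return one record per (host, certificate id) SNI conflict in a controller log."""
    conflicts, open_keys, last_ts = {}, set(), None
    for line in log_text.splitlines():
        head = KLOG.match(line)
        if head:
            # klog omits the year; 2000 is an assumed placeholder (a leap year, so 0229 parses).
            last_ts = datetime.strptime("2000" + head.group(1) + " " + head.group(2), "%Y%m%d %H:%M:%S.%f")
            if "successfully synced configuration to Kong" in head.group(3):
                for key in open_keys:  # a good sync closes every open conflict episode
                    start = conflicts[key]["episode_start"]
                    if start is not None:
                        conflicts[key]["recovered_after_s"] = (last_ts - start).total_seconds()
                open_keys.clear()
            continue
        if "400 Bad Request" not in line:
            continue
        try:  # the Admin API error body is the JSON object after the status text
            body = json.loads(line[line.index("{", line.index("400 Bad Request")):])
        except ValueError:
            continue
        m = SNI.match(str(body.get("fields", {}).get("snis", "")))
        if not m:
            continue
        key = (m.group(1), m.group(2))
        rec = conflicts.setdefault(key, {"host": key[0], "cert_id": key[1], "count": 0})
        if key not in open_keys:  # first hit since the last good sync starts a new episode
            rec["episode_start"], rec["recovered_after_s"] = last_ts, None
        rec["count"] += 1
        open_keys.add(key)
    return list(conflicts.values())

if __name__ == "__main__":
    for record in sni_conflicts(SAMPLE_LOG):
        print(record)
```

A record whose `recovered_after_s` is still `None` at the end of the log marks a conflict that had not been followed by a successful sync.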