Which Kubernetes ingress "wins" (tls and multiple ingresses for same host)?

3/25/2020

Assume I have two ingresses ingress-a and ingress-b for the same host but with different paths:

ingress-a:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: app-a
  namespace: namespace-a
spec:
  rules:
  - host: myhost.com
    http:
      paths:
      - backend:
          serviceName: app-a
          servicePort: 8080
        path: /path-a
  tls:
  - hosts:
    - myhost.com
    secretName: tls-a

ingress-b:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: app-b
  namespace: namespace-b
spec:
  rules:
  - host: myhost.com
    http:
      paths:
      - backend:
          serviceName: app-b
          servicePort: 8080
        path: /path-b
  tls:
  - hosts:
    - myhost.com
    secretName: tls-b

Now I need to update the certificate. Assume I create the new secret in tls-new but only update ingress-a to point to that. Which of the two ingresses would win?

I guess I should simply overwrite the existing secret but I am trying to understand how the rules for ingresses would work in the above scenario where two different tls secrets are being referenced for the same host.

-- u123
kubernetes
kubernetes-ingress
ssl

1 Answer

3/25/2020

NGINX and NGINX Plus Ingress controllers for Kubernetes have support for mergeable Ingress Types.

A Master is declared using nginx.org/mergeable-ingress-type: master. A Master will process all configurations at the host level, which includes the TLS configuration, and any annotations which will be applied for the complete host. There can only be one ingress resource on a unique host that contains the master value. Paths cannot be part of the ingress resource.

A Minion is declared using nginx.org/mergeable-ingress-type: minion. A Minion will be used to append different locations to an ingress resource with the Master value. TLS configurations are not allowed. Multiple minions can be applied per master as long as they do not have conflicting paths. If a conflicting path is present then the path defined on the oldest minion will be used.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress-master
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/mergeable-ingress-type: "master"
spec:
  tls:
  - hosts:
    - cafe.example.com
    secretName: cafe-secret
  rules:
  - host: cafe.example.com

---

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress-coffee-minion
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/mergeable-ingress-type: "minion"
spec:
  rules:
  - host: cafe.example.com
    http:
      paths:
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80

The minion cannot have TLS; only the master can have TLS, and you change TLS in the master.

-- Arghya Sadhu
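The rules above can be turned into a manifest check. The following is an added example, not code from the question, the answer, or any ingress controller: it takes Ingress objects already parsed into dicts (the `ingress()` builder and the `QUESTION` list are constructed here to reproduce the question's two resources with ingress-a moved to tls-new) and flags a host served with more than one TLS secret, plus the master/minion constraints the answer lists. It does not decide which secret the controller ends up serving; it only surfaces that the manifests leave it ambiguous.

```python
from collections import defaultdict

MERGE_KEY = "nginx.org/mergeable-ingress-type"

def ingress(name, namespace, host, path=None, secret=None, role=None):
    """Constructed input: a minimal Ingress dict shaped like parsed YAML."""
    ann = {"kubernetes.io/ingress.class": "nginx", **({MERGE_KEY: role} if role else {})}
    rule = {"host": host}
    if path:
        rule["http"] = {"paths": [{"path": path, "backend": {"serviceName": name}}]}
    spec = {"rules": [rule], "tls": [{"hosts": [host], "secretName": secret}] if secret else []}
    return {"metadata": {"name": name, "namespace": namespace, "annotations": ann}, "spec": spec}

def lint_ingresses(ingresses):
    """Return findings for the host-level ambiguities discussed in the answer."""
    findings, secrets, masters, owners = [], defaultdict(set), defaultdict(list), defaultdict(dict)
    for ing in ingresses:
        meta = ing["metadata"]
        name = f"{meta['namespace']}/{meta['name']}"
        role = meta.get("annotations", {}).get(MERGE_KEY)
        for tls in ing["spec"].get("tls", []):
            if role == "minion":           # minions may not carry TLS
                findings.append(f"{name}: minion must not carry a tls section")
            for host in tls.get("hosts", []):
                secrets[host].add((meta["namespace"], tls["secretName"]))
        for rule in ing["spec"].get("rules", []):
            host, paths = rule["host"], rule.get("http", {}).get("paths", [])
            if role == "master":           # masters own the host, never paths
                masters[host].append(name)
                if paths:
                    findings.append(f"{name}: master must not define paths")
            for p in paths:                # same path claimed twice for one host
                owner = owners[host].setdefault(p["path"], name)
                if owner != name:
                    findings.append(f"{host}{p['path']}: defined by {owner} and {name}")
    for host, s in secrets.items():        # the question's case: two secrets, one host
        if len(s) > 1:
            findings.append(f"{host}: {len(s)} TLS secrets referenced {sorted(s)}")
    for host, names in masters.items():
        if len(names) > 1:
            findings.append(f"{host}: more than one master ({', '.join(names)})")
    return findings

# The question's scenario: ingress-a moved to tls-new, ingress-b still on tls-b.
QUESTION = [
    ingress("app-a", "namespace-a", "myhost.com", "/path-a", "tls-new"),
    ingress("app-b", "namespace-b", "myhost.com", "/path-b", "tls-b"),
]
if __name__ == "__main__":
    print("\n".join(lint_ingresses(QUESTION)))
```

Running it against a live cluster means feeding it the items of `kubectl get ingress -A -o json` instead of the constructed list.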
Source: StackOverflow