Description
I am exposing a micro service running on GCP's Kubernetes Engine via Google's Ingress load balancer. According to [Here], the load balancer supports multiple SSL certificates for different domain names via SNI lookup.
However, only the first specified SSL certificate is returned, and therefore I receive a "Your connection is not private" warning for domain-b. I would love to make an ingress controller for several domains, each with their own certificate.
My investigation shows that the first specified SSL certificate is always returned as the server certificate while performing the TLS handshake. (In the example below, certificate domain-a-net would always be returned.)
I verified that assumption as proposed in Here by calling the different domains with `curl -k -v <domain_name>`. Changing the order of the tls hosts returns a different certificate.
I tested it with two different ingress.yaml formats:
Version 1:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: some-name
spec:
  tls:
  - hosts:
    - www.domain-a.net
    - domain-a.net
    secretName: domain-a-net
  - hosts:
    - www.domain-b.org
    - domain-b.org
    secretName: domain-b-org
  backend:
    serviceName: some-name
    servicePort: 443
```
Version 2:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress
spec:
  rules:
  - host: domain-a.net
    http:
      paths:
      - path: /*
        backend:
          serviceName: some-name
          servicePort: 443
  - host: www.domain-a.net
    http:
      paths:
      - path: /*
        backend:
          serviceName: some-name
          servicePort: 443
  - host: www.domain-b.org
    http:
      paths:
      - path: /*
        backend:
          serviceName: some-name
          servicePort: 443
  - host: domain-b.org
    http:
      paths:
      - path: /*
        backend:
          serviceName: some-name
          servicePort: 443
  tls:
  - hosts:
    - www.domain-a.net
    - domain-a.net
    secretName: domain-a-net
  - hosts:
    - www.domain-b.net
    - domain-b.net
    secretName: domain-b-net
```
Thanks for taking a look into that issue.
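An added diagnostic script (mine, not part of this issue or of the project) that checks two things the report turns on: whether every `rules` host is covered by some `spec.tls[].hosts` entry, and which certificate names the load balancer actually presents for a given SNI name. `INGRESS_V2` is a constructed copy of the TLS-relevant fields of the "Version 2" config above; on it the check reports the `domain-b.org` rule hosts as uncovered, since that tls block lists `domain-b.net`. The live check assumes network access and a publicly trusted certificate chain.

```python
import socket
import ssl
import sys

# Constructed copy of the TLS-relevant parts of the reporter's "Version 2"
# Ingress (not from the original issue).
INGRESS_V2 = {
    "rules": [{"host": h} for h in
              ("domain-a.net", "www.domain-a.net", "www.domain-b.org", "domain-b.org")],
    "tls": [
        {"hosts": ["www.domain-a.net", "domain-a.net"], "secretName": "domain-a-net"},
        {"hosts": ["www.domain-b.net", "domain-b.net"], "secretName": "domain-b-net"},
    ],
}

def hostname_matches(host, pattern):
    """Exact match, or a single leading '*.' wildcard label (RFC 6125 style)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def uncovered_rule_hosts(ingress):
    """Rule hosts no spec.tls[].hosts entry covers: the LB has no cert for them."""
    tls_hosts = [h for blk in ingress.get("tls", []) for h in blk.get("hosts", [])]
    return [r["host"] for r in ingress.get("rules", []) if "host" in r
            and not any(hostname_matches(r["host"], p) for p in tls_hosts)]

def san_names(cert):
    """DNS subjectAltName entries from an ssl.SSLSocket.getpeercert() dict."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def served_cert_names(host, port=443, timeout=5.0):
    """Handshake with SNI=host, validate the chain but not the name, return SANs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # report the mismatch ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain check keeps getpeercert() populated
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return san_names(tls.getpeercert())

if __name__ == "__main__":
    for h in uncovered_rule_hosts(INGRESS_V2):
        print(f"no spec.tls entry covers rule host {h}")
    for h in sys.argv[1:]:  # e.g. check.py domain-a.net domain-b.org
        names = served_cert_names(h)
        ok = any(hostname_matches(h, n) for n in names)
        print(f"{h}: certificate names {names} -> {'OK' if ok else 'MISMATCH'}")
```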