ingress.kubernetes.io/secure-verify-ca-secret annotation not working for nginx 0.12.0

[stanltam]

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):

---

Is this a BUG REPORT or FEATURE REQUEST? (choose one):

NGINX Ingress controller version:

Kubernetes version (use kubectl version):
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.0+icp-ee", GitCommit:"9cb64de4ca4d039c35f4a29721aa5cf787648a15", GitTreeState:"clean", BuildDate:"2018-04-27T06:32:18Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

Environment:

• Cloud provider or hardware configuration:IBM ICP
• OS (e.g. from /etc/os-release): Ubuntu
• Kernel (e.g. uname -a):
  Linux devops-sfs-uat 4.4.0-116-generic proposal: application health check #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
• Install tools:
  helm chart
• Others:

What happened:
I want to have ingress controller to verify the certificate of upstream is trusted or not.
As suggested from https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#secure-backends, i tried to use ingress.kubernetes.io/secure-verify-ca-secret annotation, but I found that there is no changes in nginx.conf in the controller pod and so no effect ....

Please find the attached nginx conf and ingress yaml

Issue.zip

What you expected to happen:
The ingress.kubernetes.io/secure-verify-ca-secret annotation will take effect and will check the upstream certificate

How to reproduce it (as minimally and precisely as possible):

Create the ingress using the yaml provided

Anything else we need to know:

[aledbf]

@stanltam please check the flags in the ingress controller deployment. If you have something like --annotations-prefix=nginx.ingress.kubernetes.io then you need to add nginx. as prefix

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[aledbf]

Closing. Please update to the latest release and reopen if the issue persists

[sebastianblunt]

Hi, I've noticed the same thing. On version 0.24.1 (but looking at the code, there doesn't seem to have been any changes to it in 0.25, I'd still be happy to try on 0.25 if requested.)

Basically specifying a secret in secure-verify-ca-secret does not appear to make any difference at all except a log

nginx-ingress-controller-76dfb6bd8-nh486 nginx-ingress-controller I0801 00:51:49.410703       6 backend_ssl.go:60] Updating Secret "dev/ingress-test" in the local store

Specifying any certificate in the secure-verify-ca-secret annotation and then having the same backend serve up a completely different (self-signed) certificate does not lead to any errors at all.

The now-deleted documentation said

Note that if an invalid or non-existent secret is given,
the ingress controller will ignore the `secure-backends` annotation.

Not sure what an invalid secret might look like, I've been using kubectl create secret tls ingress-test --key ... --cert ...

I am confident my annotation prefix is correct, as changing other annotations (e.g. auth-realm) behaves correctly.

Any ideas? Should I open a new ticket?