Background: customer wanted to use the same certificate for services in different namespaces as mTLS client certificate.
If we create multiple secrets with the same certificate-key pair, and use the secrets as client certificates via konghq.com/client-certificate, KIC will fail to apply the configuration and the error message will be empty so we cannot parse it.
declarative config is invalid: {}
This is because we will merge the certificates with the same content and only reserve one Kong certificate, but the client_certificate ID used in services are from the referred secret UID. So some of the services will refer to a non-exist certificate, which makes the Kong configuration invalid.
Expected Behavior
Both services can refer to the correct certificate in this scenario, or other ways to use the same certificates for services in different namespaces.
Steps To Reproduce
(1) Create 2 tls secrets with the same key-cert pair:
Is there an existing issue for this?
Current Behavior
Background: customer wanted to use the same certificate for services in different namespaces as mTLS client certificate.
If we create multiple secrets with the same certificate-key pair, and use the secrets as client certificates via
konghq.com/client-certificate
, KIC will fail to apply the configuration and the error message will be empty so we cannot parse it.This is because we will merge the certificates with the same content and only reserve one Kong certificate, but the
client_certificate
ID used in services are from the referred secret UID. So some of the services will refer to a non-exist certificate, which makes the Kong configuration invalid.Expected Behavior
Both services can refer to the correct certificate in this scenario, or other ways to use the same certificates for services in different namespaces.
Steps To Reproduce
(1) Create 2 tls secrets with the same key-cert pair:
(2) Create 2 services using the 2 secrets as client certificate, and 2 ingresses using them as backends:
Kong Ingress Controller version
2.12.3, but still exist in 3.2
Kubernetes version
Not relevant
Anything else?
No response