jcmoraisjr / haproxy-ingress

HAProxy Ingress
https://haproxy-ingress.github.io
Apache License 2.0

Remove dedicated maps for SNI match #1133

Closed jcmoraisjr closed 3 weeks ago

jcmoraisjr commented 1 month ago

SNI maps were incorrectly used to match requests on ancient versions of HAProxy Ingress - v0.4 or so. A separate group of match files was being used since then on TLS-based authentication configurations. We don't need it anymore, since all the mTLS configurations don't depend on the maps, so we're now dropping its support. Moreover, having a distinct group of match files leads to misbehavior depending on the configurations: a host and path with lower priority should be chosen if the one with more priority is added in the SNI maps.

There is one behavior change with this update: a missing or misconfigured host header, for an ingress with mTLS, with optional certificate, without sending a certificate, would fall back to SNI in order to try a match. Now, since only the host header is the source of truth, a non-matching host header with a distinct SNI will 404 despite its mTLS configuration.

jcmoraisjr commented 1 month ago

1109