Cherry-pick branch 'rm/known-limitations-doc' into 'release/4.1'

rjeberhard · rjeberhard · commit 76089ff3a4f1 · 2023-12-14T23:18:23.000Z
diff --git a/documentation/site/content/_index.md b/documentation/site/content/_index.md
@@ -39,7 +39,7 @@ See the [operator prerequisites]({{< relref "/introduction/prerequisites/introdu
 
 #### Recent changes and known issues
 
-See the Release Notes for recent changes to the operator and known issues.
+See the [Release Notes](https://github.com/oracle/weblogic-kubernetes-operator/releases) for recent changes to the operator and [Known Limitations]({{< relref "/known-limitations/_index.md" >}}) for the current set of known issues.
 
 #### Operator earlier versions
 
diff --git a/documentation/site/content/known-limitations/_index.md b/documentation/site/content/known-limitations/_index.md
@@ -0,0 +1,70 @@
+---
+title: "Known limitations"
+date: 2019-02-23T08:14:59-05:00
+weight: 12
+draft: false
+---
+
+The following sections describe known limitations for WebLogic Kubernetes Operator. Each issue may contain a workaround or an associated issue number.
+
+#### NGINX SSL passthrough ingress service does not work with Kubernetes headless service
+
+**ISSUE**:
+When installing NGINX ingress controller with SSL passthrough enabled `--set "controller.extraArgs.enable-ssl-passthrough=true"`, any ingress rule created subsequently, using SSL passthrough to the individual server service, will fail.   
+
+```
+$ kubectl -n nginx get services
+NAME                                                TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)                      AGE
+nginx-operator-ingress-nginx-controller-admission   ClusterIP      10.43.234.82    <none>          443/TCP                      3m3s
+nginx-operator-ingress-nginx-controller             LoadBalancer   10.43.193.149   192.168.106.2   80:32315/TCP,443:31710/TCP   3m3s
+```
+
+For example, after creating the domain, the operator creates a headless Kubernetes service for each server and a headed service for the cluster.  The individual service for each server is headless as the `CLUSTER-IP` is `None`;  the cluster service is headed as the `CLUSTER-IP` has a valid IP address.
+
+```
+$ kubectl -n sample-domain1-ns get services
+NAME                                 TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)             AGE
+sample-domain1-admin-server          ClusterIP   None            <none>        7001/TCP,7002/TCP   23h
+sample-domain1-cluster-cluster-1     ClusterIP   10.43.108.163   <none>        8001/TCP,7002/TCP   23h
+sample-domain1-managed-server1       ClusterIP   None            <none>        8001/TCP,7002/TCP   23h
+```
+
+If you create a passthrough ingress rule to use SSL passthrough to access the admin server, for example:
+
+```
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: console-ssl-passthru
+  namespace: sample-domain1-ns
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-passthrough: 'true'
+spec:
+  ingressClassName: nginx
+  rules:
+    - http:
+        paths:
+          - backend:
+              service:
+                name: sample-domain1-admin-server
+                port:
+                  number: 7002
+            path: /
+            pathType: Prefix
+      host: localk8s.com
+```
+
+Accessing the WebLogic Console on the admin server, through the ingress controller, will result in an error.
+
+```
+curl -k -v -L https://localk8s.com:31710/console
+*   Trying 192.168.106.2:31710...
+* Connected to localk8s.com (192.168.106.2) port 31710 (#0)
+* ALPN: offers h2,http/1.1
+* (304) (OUT), TLS handshake, Client hello (1):
+* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localk8s.com:31710
+* Closing connection 0
+curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localk8s.com:31710
+```
+
+This is currently reported as an NGINX bug in https://github.com/kubernetes/ingress-nginx/issues/1718
diff --git a/documentation/site/content/managing-domains/accessing-the-domain/ingress/_index.md b/documentation/site/content/managing-domains/accessing-the-domain/ingress/_index.md
@@ -74,3 +74,7 @@ Information about how to install and configure these ingress controllers to load
  {{% /notice %}}
 
 Samples are also provided for the Traefik ingress controller, showing how to manage multiple WebLogic clusters as the backends, using different routing rules, host-routing and path-routing; and TLS termination: [Traefik samples](https://github.com/oracle/weblogic-kubernetes-operator/blob/{{< latestMinorVersion >}}/kubernetes/samples/charts/traefik/samples).
+
+{{% notice info %}}
+**NOTE** the following [Known Limitation]({{< relref "/known-limitations#nginx-ssl-passthrough-ingress-service-does-not-work-with-kubernetes-headless-service" >}}), NGINX SSL passthrough ingress service does not work with Kubernetes headless service.
+{{% /notice %}}
