ingress-nginx-helm/examples/auth/client-certs/index.html

<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><link href=https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/ rel=canonical><link href=../basic/ rel=prev><link href=../external-auth/ rel=next><link rel=icon href=../../../assets/images/favicon.png><meta name=generator content="mkdocs-1.5.3, mkdocs-material-9.4.5"><title>Client Certificate Authentication - Ingress-Nginx Controller</title><link rel=stylesheet href=../../../assets/stylesheets/main.6a10b989.min.css><link rel=stylesheet href=../../../assets/stylesheets/palette.356b1318.min.css><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback"><style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style><link rel=stylesheet href=../../../extra.css><script>__md_scope=new URL("../../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script></head> <body dir=ltr data-md-color-scheme=default data-md-color-primary=teal data-md-color-accent=green> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#client-certificate-authentication class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <header class="md-header md-header--shadow md-header--lifted" data-md-component=header> <nav class="md-header__inner md-grid" aria-label=Header> <a href=../../.. title="Ingress-Nginx Controller" class="md-header__button md-logo" aria-label="Ingress-Nginx Controller" data-md-component=logo> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> <label class="md-header__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg> </label> <div class=md-header__title data-md-component=header-title> <div class=md-header__ellipsis> <div class=md-header__topic> <span class=md-ellipsis> Ingress-Nginx Controller </span> </div> <div class=md-header__topic data-md-component=header-topic> <span class=md-ellipsis> Client Certificate Authentication </span> </div> </div> </div> <label class="md-header__button md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> </label> <div class=md-search data-md-component=search role=dialog> <label class=md-search__overlay for=__search></label> <div class=md-search__inner role=search> <form class=md-search__form name=search> <input type=text class=md-search__input name=query aria-label=Search placeholder=Search autocapitalize=off autocorrect=off autocomplete=off spellcheck=false data-md-component=search-query required> <label class="md-search__icon md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </label> <nav class=md-search_
</code></pre></div> <ul> <li>Generate the Server Key, and Certificate and Sign with the CA Certificate:</li> </ul> <div class=highlight><pre><span></span><code>openssl<span class=w> </span>req<span class=w> </span>-new<span class=w> </span>-newkey<span class=w> </span>rsa:4096<span class=w> </span>-keyout<span class=w> </span>server-key.der<span class=w> </span>-out<span class=w> </span>server.csr<span class=w> </span>-nodes<span class=w> </span>-subj<span class=w> </span><span class=s1>&#39;/CN=mydomain.com&#39;</span>
openssl<span class=w> </span>x509<span class=w> </span>-req<span class=w> </span>-sha256<span class=w> </span>-days<span class=w> </span><span class=m>365</span><span class=w> </span>-in<span class=w> </span>server.csr<span class=w> </span>-CA<span class=w> </span>ca-cert.der<span class=w> </span>-CAkey<span class=w> </span>ca-key.der<span class=w> </span>-set_serial<span class=w> </span><span class=m>01</span><span class=w> </span>-out<span class=w> </span>server-cert.der
</code></pre></div> <p><img alt=📝 class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@14.1.2/assets/svg/1f4dd.svg title=:memo:> The CN (Common Name) x.509 attribute for the server Certificate <strong><em>must</em></strong> match the dns hostname referenced in ingress definition, see example below.</p> <ul> <li>Generate the Client Key, and Certificate and Sign with the CA Certificate:</li> </ul> <div class=highlight><pre><span></span><code>openssl<span class=w> </span>req<span class=w> </span>-new<span class=w> </span>-newkey<span class=w> </span>rsa:4096<span class=w> </span>-keyout<span class=w> </span>client-key.der<span class=w> </span>-out<span class=w> </span>client.csr<span class=w> </span>-nodes<span class=w> </span>-subj<span class=w> </span><span class=s1>&#39;/CN=My Client&#39;</span>
openssl<span class=w> </span>x509<span class=w> </span>-req<span class=w> </span>-sha256<span class=w> </span>-days<span class=w> </span><span class=m>365</span><span class=w> </span>-in<span class=w> </span>client.csr<span class=w> </span>-CA<span class=w> </span>ca-cert.der<span class=w> </span>-CAkey<span class=w> </span>ca-key.der<span class=w> </span>-set_serial<span class=w> </span><span class=m>02</span><span class=w> </span>-out<span class=w> </span>client-cert.der
</code></pre></div> <h2 id=2-import-certificates-keys-to-kubernetes-secret-backend>2. Import Certificates / Keys to Kubernetes Secret-Backend<a class=headerlink href=#2-import-certificates-keys-to-kubernetes-secret-backend title="Permanent link"> ¶</a></h2> <ul> <li>Convert all files specified in 1) from .der (binary format) to .pem (base64 encoded):</li> </ul> <div class=highlight><pre><span></span><code>openssl<span class=w> </span>x509<span class=w> </span>-in<span class=w> </span>certificate.der<span class=w> </span>-inform<span class=w> </span>der<span class=w> </span>-out<span class=w> </span>certificate.crt<span class=w> </span>-outform<span class=w> </span>pem
</code></pre></div> <p><img alt=❗ class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@14.1.2/assets/svg/2757.svg title=:exclamation:> Kubernetes Web-Services import relies on .pem Base64-encoded format.</p> <p><img alt=⚡ class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@14.1.2/assets/svg/26a1.svg title=:zap:> There is no need to import the CA Private Key, the Private Key is used only to sign new Client Certificates by the CA.</p> <ul> <li>Import the CA Certificate as Kubernetes sub-type <code>generic/ca.crt</code></li> </ul> <div class=highlight><pre><span></span><code>kubectl<span class=w> </span>create<span class=w> </span>secret<span class=w> </span>generic<span class=w> </span>ca-secret<span class=w> </span>--from-file<span class=o>=</span>ca.crt<span class=o>=</span>./ca-cert.pem
</code></pre></div> <ul> <li>Import the Server Certificate and Key as Kubernetes sub-type <code>tls</code> for transport layer</li> </ul> <div class=highlight><pre><span></span><code>kubectl<span class=w> </span>create<span class=w> </span>secret<span class=w> </span>tls<span class=w> </span>tls-secret<span class=w> </span>--cert<span class=w> </span>./server-cert.pem<span class=w> </span>--key<span class=w> </span>./server-key.pem
</code></pre></div> <ul> <li>Optional import CA-cert, Server-cert and Server-Key for TLS and Client-Auth</li> </ul> <div class=highlight><pre><span></span><code>kubectl<span class=w> </span>create<span class=w> </span>secret<span class=w> </span>generic<span class=w> </span>tls-and-auth<span class=w> </span>--from-file<span class=o>=</span>tls.crt<span class=o>=</span>./server-crt.pem<span class=w> </span>--from-file<span class=o>=</span>tls.key<span class=o>=</span>./server-key.pem<span class=w> </span>--from-file<span class=o>=</span>ca.crt<span class=o>=</span>./ca-cert.pem
</code></pre></div> <ul> <li>Optional import a CRL (Certificate Revocation List)</li> </ul> <div class=highlight><pre><span></span><code>kubectl<span class=w> </span>create<span class=w> </span>secret<span class=w> </span>generic<span class=w> </span>ca-secret<span class=w> </span>--from-file<span class=o>=</span>ca.crt<span class=o>=</span>./ca-cert.pem<span class=w> </span>--from-file<span class=o>=</span>ca.crl<span class=o>=</span>./ca-crl.pem
</code></pre></div> <h2 id=3-annotations-ingress-reference>3. Annotations / Ingress-Reference<a class=headerlink href=#3-annotations-ingress-reference title="Permanent link"> ¶</a></h2> <p>Now we are able to reference the created secrets in the ingress definition.</p> <p><img alt=📝 class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@14.1.2/assets/svg/1f4dd.svg title=:memo:> The CA Certificate "authentication" will be reference in annotations.</p> <table> <thead> <tr> <th>Annotation</th> <th>Description</th> <th>Remark</th> </tr> </thead> <tbody> <tr> <td>nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"</td> <td>Activate Client-Auth</td> <td>If "on", verify client Certificate</td> </tr> <tr> <td>nginx.ingress.kubernetes.io/auth-tls-secret: "namespace/ca-secret"</td> <td>CA "secret" reference</td> <td>Secret namespace and service / ingress namespace must match</td> </tr> <tr> <td>nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"</td> <td>CA "chain" depth</td> <td>How many CA levels should be processed</td> </tr> <tr> <td>nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"</td> <td>Pass Cert / Header</td> <td>Pass Certificate to Web-App for e.g. parsing Client E-Mail Address x.509 Property</td> </tr> </tbody> </table> <p><img alt=📝 class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@14.1.2/assets/svg/1f4dd.svg title=:memo:> The Server Certificate for transport layer will be referenced in tls .yaml subsection.</p> <div class=highlight><pre><span></span><code><span class=nt>tls</span><span class=p>:</span>
<span class=w>  </span><span class="p p-Indicator">-</span><span class=w> </span><span class=nt>hosts</span><span class=p>:</span>
<span class=w>    </span><span class="p p-Indicator">-</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">mydomain.com</span>
<span class=w>    </span><span class=nt>secretName</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">tls-secret</span>
</code></pre></div> <h2 id=4-example-test>4. Example / Test<a class=headerlink href=#4-example-test title="Permanent link"> ¶</a></h2> <p>The working .yaml Example: <a href=ingress.yaml>ingress.yaml</a></p> <ul> <li>Test by performing a curl / wget against the Ingress Path without the Client Cert and expect a Status Code 400 (Bad Request - No required SSL certificate was sent).</li> <li>Test by performing a curl / wget against the Ingress Path with the Client Cert and expect a Status Code 200.</li> </ul> <div class=highlight><pre><span></span><code>wget<span class=w> </span><span class=se>\</span>
--ca-cert<span class=o>=</span>ca-cert.pem<span class=w> </span><span class=se>\</span>
--certificate<span class=o>=</span>client-cert.pem<span class=w> </span><span class=se>\</span>
--private-key<span class=o>=</span>client-key.pem<span class=w> </span><span class=se>\</span>
https://mydomain.com
</code></pre></div> <h2 id=5-remarks>5. Remarks<a class=headerlink href=#5-remarks title="Permanent link"> ¶</a></h2> <table> <thead> <tr> <th><img alt=❗ class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@14.1.2/assets/svg/2757.svg title=:exclamation:> In future releases, CN verification seems to be "replaced" by SAN (Subject Alternate Name) for verrification, so do not forget to add</th> </tr> </thead> <tbody> <tr> <td></td> </tr> </tbody> </table> <div class=highlight><pre><span></span><code>openssl<span class=w> </span>req<span class=w> </span>-addext<span class=w> </span><span class=s2>&quot;subjectAltName = DNS:mydomain.com&quot;</span><span class=w> </span>...
</code></pre></div> </article> </div> </div> </main> <footer class=md-footer> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class=md-copyright> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a> </div> </div> </div> </footer> </div> <div class=md-dialog data-md-component=dialog> <div class="md-dialog__inner md-typeset"></div> </div> <script id=__config type=application/json>{"base": "../../..", "features": ["navigation.tabs", "navigation.tabs.sticky", "navigation.instant", "navigation.sections"], "search": "../../../assets/javascripts/workers/search.f886a092.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script> <script src=../../../assets/javascripts/bundle.aecac24b.min.js></script> </body> </html>
Deploy GitHub Pages 2023-12-21 09:55:48 +00:00			<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><link href=https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/ rel=canonical><link href=../basic/ rel=prev><link href=../external-auth/ rel=next><link rel=icon href=../../../assets/images/favicon.png><meta name=generator content="mkdocs-1.5.3, mkdocs-material-9.4.5"><title>Client Certificate Authentication - Ingress-Nginx Controller</title><link rel=stylesheet href=../../../assets/stylesheets/main.6a10b989.min.css><link rel=stylesheet href=../../../assets/stylesheets/palette.356b1318.min.css><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback"><style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style><link rel=stylesheet href=../../../extra.css><script>__md_scope=new URL("../../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script></head> <body dir=ltr data-md-color-scheme=default data-md-color-primary=teal data-md-color-accent=green> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#client-certificate-authentication class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <header class="md-header md-header--shadow md-header--lifted" data-md-component=header> <nav class="md-header__inner md-grid" aria-label=Header> <a href=../../.. title="Ingress-Nginx Controller" class="md-header__button md-logo" aria-label="Ingress-Nginx Controller" data-md-component=logo> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> <label class="md-header__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg> </label> <div class=md-header__title data-md-component=header-title> <div class=md-header__ellipsis> <div class=md-header__topic> <span class=md-ellipsis> Ingress-Nginx Controller </span> </div> <div class=md-header__topic data-md-component=header-topic> <span class=md-ellipsis> Client Certificate Authentication </span> </div> </div> </div> <label class="md-header__button md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> </label> <div class=md-search data-md-component=search role=dialog> <label class=md-search__overlay for=__search></label> <div class=md-search__inner role=search> <form class=md-search__form name=search> <input type=text class=md-search__input name=query aria-label=Search placeholder=Search autocapitalize=off autocorrect=off autocomplete=off spellcheck=false data-md-component=search-query required> <label class="md-search__icon md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </label> <nav class=md-search_
Deploy GitHub Pages 2023-12-09 19:31:42 +00:00			</code></pre></div> <ul> <li>Generate the Server Key, and Certificate and Sign with the CA Certificate:</li> </ul> <div class=highlight><pre><span></span><code>openssl<span class=w> </span>req<span class=w> </span>-new<span class=w> </span>-newkey<span class=w> </span>rsa:4096<span class=w> </span>-keyout<span class=w> </span>server-key.der<span class=w> </span>-out<span class=w> </span>server.csr<span class=w> </span>-nodes<span class=w> </span>-subj<span class=w> </span><span class=s1>'/CN=mydomain.com'</span>
			`openssl<span class=w> </span>x509<span class=w> </span>-req<span class=w> </span>-sha256<span class=w> </span>-days<span class=w> </span><span class=m>365</span><span class=w> </span>-in<span class=w> </span>server.csr<span class=w> </span>-CA<span class=w> </span>ca-cert.der<span class=w> </span>-CAkey<span class=w> </span>ca-key.der<span class=w> </span>-set_serial<span class=w> </span><span class=m>01</span><span class=w> </span>-out<span class=w> </span>server-cert.der`
			</code></pre></div> <p><img alt=📝 class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@14.1.2/assets/svg/1f4dd.svg title=:memo:> The CN (Common Name) x.509 attribute for the server Certificate <strong><em>must</em></strong> match the dns hostname referenced in ingress definition, see example below.</p> <ul> <li>Generate the Client Key, and Certificate and Sign with the CA Certificate:</li> </ul> <div class=highlight><pre><span></span><code>openssl<span class=w> </span>req<span class=w> </span>-new<span class=w> </span>-newkey<span class=w> </span>rsa:4096<span class=w> </span>-keyout<span class=w> </span>client-key.der<span class=w> </span>-out<span class=w> </span>client.csr<span class=w> </span>-nodes<span class=w> </span>-subj<span class=w> </span><span class=s1>'/CN=My Client'</span>
			`openssl<span class=w> </span>x509<span class=w> </span>-req<span class=w> </span>-sha256<span class=w> </span>-days<span class=w> </span><span class=m>365</span><span class=w> </span>-in<span class=w> </span>client.csr<span class=w> </span>-CA<span class=w> </span>ca-cert.der<span class=w> </span>-CAkey<span class=w> </span>ca-key.der<span class=w> </span>-set_serial<span class=w> </span><span class=m>02</span><span class=w> </span>-out<span class=w> </span>client-cert.der`
			</code></pre></div> <h2 id=2-import-certificates-keys-to-kubernetes-secret-backend>2. Import Certificates / Keys to Kubernetes Secret-Backend<a class=headerlink href=#2-import-certificates-keys-to-kubernetes-secret-backend title="Permanent link"> ¶</a></h2> <ul> <li>Convert all files specified in 1) from .der (binary format) to .pem (base64 encoded):</li> </ul> <div class=highlight><pre><span></span><code>openssl<span class=w> </span>x509<span class=w> </span>-in<span class=w> </span>certificate.der<span class=w> </span>-inform<span class=w> </span>der<span class=w> </span>-out<span class=w> </span>certificate.crt<span class=w> </span>-outform<span class=w> </span>pem
			</code></pre></div> <p><img alt=❗ class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@14.1.2/assets/svg/2757.svg title=:exclamation:> Kubernetes Web-Services import relies on .pem Base64-encoded format.</p> <p><img alt=⚡ class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@14.1.2/assets/svg/26a1.svg title=:zap:> There is no need to import the CA Private Key, the Private Key is used only to sign new Client Certificates by the CA.</p> <ul> <li>Import the CA Certificate as Kubernetes sub-type <code>generic/ca.crt</code></li> </ul> <div class=highlight><pre><span></span><code>kubectl<span class=w> </span>create<span class=w> </span>secret<span class=w> </span>generic<span class=w> </span>ca-secret<span class=w> </span>--from-file<span class=o>=</span>ca.crt<span class=o>=</span>./ca-cert.pem
			`</code></pre></div> <ul> <li>Import the Server Certificate and Key as Kubernetes sub-type <code>tls</code> for transport layer</li> </ul> <div class=highlight><pre><span></span><code>kubectl<span class=w> </span>create<span class=w> </span>secret<span class=w> </span>tls<span class=w> </span>tls-secret<span class=w> </span>--cert<span class=w> </span>./server-cert.pem<span class=w> </span>--key<span class=w> </span>./server-key.pem`
			</code></pre></div> <ul> <li>Optional import CA-cert, Server-cert and Server-Key for TLS and Client-Auth</li> </ul> <div class=highlight><pre><span></span><code>kubectl<span class=w> </span>create<span class=w> </span>secret<span class=w> </span>generic<span class=w> </span>tls-and-auth<span class=w> </span>--from-file<span class=o>=</span>tls.crt<span class=o>=</span>./server-crt.pem<span class=w> </span>--from-file<span class=o>=</span>tls.key<span class=o>=</span>./server-key.pem<span class=w> </span>--from-file<span class=o>=</span>ca.crt<span class=o>=</span>./ca-cert.pem
			`</code></pre></div> <ul> <li>Optional import a CRL (Certificate Revocation List)</li> </ul> <div class=highlight><pre><span></span><code>kubectl<span class=w> </span>create<span class=w> </span>secret<span class=w> </span>generic<span class=w> </span>ca-secret<span class=w> </span>--from-file<span class=o>=</span>ca.crt<span class=o>=</span>./ca-cert.pem<span class=w> </span>--from-file<span class=o>=</span>ca.crl<span class=o>=</span>./ca-crl.pem`
			</code></pre></div> <h2 id=3-annotations-ingress-reference>3. Annotations / Ingress-Reference<a class=headerlink href=#3-annotations-ingress-reference title="Permanent link"> ¶</a></h2> <p>Now we are able to reference the created secrets in the ingress definition.</p> <p><img alt=📝 class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@14.1.2/assets/svg/1f4dd.svg title=:memo:> The CA Certificate "authentication" will be reference in annotations.</p> <table> <thead> <tr> <th>Annotation</th> <th>Description</th> <th>Remark</th> </tr> </thead> <tbody> <tr> <td>nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"</td> <td>Activate Client-Auth</td> <td>If "on", verify client Certificate</td> </tr> <tr> <td>nginx.ingress.kubernetes.io/auth-tls-secret: "namespace/ca-secret"</td> <td>CA "secret" reference</td> <td>Secret namespace and service / ingress namespace must match</td> </tr> <tr> <td>nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"</td> <td>CA "chain" depth</td> <td>How many CA levels should be processed</td> </tr> <tr> <td>nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"</td> <td>Pass Cert / Header</td> <td>Pass Certificate to Web-App for e.g. parsing Client E-Mail Address x.509 Property</td> </tr> </tbody> </table> <p><img alt=📝 class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@14.1.2/assets/svg/1f4dd.svg title=:memo:> The Server Certificate for transport layer will be referenced in tls .yaml subsection.</p> <div class=highlight><pre><span></span><code><span class=nt>tls</span><span class=p>:</span>
			`<span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class=nt>hosts</span><span class=p>:</span>`
			`<span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">mydomain.com</span>`
			`<span class=w> </span><span class=nt>secretName</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">tls-secret</span>`
			</code></pre></div> <h2 id=4-example-test>4. Example / Test<a class=headerlink href=#4-example-test title="Permanent link"> ¶</a></h2> <p>The working .yaml Example: <a href=ingress.yaml>ingress.yaml</a></p> <ul> <li>Test by performing a curl / wget against the Ingress Path without the Client Cert and expect a Status Code 400 (Bad Request - No required SSL certificate was sent).</li> <li>Test by performing a curl / wget against the Ingress Path with the Client Cert and expect a Status Code 200.</li> </ul> <div class=highlight><pre><span></span><code>wget<span class=w> </span><span class=se>\</span>
			`--ca-cert<span class=o>=</span>ca-cert.pem<span class=w> </span><span class=se>\</span>`
			`--certificate<span class=o>=</span>client-cert.pem<span class=w> </span><span class=se>\</span>`
			`--private-key<span class=o>=</span>client-key.pem<span class=w> </span><span class=se>\</span>`
			`https://mydomain.com`
			</code></pre></div> <h2 id=5-remarks>5. Remarks<a class=headerlink href=#5-remarks title="Permanent link"> ¶</a></h2> <table> <thead> <tr> <th><img alt=❗ class=twemoji src=https://cdn.jsdelivr.net/gh/jdecked/twemoji@14.1.2/assets/svg/2757.svg title=:exclamation:> In future releases, CN verification seems to be "replaced" by SAN (Subject Alternate Name) for verrification, so do not forget to add</th> </tr> </thead> <tbody> <tr> <td></td> </tr> </tbody> </table> <div class=highlight><pre><span></span><code>openssl<span class=w> </span>req<span class=w> </span>-addext<span class=w> </span><span class=s2>"subjectAltName = DNS:mydomain.com"</span><span class=w> </span>...
			</code></pre></div> </article> </div> </div> </main> <footer class=md-footer> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class=md-copyright> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a> </div> </div> </div> </footer> </div> <div class=md-dialog data-md-component=dialog> <div class="md-dialog__inner md-typeset"></div> </div> <script id=__config type=application/json>{"base": "../../..", "features": ["navigation.tabs", "navigation.tabs.sticky", "navigation.instant", "navigation.sections"], "search": "../../../assets/javascripts/workers/search.f886a092.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script> <script src=../../../assets/javascripts/bundle.aecac24b.min.js></script> </body> </html>