ingress-nginx-helm/examples/auth/client-certs/index.html

<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><link href=https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/ rel=canonical><link rel="shortcut icon" href=../../../assets/images/favicon.png><meta name=generator content="mkdocs-1.1.2, mkdocs-material-6.2.4"><title>Client Certificate Authentication - NGINX Ingress Controller</title><link rel=stylesheet href=../../../assets/stylesheets/main.15aa0b43.min.css><link rel=stylesheet href=../../../assets/stylesheets/palette.75751829.min.css><meta name=theme-color content=#009485><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback"><style>body,input{font-family:"Roboto",-apple-system,BlinkMacSystemFont,Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono",SFMono-Regular,Consolas,Menlo,monospace}</style><link rel=stylesheet href=../../../extra.css><script>window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)},ga.l=+new Date,ga("create","UA-118407822-1","kubernetes.github.io"),ga("set","anonymizeIp",!0),ga("send","pageview"),document.addEventListener("DOMContentLoaded",function(){document.forms.search&&document.forms.search.query.addEventListener("blur",function(){if(this.value){var e=document.location.pathname;ga("send","pageview",e+"?q="+this.value)}})}),document.addEventListener("DOMContentSwitch",function(){ga("send","pageview",document.location.pathname)})</script><script async src=https://www.google-analytics.com/analytics.js></script></head> <body dir=ltr data-md-color-scheme data-md-color-primary=teal data-md-color-accent=green> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#client-certificate-authentication class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <header class=md-header data-md-component=header> <nav class="md-header-nav md-grid" aria-label=Header> <a href=https://kubernetes.github.io/ingress-nginx title="NGINX Ingress Controller" class="md-header-nav__button md-logo" aria-label="NGINX Ingress Controller"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a3 3 0 003-3 3 3 0 00-3-3 3 3 0 00-3 3 3 3 0 003 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg> </a> <label class="md-header-nav__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg> </label> <div class=md-header-nav__title data-md-component=header-title> <div class=md-header-nav__ellipsis> <div class=md-header-nav__topic> <span class=md-ellipsis> NGINX Ingress Controller </span> </div> <div class=md-header-nav__topic> <span class=md-ellipsis> Client Certificate Authentication </span> </div> </div> </div> <label class="md-header-nav__button md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0116 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 019.5 16 6.5 6.5 0 013 9.5 6.5 6.5 0 019.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg> </label> <div class=md-search data-md-component=search role=dialog> <label class=md-search__overlay for=__search></label> <div class=md-search__inner role=search> <form class=md-search__form name=search> <input type=text class=md-search__input name=query aria-label=Search placeholder=Search autocapitalize=off autocorrect=off autocomplete=off spellcheck=false data-md-component=search-query data-md-state=active required> <label class="md-search__icon md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0116 9.5c0 1.61-.59 3.09-1.56 4.23l.27.
</code></pre></div> <p>Then, you can concatenate them all in only one file, named 'ca.crt' as the following:</p> <div class=highlight><pre><span></span><code>cat certificate1.crt certificate2.crt certificate3.crt &gt;&gt; ca.crt
</code></pre></div> <p><strong>Note:</strong> Make sure that the Key Size is greater than 1024 and Hashing Algorithm(Digest) is something better than md5 for each certificate generated. Otherwise you will receive an error.</p> <h2 id=creating-certificate-secrets>Creating Certificate Secrets<a class=headerlink href=#creating-certificate-secrets title="Permanent link"> ¶</a></h2> <p>There are many different ways of configuring your secrets to enable Client-Certificate Authentication to work properly.</p> <ol> <li> <p>You can create a secret containing just the CA certificate and another Secret containing the Server Certificate which is Signed by the CA.</p> <div class=highlight><pre><span></span><code>kubectl create secret generic ca-secret --from-file<span class=o>=</span>ca.crt<span class=o>=</span>ca.crt
kubectl create secret generic tls-secret --from-file<span class=o>=</span>tls.crt<span class=o>=</span>server.crt --from-file<span class=o>=</span>tls.key<span class=o>=</span>server.key
</code></pre></div> </li> <li> <p>You can create a secret containing CA certificate along with the Server Certificate, that can be used for both TLS and Client Auth.</p> <div class=highlight><pre><span></span><code>kubectl create secret generic ca-secret --from-file<span class=o>=</span>tls.crt<span class=o>=</span>server.crt --from-file<span class=o>=</span>tls.key<span class=o>=</span>server.key --from-file<span class=o>=</span>ca.crt<span class=o>=</span>ca.crt
</code></pre></div> </li> <li> <p>If you want to also enable Certificate Revocation List verification you can create the secret also containing the CRL file in PEM format: <div class=highlight><pre><span></span><code>kubectl create secret generic ca-secret --from-file<span class=o>=</span>ca.crt<span class=o>=</span>ca.crt --from-file<span class=o>=</span>ca.crl<span class=o>=</span>ca.crl
</code></pre></div></p> </li> </ol> <p>Note: The CA Certificate must contain the trusted certificate authority chain to verify client certificates.</p> <h2 id=setup-instructions>Setup Instructions<a class=headerlink href=#setup-instructions title="Permanent link"> ¶</a></h2> <ol> <li>Add the annotations as provided in the <a href=ingress.yaml>ingress.yaml</a> example to your own ingress resources as required.</li> <li>Test by performing a curl against the Ingress Path without the Client Cert and expect a Status Code 400.</li> <li>Test by performing a curl against the Ingress Path with the Client Cert and expect a Status Code 200.</li> </ol> </article> </div> </div> </main> <footer class=md-footer> <div class=md-footer-nav> <nav class="md-footer-nav__inner md-grid" aria-label=Footer> <a href=../basic/ class="md-footer-nav__link md-footer-nav__link--prev" rel=prev> <div class="md-footer-nav__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg> </div> <div class=md-footer-nav__title> <div class=md-ellipsis> <span class=md-footer-nav__direction> Previous </span> Basic Authentication </div> </div> </a> <a href=../external-auth/ class="md-footer-nav__link md-footer-nav__link--next" rel=next> <div class=md-footer-nav__title> <div class=md-ellipsis> <span class=md-footer-nav__direction> Next </span> External Basic Authentication </div> </div> <div class="md-footer-nav__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg> </div> </a> </nav> </div> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class=md-footer-copyright> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a> </div> </div> </div> </footer> </div> <script src=../../../assets/javascripts/vendor.93c04032.min.js></script> <script src=../../../assets/javascripts/bundle.83e5331e.min.js></script><script id=__lang type=application/json>{"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing"}</script> <script>
        app = initialize({
          base: "../../..",
          features: ['navigation.tabs', 'navigation.tabs.sticky', 'navigation.instant', 'navigation.sections'],
          search: Object.assign({
            worker: "../../../assets/javascripts/worker/search.8c7e0a7e.min.js"
          }, typeof search !== "undefined" && search)
        })
      </script> </body> </html>
Deploy GitHub Pages 2021-05-23 16:14:37 +00:00			<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><link href=https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/ rel=canonical><link rel="shortcut icon" href=../../../assets/images/favicon.png><meta name=generator content="mkdocs-1.1.2, mkdocs-material-6.2.4"><title>Client Certificate Authentication - NGINX Ingress Controller</title><link rel=stylesheet href=../../../assets/stylesheets/main.15aa0b43.min.css><link rel=stylesheet href=../../../assets/stylesheets/palette.75751829.min.css><meta name=theme-color content=#009485><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:300,400,400i,700%7CRoboto+Mono&display=fallback"><style>body,input{font-family:"Roboto",-apple-system,BlinkMacSystemFont,Helvetica,Arial,sans-serif}code,kbd,pre{font-family:"Roboto Mono",SFMono-Regular,Consolas,Menlo,monospace}</style><link rel=stylesheet href=../../../extra.css><script>window.ga=window.ga\|\|function(){(ga.q=ga.q\|\|[]).push(arguments)},ga.l=+new Date,ga("create","UA-118407822-1","kubernetes.github.io"),ga("set","anonymizeIp",!0),ga("send","pageview"),document.addEventListener("DOMContentLoaded",function(){document.forms.search&&document.forms.search.query.addEventListener("blur",function(){if(this.value){var e=document.location.pathname;ga("send","pageview",e+"?q="+this.value)}})}),document.addEventListener("DOMContentSwitch",function(){ga("send","pageview",document.location.pathname)})</script><script async src=https://www.google-analytics.com/analytics.js></script></head> <body dir=ltr data-md-color-scheme data-md-color-primary=teal data-md-color-accent=green> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#client-certificate-authentication class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <header class=md-header data-md-component=header> <nav class="md-header-nav md-grid" aria-label=Header> <a href=https://kubernetes.github.io/ingress-nginx title="NGINX Ingress Controller" class="md-header-nav__button md-logo" aria-label="NGINX Ingress Controller"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a3 3 0 003-3 3 3 0 00-3-3 3 3 0 00-3 3 3 3 0 003 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54z"/></svg> </a> <label class="md-header-nav__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2z"/></svg> </label> <div class=md-header-nav__title data-md-component=header-title> <div class=md-header-nav__ellipsis> <div class=md-header-nav__topic> <span class=md-ellipsis> NGINX Ingress Controller </span> </div> <div class=md-header-nav__topic> <span class=md-ellipsis> Client Certificate Authentication </span> </div> </div> </div> <label class="md-header-nav__button md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0116 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 019.5 16 6.5 6.5 0 013 9.5 6.5 6.5 0 019.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5z"/></svg> </label> <div class=md-search data-md-component=search role=dialog> <label class=md-search__overlay for=__search></label> <div class=md-search__inner role=search> <form class=md-search__form name=search> <input type=text class=md-search__input name=query aria-label=Search placeholder=Search autocapitalize=off autocorrect=off autocomplete=off spellcheck=false data-md-component=search-query data-md-state=active required> <label class="md-search__icon md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0116 9.5c0 1.61-.59 3.09-1.56 4.23l.27.
Deploy GitHub Pages 2021-01-11 15:59:14 +00:00			`</code></pre></div> <p>Then, you can concatenate them all in only one file, named 'ca.crt' as the following:</p> <div class=highlight><pre><span></span><code>cat certificate1.crt certificate2.crt certificate3.crt >> ca.crt`
			</code></pre></div> <p><strong>Note:</strong> Make sure that the Key Size is greater than 1024 and Hashing Algorithm(Digest) is something better than md5 for each certificate generated. Otherwise you will receive an error.</p> <h2 id=creating-certificate-secrets>Creating Certificate Secrets<a class=headerlink href=#creating-certificate-secrets title="Permanent link"> ¶</a></h2> <p>There are many different ways of configuring your secrets to enable Client-Certificate Authentication to work properly.</p> <ol> <li> <p>You can create a secret containing just the CA certificate and another Secret containing the Server Certificate which is Signed by the CA.</p> <div class=highlight><pre><span></span><code>kubectl create secret generic ca-secret --from-file<span class=o>=</span>ca.crt<span class=o>=</span>ca.crt
			`kubectl create secret generic tls-secret --from-file<span class=o>=</span>tls.crt<span class=o>=</span>server.crt --from-file<span class=o>=</span>tls.key<span class=o>=</span>server.key`
			`</code></pre></div> </li> <li> <p>You can create a secret containing CA certificate along with the Server Certificate, that can be used for both TLS and Client Auth.</p> <div class=highlight><pre><span></span><code>kubectl create secret generic ca-secret --from-file<span class=o>=</span>tls.crt<span class=o>=</span>server.crt --from-file<span class=o>=</span>tls.key<span class=o>=</span>server.key --from-file<span class=o>=</span>ca.crt<span class=o>=</span>ca.crt`
			`</code></pre></div> </li> <li> <p>If you want to also enable Certificate Revocation List verification you can create the secret also containing the CRL file in PEM format: <div class=highlight><pre><span></span><code>kubectl create secret generic ca-secret --from-file<span class=o>=</span>ca.crt<span class=o>=</span>ca.crt --from-file<span class=o>=</span>ca.crl<span class=o>=</span>ca.crl`
			</code></pre></div></p> </li> </ol> <p>Note: The CA Certificate must contain the trusted certificate authority chain to verify client certificates.</p> <h2 id=setup-instructions>Setup Instructions<a class=headerlink href=#setup-instructions title="Permanent link"> ¶</a></h2> <ol> <li>Add the annotations as provided in the <a href=ingress.yaml>ingress.yaml</a> example to your own ingress resources as required.</li> <li>Test by performing a curl against the Ingress Path without the Client Cert and expect a Status Code 400.</li> <li>Test by performing a curl against the Ingress Path with the Client Cert and expect a Status Code 200.</li> </ol> </article> </div> </div> </main> <footer class=md-footer> <div class=md-footer-nav> <nav class="md-footer-nav__inner md-grid" aria-label=Footer> <a href=../basic/ class="md-footer-nav__link md-footer-nav__link--prev" rel=prev> <div class="md-footer-nav__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12z"/></svg> </div> <div class=md-footer-nav__title> <div class=md-ellipsis> <span class=md-footer-nav__direction> Previous </span> Basic Authentication </div> </div> </a> <a href=../external-auth/ class="md-footer-nav__link md-footer-nav__link--next" rel=next> <div class=md-footer-nav__title> <div class=md-ellipsis> <span class=md-footer-nav__direction> Next </span> External Basic Authentication </div> </div> <div class="md-footer-nav__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4z"/></svg> </div> </a> </nav> </div> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class=md-footer-copyright> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a> </div> </div> </div> </footer> </div> <script src=../../../assets/javascripts/vendor.93c04032.min.js></script> <script src=../../../assets/javascripts/bundle.83e5331e.min.js></script><script id=__lang type=application/json>{"clipboard.copy": "Copy to clipboard", "clipboard.copied": "Copied to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.placeholder": "Type to start searching", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.term.missing": "Missing"}</script> <script>
Deploy GitHub Pages 2020-04-15 17:09:38 +00:00			`app = initialize({`
			`base: "../../..",`
Deploy GitHub Pages 2021-01-11 15:59:14 +00:00			`features: ['navigation.tabs', 'navigation.tabs.sticky', 'navigation.instant', 'navigation.sections'],`
Deploy GitHub Pages 2020-04-15 17:09:38 +00:00			`search: Object.assign({`
Deploy GitHub Pages 2021-01-11 15:59:14 +00:00			`worker: "../../../assets/javascripts/worker/search.8c7e0a7e.min.js"`
Deploy GitHub Pages 2020-04-15 17:09:38 +00:00			`}, typeof search !== "undefined" && search)`
			`})`
Deploy GitHub Pages 2021-01-11 15:59:14 +00:00			`</script> </body> </html>`