DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Cleanup examples directory

Browse source
This commit is contained in:
Manuel de Brito Fontes 2017-10-07 18:29:41 -03:00
parent 7ffa0ae265
commit 094e9ba6f9
103 changed files with 95 additions and 1557 deletions
Download patch file Download diff file Expand all files Collapse all files

0
examples/auth/basic/nginx/README.md → examples/auth/basic/README.md
View file

99
examples/auth/basic/haproxy/README.md
View file

@ -1,99 +0,0 @@
# HAProxy Ingress Basic Authentication
This example demonstrates how to configure
[Basic Authentication](https://tools.ietf.org/html/rfc2617) on
HAProxy Ingress controller.
## Prerequisites
This document has the following prerequisites:
* Deploy [HAProxy Ingress controller](/examples/deployment/haproxy), you should
end up with controller, a sample web app and an ingress resource to the `foo.bar`
domain
## Using Basic Authentication
HAProxy Ingress read user and password from `auth` file stored on secrets, one user
and password per line. Secret name, realm and type are configured with annotations
in the ingress resource:
* `ingress.kubernetes.io/auth-type`: the only supported type is `basic`
* `ingress.kubernetes.io/auth-realm`: an optional string with authentication realm
* `ingress.kubernetes.io/auth-secret`: name of the secret
Each line of the `auth` file should have:
* user and insecure password separated with a pair of colons: `<username>::<plain-text-passwd>`; or
* user and an encrypted password separated with colons: `<username>:<encrypted-passwd>`
HAProxy evaluates encrypted passwords with
[crypt](http://man7.org/linux/man-pages/man3/crypt.3.html) function. Use `mkpasswd` or
`makepasswd` to create it. `mkpasswd` can be found on Alpine Linux container.
## Configure
Create a secret to our users:
* `john` and password `admin` using insecure plain text password
* `jane` and password `guest` using encrypted password
```console
$ mkpasswd -m des ## a short, des encryption, syntax from Busybox on Alpine Linux
Password: (type 'guest' and press Enter)
E5BrlrQ5IXYK2
$ cat >auth <<EOF
john::admin
jane:E5BrlrQ5IXYK2
EOF
$ kubectl create secret generic mypasswd --from-file auth
$ rm -fv auth
```
Annotate the ingress resource created on a [previous step](/examples/deployment/haproxy):
```console
$ kubectl annotate ingress/app \
ingress.kubernetes.io/auth-type=basic \
ingress.kubernetes.io/auth-realm="My Server" \
ingress.kubernetes.io/auth-secret=mypasswd
```
Test without user and password:
```console
$ curl -i 172.17.4.99:30876 -H 'Host: foo.bar'
HTTP/1.0 401 Unauthorized
Cache-Control: no-cache
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="My Server"
<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>
```
Send a valid user:
```console
$ curl -i -u 'john:admin' 172.17.4.99:30876 -H 'Host: foo.bar'
HTTP/1.1 200 OK
Server: nginx/1.9.11
Date: Sun, 05 Mar 2017 19:22:33 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
CLIENT VALUES:
client_address=10.2.18.5
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://foo.bar:8080/
```
Using `jane:guest` user/passwd should have the same output.

178
examples/auth/client-certs/haproxy/README.md
View file

@ -1,178 +0,0 @@
# HAProxy Ingress Client Certificate Authentication
This example demonstrates how to configure client certificate
authentication on HAProxy Ingress controller.
## Prerequisites
This document has the following prerequisites:
* Deploy [HAProxy Ingress](/examples/deployment/haproxy) controller, you should
end up with controller, a sample web app and an ingress resource named `app` to
the `foo.bar` domain
* Configure [TLS termination](/examples/tls-termination/haproxy)
* Create a [CA, certificate and private key](/examples/PREREQUISITES.md#ca-authentication),
following these steps you should have a secret named `caingress`, a certificate file
`client.crt` and it's private key `client.key`
* Use these same steps and create another CA and generate another certificate and private
key `fake.crt` and `fake.key` just for testing
Secret, certificates and keys can be created using these shortcuts:
CA and it's secret:
```console
$ openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example-ca' -keyout ca.key -out ca.crt
$ kubectl create secret generic caingress --from-file=ca.crt
```
Valid certificate and private key:
```console
$ openssl req -new -newkey rsa:2048 -nodes -subj '/CN=client' -keyout client.key | \
openssl x509 -req -CA ca.crt -CAkey ca.key -set_serial 1 -out client.crt
```
Another CA, certificate and private key that should be refused by ingress:
```console
$ openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=example-ca' -keyout ca-fake.key -out ca-fake.crt
$ openssl req -new -newkey rsa:2048 -nodes -subj '/CN=client' -keyout fake.key | \
openssl x509 -req -CA ca-fake.crt -CAkey ca-fake.key -set_serial 1 -out fake.crt
```
## Using Client Certificate Authentication
HAProxy Ingress read one or a bundle of certificate authorities from a secret.
Only client certificates signed by one of these certificate authorities should be
allowed to make requests.
Annotate the ingress resource to use our valid certificate authority. The ingress resource and the
secret `caingress` were created on the prerequisites.
```console
$ kubectl annotate ingress/app ingress.kubernetes.io/auth-tls-secret=default/caingress
```
Make some SSL requests against domain `foo.bar`. Change `31692:172.17.4.99` below to the IP and
port of HAProxy Ingress controller.
Note: `curl`'s `--cert` and `-k` options on macOS (since 10.9 Mavericks) doesn't work as
expected, see troubleshooting below if using macOS.
Connect without a certificate:
```console
$ curl -ik https://foo.bar:31692 --resolve 'foo.bar:31692:172.17.4.99'
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
```
Connect using the correct certificate and private key:
```console
$ curl -ik https://foo.bar:31692 --resolve 'foo.bar:31692:172.17.4.99' --cert client.crt --key client.key
HTTP/1.1 200 OK
Server: nginx/1.9.11
Date: Fri, 26 Mar 2017 13:41:26 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=15768000
CLIENT VALUES:
...
```
Now connect using a private key and certificate signed by another CA:
```console
$ curl -ik https://foo.bar:31692 --resolve 'foo.bar:31692:172.17.4.99' --cert fake.crt --key fake.key
curl: (35) error:1409441B:SSL routines:ssl3_read_bytes:tlsv1 alert decrypt error
```
## Troubleshooting
`curl` on macOS since 10.9 Mavericks has some issues regarding certificate on command line
parameters:
* [sni](https://en.wikipedia.org/wiki/Server_Name_Indication) TLS extension isn't used
if `-k` (unsecure connection) is provided. The sni extension is used by HAProxy to identify
the host of the request. Without sni, the default backend will be used. The TLS
certificate should be added to Keychain instead and `-k` should be avoided.
* `--cert` option is broken.
These issues and it's workarounds are described on
[this message](https://curl.haxx.se/mail/archive-2013-10/0036.html) from curl mailing list.
In short, in order to test client auth use a Linux VM or the options below on macOS.
### Using wget
Add `foo.bar` to `/etc/hosts` and change `31692` below to the
port of HAProxy Ingress controller:
```console
$ wget https://foo.bar:31692 -S -nv -O- --no-check-certificate
OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Unable to establish SSL connection.
```
Now with certificate and private key:
```console
$ wget https://foo.bar:31692 -S -nv -O- --no-check-certificate --certificate client.crt --private-key client.key
WARNING: cannot verify foo.bar's certificate, issued by /CN=foo.bar:
Self-signed certificate encountered.
HTTP/1.1 200 OK
Server: nginx/1.9.11
Date: Sun, 26 Mar 2017 13:57:53 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=15768000
CLIENT VALUES:
```
### Using openssl
Change `31692` below to the port of HAProxy Ingress controller:
```console
$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
CONNECTED(00000003)
depth=0 /CN=foo.bar
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=foo.bar
verify return:1
91929:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s3_pkt.c:1145:SSL alert number 40
91929:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_lib.c:185:
```
Now with certificate and private key - copy these two lines to the clipboard
(HAProxy will timeout after 5 seconds waiting a http request):
```
GET / HTTP/1.0
Host: foo.bar
```
Type the command below, paste the http request (two lines above) and send a blank line
pressing enter twice:
```console
$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar -cert client.crt -key client.key
...
---
GET / HTTP/1.0
Host: foo.bar
HTTP/1.1 200 OK
Server: nginx/1.9.11
Date: Sun, 26 Mar 2017 14:06:30 GMT
Content-Type: text/plain
Content-Length: 268
Connection: close
Strict-Transport-Security: max-age=15768000
CLIENT VALUES:
...
```

0
examples/auth/client-certs/nginx/nginx-tls-auth.yaml → examples/auth/client-certs/nginx-tls-auth.yaml
View file

89
examples/auth/client-certs/nginx/README.md
View file

@ -1,89 +0,0 @@
# TLS authentication
This example demonstrates how to enable the TLS Authentication through the nginx Ingress controller.
## Terminology
* CA: Certificate authority signing the client cert, in this example we will play the role of a CA.
You can generate a CA cert as shown in this doc.
* CA Certificate(s) - Certificate Authority public key. Client certs must chain back to this cert,
meaning the Issuer field of some certificate in the chain leading up to the client cert must contain
the name of this CA. For purposes of this example, this is a self signed certificate.
* CA chains: A chain of certificates where the parent has a Subject field matching the Issuer field of
the child, except for the root, which has Issuer == Subject.
* Client Cert: Certificate used by the clients to authenticate themselves with the loadbalancer/backends.
## Prerequisites
You need a valid CA File, composed of a group of valid enabled CAs. This MUST be in PEM Format.
The instructions are described [here](../../../PREREQUISITES.md)
Also your ingress must be configured as a HTTPS/TLS Ingress.
## Deployment
Certificate Authentication is achieved through 2 annotations on the Ingress, as shown in the [example](nginx-tls-auth.yaml).
|Name|Description|Values|
| --- | --- | --- |
|ingress.kubernetes.io/auth-tls-secret|Sets the secret that contains the authorized CA Chain|string|
|ingress.kubernetes.io/auth-tls-verify-depth|The verification depth Certificate Authentication will make|number (default to 1)|
|ingress.kubernetes.io/auth-tls-verify-client|Enables verification of client certificates|string (default to on)|
|ingress.kubernetes.io/auth-tls-error-page|The page that user should be redirected in case of Auth error|string (default to empty|
The following command instructs the controller to enable TLS authentication using the secret from the ``ingress.kubernetes.io/auth-tls-secret``
annotation on the Ingress. Clients must present this cert to the loadbalancer, or they will receive a HTTP 400 response
```console
$ kubectl create -f nginx-tls-auth.yaml
```
## Validation
You can confirm that the Ingress works.
```console
$ kubectl describe ing nginx-test
Name: nginx-test
Namespace: default
Address: 104.198.183.6
Default backend: default-http-backend:80 (10.180.0.4:8080,10.240.0.2:8080)
TLS: tls-secret terminates ingress.test.com
Rules:
Host Path Backends
---- ---- --------
*
http-svc:80 (<none>)
Annotations:
auth-tls-secret: default/caingress
auth-tls-verify-depth: 3
auth-tls-error-page: http://www.mysite.com/error-cert.html
Events:
FirstSeen LastSeen Count From SubObjectPath Type Reason Message
--------- -------- ----- ---- ------------- -------- ------ -------
7s 7s 1 {nginx-ingress-controller } Normal CREATE default/nginx-test
7s 7s 1 {nginx-ingress-controller } Normal UPDATE default/nginx-test
7s 7s 1 {nginx-ingress-controller } Normal CREATE ip: 104.198.183.6
7s 7s 1 {nginx-ingress-controller } Warning MAPPING Ingress rule 'default/nginx-test' contains no path definition. Assuming /
$ curl -k https://ingress.test.com
HTTP/1.1 400 Bad Request
Server: nginx/1.11.9
$ curl -I -k --key ~/user.key --cert ~/user.cer https://ingress.test.com
HTTP/1.1 200 OK
Server: nginx/1.11.9
```
You must use the full DNS name while testing, as NGINX relies on the Server Name (SNI) to select the correct Ingress to be used.
The curl version used here was ``curl 7.47.0``
## Which certificate was used for authentication?
In your backend application you might want to know which certificate was used for authentication.
For this purpose, we pass the full certificate in PEM format to the backend in the `ssl-client-cert` header.

0
examples/auth/external-auth/nginx/README.md → examples/auth/external-auth/README.md
View file

0
examples/auth/external-auth/nginx/ingress.yaml → examples/auth/external-auth/ingress.yaml
View file