DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Deploy GitHub Pages

Browse source
This commit is contained in:
Travis Bot 2018-12-18 21:16:16 +00:00
parent d75367b4e8
commit 4de80b6e8c
15 changed files with 296 additions and 399 deletions
Download patch file Download diff file Expand all files Collapse all files

156
examples/PREREQUISITES/index.html
View file

@ -801,37 +801,10 @@
</li>
<li class="md-nav__item">
<a href="#ca-authentication" title="CA Authentication" class="md-nav__link">
CA Authentication
<a href="#client-certificate-authentication" title="Client Certificate Authentication" class="md-nav__link">
Client Certificate Authentication
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#generating-a-ca" title="Generating a CA" class="md-nav__link">
Generating a CA
</a>
</li>
<li class="md-nav__item">
<a href="#generating-the-client-certificate" title="Generating the client certificate" class="md-nav__link">
Generating the client certificate
</a>
</li>
<li class="md-nav__item">
<a href="#creating-the-ca-authentication-secret" title="Creating the CA Authentication secret" class="md-nav__link">
Creating the CA Authentication secret
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
@ -1149,37 +1122,10 @@
</li>
<li class="md-nav__item">
<a href="#ca-authentication" title="CA Authentication" class="md-nav__link">
CA Authentication
<a href="#client-certificate-authentication" title="Client Certificate Authentication" class="md-nav__link">
Client Certificate Authentication
</a>
<nav class="md-nav">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#generating-a-ca" title="Generating a CA" class="md-nav__link">
Generating a CA
</a>
</li>
<li class="md-nav__item">
<a href="#generating-the-client-certificate" title="Generating the client certificate" class="md-nav__link">
Generating the client certificate
</a>
</li>
<li class="md-nav__item">
<a href="#creating-the-ca-authentication-secret" title="Creating the CA Authentication secret" class="md-nav__link">
Creating the CA Authentication secret
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
@ -1213,7 +1159,7 @@
<h2 id="tls-certificates">TLS certificates<a class="headerlink" href="#tls-certificates" title="Permanent link">&para;</a></h2>
<p>Unless otherwise mentioned, the TLS secret used in examples is a 2048 bit RSA
key/cert pair with an arbitrarily chosen hostname, created as follows</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl req -x509 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout tls.key -out tls.crt -subj <span class="s2">&quot;/CN=nginxsvc/O=nginxsvc&quot;</span>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl req -x509 -sha256 -nodes -days <span class="m">365</span> -newkey rsa:2048 -keyout tls.key -out tls.crt -subj <span class="s2">&quot;/CN=nginxsvc/O=nginxsvc&quot;</span>
<span class="go">Generating a 2048 bit RSA private key</span>
<span class="go">................+++</span>
<span class="go">................+++</span>
@ -1224,81 +1170,23 @@ key/cert pair with an arbitrarily chosen hostname, created as follows</p>
<span class="go">secret &quot;tls-secret&quot; created</span>
</pre></div>
<h2 id="ca-authentication">CA Authentication<a class="headerlink" href="#ca-authentication" title="Permanent link">&para;</a></h2>
<p>You can act as your very own CA, or use an existing one. As an exercise / learning, we're going to generate our
own CA, and also generate a client certificate.</p>
<p>These instructions are based on CoreOS OpenSSL. <a href="https://coreos.com/kubernetes/docs/latest/openssl.html">See live doc.</a></p>
<h3 id="generating-a-ca">Generating a CA<a class="headerlink" href="#generating-a-ca" title="Permanent link">&para;</a></h3>
<p>First of all, you've to generate a CA. This is going to be the one who will sign your client certificates.
In real production world, you may face CAs with intermediate certificates, as the following:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl s_client -connect www.google.com:443
<span class="go">[...]</span>
<span class="go">---</span>
<span class="go">Certificate chain</span>
<span class="go"> 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com</span>
<span class="go"> i:/C=US/O=Google Inc/CN=Google Internet Authority G2</span>
<span class="go"> 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2</span>
<span class="go"> i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA</span>
<span class="go"> 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA</span>
<span class="go"> i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority</span>
</pre></div>
<p>To generate our CA Certificate, we've to run the following commands:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out ca.key <span class="m">2048</span>
<span class="gp">$</span> openssl req -x509 -new -nodes -key ca.key -days <span class="m">10000</span> -out ca.crt -subj <span class="s2">&quot;/CN=example-ca&quot;</span>
</pre></div>
<p>This will generate two files: A private key (ca.key) and a public key (ca.crt). This CA is valid for 10000 days.
The ca.crt can be used later in the step of creation of CA authentication secret.</p>
<h3 id="generating-the-client-certificate">Generating the client certificate<a class="headerlink" href="#generating-the-client-certificate" title="Permanent link">&para;</a></h3>
<p>The following steps generate a client certificate signed by the CA generated above. This client can be
used to authenticate in a tls-auth configured ingress.</p>
<p>First, we need to generate an 'openssl.cnf' file that will be used while signing the keys:</p>
<div class="codehilite"><pre><span></span><span class="go">[req]</span>
<span class="go">req_extensions = v3_req</span>
<span class="go">distinguished_name = req_distinguished_name</span>
<span class="go">[req_distinguished_name]</span>
<span class="go">[ v3_req ]</span>
<span class="go">basicConstraints = CA:FALSE</span>
<span class="go">keyUsage = nonRepudiation, digitalSignature, keyEncipherment</span>
</pre></div>
<p>Then, a user generates his very own private key (that he needs to keep secret)
and a CSR (Certificate Signing Request) that will be sent to the CA to sign and generate a certificate.</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl genrsa -out client1.key <span class="m">2048</span>
<span class="gp">$</span> openssl req -new -key client1.key -out client1.csr -subj <span class="s2">&quot;/CN=client1&quot;</span> -config openssl.cnf
</pre></div>
<p>As the CA receives the generated 'client1.csr' file, it signs it and generates a client.crt certificate:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days <span class="m">365</span> -extensions v3_req -extfile openssl.cnf
</pre></div>
<p>Then, you'll have 3 files: the client.key (user's private key), client.crt (user's public key) and client.csr (disposable CSR).</p>
<h3 id="creating-the-ca-authentication-secret">Creating the CA Authentication secret<a class="headerlink" href="#creating-the-ca-authentication-secret" title="Permanent link">&para;</a></h3>
<p>If you're using the CA Authentication feature, you need to generate a secret containing
all the authorized CAs. You must download them from your CA site in PEM format (like the following):</p>
<div class="codehilite"><pre><span></span>-----BEGIN CERTIFICATE-----
[....]
-----END CERTIFICATE-----
</pre></div>
<p>You can have as many certificates as you want. If they're in the binary DER format,
you can convert them as the following:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
</pre></div>
<p>Then, you've to concatenate them all in only one file, named 'ca.crt' as the following:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> cat certificate1.crt certificate2.crt certificate3.crt &gt;&gt; ca.crt
</pre></div>
<p>The final step is to create a secret with the content of this file. This secret is going to be used in
the TLS Auth directive:</p>
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt;
</pre></div>
<p><strong>Note:</strong> You can also generate the CA Authentication Secret along with the TLS Secret by using:
<div class="codehilite"><pre><span></span><span class="gp">$</span> kubectl create secret generic caingress --namespace<span class="o">=</span>default --from-file<span class="o">=</span>ca.crt<span class="o">=</span>&lt;ca.crt&gt; --from-file<span class="o">=</span>tls.crt<span class="o">=</span>&lt;tls.crt&gt; --from-file<span class="o">=</span>tls.key<span class="o">=</span>&lt;tls.key&gt;
</pre></div></p>
<p>Note: If using CA Authentication, described below, you will need to sign the server certificate with the CA.</p>
<h2 id="client-certificate-authentication">Client Certificate Authentication<a class="headerlink" href="#client-certificate-authentication" title="Permanent link">&para;</a></h2>
<p>CA Authentication also known as Mutual Authentication allows both the server and client to verify each others
identity via a common CA. </p>
<p>We have a CA Certificate which we obtain usually from a Certificate Authority and use that to sign
both our server certificate and client certificate. Then every time we want to access our backend, we must
pass the client certificate.</p>
<p>These instructions are based on the following <a href="https://medium.com/@awkwardferny/configuring-certificate-based-mutual-authentication-with-kubernetes-ingress-nginx-20e7e38fdfca">blog</a></p>
<p><strong>Generate the CA Key and Certificate:</strong>
$ openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 356 -nodes -subj '/CN=My Cert Authority'</p>
<p><strong>Generate the Server Key, and Certificate and Sign with the CA Certificate:</strong>
$ openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=mydomain.com'
$ openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt</p>
<p><strong>Generate the Client Key, and Certificate and Sign with the CA Certificate:</strong>
$ openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=My Client'
$ openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt</p>
<p>Once this is complete you can continue to follow the instructions <a href="../auth/client-certs/">here</a></p>
<h2 id="test-http-service">Test HTTP Service<a class="headerlink" href="#test-http-service" title="Permanent link">&para;</a></h2>
<p>All examples that require a test HTTP Service use the standard http-svc pod,
which you can deploy as follows</p>

9
examples/auth/client-certs/index.html
View file

@ -1150,6 +1150,15 @@ Before getting started you must have the following Certificates Setup:</p>
<li>Server Certificate(Signed by CA) and Key (CN should be equal the hostname you will use)</li>
<li>Client Certificate(Signed by CA) and Key</li>
</ol>
<p>For more details on the generation process, checkout the Prerequisite <a href="../../PREREQUISITES/">docs</a>.</p>
<p>You can have as many certificates as you want. If they're in the binary DER format, you can convert them as the following:
<div class="codehilite"><pre><span></span>$ openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
</pre></div>
Then, you can concatenate them all in only one file, named 'ca.crt' as the following:
<div class="codehilite"><pre><span></span>$ cat certificate1.crt certificate2.crt certificate3.crt &gt;&gt; ca.crt
</pre></div></p>
<p><strong>Note:</strong> Make sure that the Key Size is greater than 1024 and Hashing Algorithm(Digest) is something better than md5
for each certificate generated. Otherwise you will receive an error.</p>
<h2 id="creating-certificate-secrets">Creating Certificate Secrets<a class="headerlink" href="#creating-certificate-secrets" title="Permanent link">&para;</a></h2>
<p>There are many different ways of configuring your secrets to enable Client-Certificate
Authentication to work properly.</p>

10
examples/auth/oauth-external-auth/index.html
View file

@ -1198,11 +1198,11 @@ authenticate against the first Ingress's endpoint, and can redirect <code class=
same endpoint.</p>
<p>Sample:</p>
<div class="codehilite"><pre><span></span><span class="nn">...</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">application</span>
<span class="l l-Scalar l-Scalar-Plain">annotations</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/auth-url</span><span class="p p-Indicator">:</span> <span class="s">&quot;https://$host/oauth2/auth&quot;</span>
<span class="l l-Scalar l-Scalar-Plain">nginx.ingress.kubernetes.io/auth-signin</span><span class="p p-Indicator">:</span> <span class="s">&quot;https://$host/oauth2/start?rd=$escaped_request_uri&quot;</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">application</span>
<span class="nt">annotations</span><span class="p">:</span>
<span class="nt">nginx.ingress.kubernetes.io/auth-url</span><span class="p">:</span> <span class="s">&quot;https://$host/oauth2/auth&quot;</span>
<span class="nt">nginx.ingress.kubernetes.io/auth-signin</span><span class="p">:</span> <span class="s">&quot;https://$host/oauth2/start?rd=$escaped_request_uri&quot;</span>
<span class="nn">...</span>
</pre></div>

32
examples/tls-termination/index.html
View file

@ -1160,26 +1160,26 @@
<p>You need a <a href="../PREREQUISITES/#tls-certificates">TLS cert</a> and a <a href="../PREREQUISITES/#test-http-service">test HTTP service</a> for this example.</p>
<h2 id="deployment">Deployment<a class="headerlink" href="#deployment" title="Permanent link">&para;</a></h2>
<p>Create a <code class="codehilite">values.yaml</code> file.</p>
<div class="codehilite"><pre><span></span><span class="l l-Scalar l-Scalar-Plain">apiVersion</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span>
<span class="l l-Scalar l-Scalar-Plain">kind</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">Ingress</span>
<span class="l l-Scalar l-Scalar-Plain">metadata</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">name</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">nginx-test</span>
<span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">tls</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">hosts</span><span class="p p-Indicator">:</span>
<div class="codehilite"><pre><span></span><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">extensions/v1beta1</span>
<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Ingress</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">nginx-test</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="nt">tls</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">hosts</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">foo.bar.com</span>
<span class="c1"># This assumes tls-secret exists and the SSL </span>
<span class="c1"># certificate contains a CN for foo.bar.com</span>
<span class="l l-Scalar l-Scalar-Plain">secretName</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">tls-secret</span>
<span class="l l-Scalar l-Scalar-Plain">rules</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">host</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">foo.bar.com</span>
<span class="l l-Scalar l-Scalar-Plain">http</span><span class="p p-Indicator">:</span>
<span class="l l-Scalar l-Scalar-Plain">paths</span><span class="p p-Indicator">:</span>
<span class="p p-Indicator">-</span> <span class="l l-Scalar l-Scalar-Plain">path</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">/</span>
<span class="l l-Scalar l-Scalar-Plain">backend</span><span class="p p-Indicator">:</span>
<span class="nt">secretName</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">tls-secret</span>
<span class="nt">rules</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">host</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">foo.bar.com</span>
<span class="nt">http</span><span class="p">:</span>
<span class="nt">paths</span><span class="p">:</span>
<span class="p p-Indicator">-</span> <span class="nt">path</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">/</span>
<span class="nt">backend</span><span class="p">:</span>
<span class="c1"># This assumes http-svc exists and routes to healthy endpoints</span>
<span class="l l-Scalar l-Scalar-Plain">serviceName</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">http-svc</span>
<span class="l l-Scalar l-Scalar-Plain">servicePort</span><span class="p p-Indicator">:</span> <span class="l l-Scalar l-Scalar-Plain">80</span>
<span class="nt">serviceName</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">http-svc</span>
<span class="nt">servicePort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">80</span>
</pre></div>
<p>The following command instructs the controller to terminate traffic using the provided