configurable ssl_verify_client

controllers/nginx/configuration.md

@@ -47,6 +47,7 @@ The following annotations are supported:
 |[ingress.kubernetes.io/auth-url](#external-authentication)|string|
 |[ingress.kubernetes.io/auth-tls-secret](#certificate-authentication)|string|
 |[ingress.kubernetes.io/auth-tls-verify-depth](#certificate-authentication)|number|
+|[ingress.kubernetes.io/auth-tls-verify-client](#certificate-authentication)|string|
 |[ingress.kubernetes.io/auth-tls-error-page](#certificate-authentication)|string|
 |[ingress.kubernetes.io/base-url-scheme](#rewrite)|string|
 |[ingress.kubernetes.io/client-body-buffer-size](#client-body-buffer-size)|string|
@@ -155,6 +156,12 @@ ingress.kubernetes.io/auth-tls-verify-depth
 
 The validation depth between the provided client certificate and the Certification Authority chain.
 
+```
+ingress.kubernetes.io/auth-tls-verify-client
+```
+
+Enables verification of client certificates.
+
 ```
 ingress.kubernetes.io/auth-tls-error-page
 ```

controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl

@@ -636,7 +636,7 @@ stream {
         {{ if not (empty $server.CertificateAuth.CAFileName) }}
         # PEM sha: {{ $server.CertificateAuth.PemSHA }}
         ssl_client_certificate                  {{ $server.CertificateAuth.CAFileName }};
-        ssl_verify_client                       on;
+        ssl_verify_client                       {{ $server.CertificateAuth.VerifyClient }};
         ssl_verify_depth                        {{ $server.CertificateAuth.ValidationDepth }};
         {{ if not (empty $server.CertificateAuth.ErrorPage)}}
         error_page 495 496 = {{ $server.CertificateAuth.ErrorPage }};