DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix CA certificate example docs

Browse source
This commit is contained in:
Manuel Alejandro de Brito Fontes 2019-04-08 08:35:34 -04:00
parent 4efe549502
commit d589fb485a
No known key found for this signature in database
GPG key ID: 786136016A8BA02A
3 changed files with 33 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

22
docs/examples/auth/client-certs/README.md
View file

@ -7,15 +7,18 @@ Before getting started you must have the following Certificates Setup:
2. Server Certificate(Signed by CA) and Key (CN should be equal the hostname you will use)
3. Client Certificate(Signed by CA) and Key
For more details on the generation process, checkout the Prerequisite [docs](../../PREREQUISITES.md).
For more details on the generation process, checkout the Prerequisite [docs](../../PREREQUISITES.md#client-certificate-authentication).
You can have as many certificates as you want. If they're in the binary DER format, you can convert them as the following:
```bash
$ openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
```
Then, you can concatenate them all in only one file, named 'ca.crt' as the following:
```bash
$ cat certificate1.crt certificate2.crt certificate3.crt >> ca.crt
cat certificate1.crt certificate2.crt certificate3.crt >> ca.crt
```
**Note:** Make sure that the Key Size is greater than 1024 and Hashing Algorithm(Digest) is something better than md5
@ -28,22 +31,23 @@ Authentication to work properly.
1. You can create a secret containing just the CA certificate and another
Secret containing the Server Certificate which is Signed by the CA.
```bash
$ kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt
$ kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key
kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt
kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key
```
2. You can create a secret containing CA certificate along with the Server
Certificate, that can be used for both TLS and Client Auth.
```bash
$ kubectl create secret generic ca-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
kubectl create secret generic ca-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
```
Note: The CA Certificate must contain the trusted certificate authority chain to verify client certificates.
## Setup Instructions
1. Add the annotations as provided in the [ingress.yaml](ingress.yaml) example to your own ingress resources as required.
2. Test by performing a curl against the Ingress Path without the Client Cert and expect a Status Code 400.
3. Test by performing a curl against the Ingress Path with the Client Cert and expect a Status Code 200.

9
docs/examples/auth/client-certs/ingress.yaml
View file

@ -11,20 +11,19 @@ metadata:
# Specify an error page to be redirected to verification errors
nginx.ingress.kubernetes.io/auth-tls-error-page: "http://www.mysite.com/error-cert.html"
# Specify if certificates are passed to upstream server
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "false"
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
name: nginx-test
namespace: default
spec:
rules:
- host: ingress.test.com
- host: mydomain.com
http:
paths:
- backend:
serviceName: http-svc:80
serviceName: http-svc
servicePort: 80
path: /
tls:
- hosts:
- ingress.test.com
- mydomain.com
secretName: tls-secret