Update Documentation for Client-Cert Authentication misleading #10687 #10705
Conversation
Update / restructure "Client Cert Authentication" Documentation sub-section
✅ Deploy Preview for kubernetes-ingress-nginx ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-triage
|
Welcome @clauspruefer! |
k8s-ci-robot
added
area/docs
needs-kind
|
Hi @clauspruefer. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
cncf-cla: no
k8s-ci-robot
added
the
do-not-merge/work-in-progress
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
Add openssl subjectAltName and remark for future releases.
Moved subjectAltName to new topic "Remarks", i think it is not annotation / ingress related
|
Sorry, currently the client-auth doc did not contain wrong information, it just was a bit misleading. |
clauspruefer
changed the title
Typo
|
Currently verified working in End2End test (including whitelist filtering): Cert Generationkubectl -n spx-test create secret generic ca-spxcomserver-spx-webui-test-tls-cert --from-file=ca.crt=./ca-cert.pem --from-file=tls.crt=./server-cert.pem --from-file=tls.key=./server-key.pem
kubectl create secret tls spxcomserver-spx-webui-test-tls-cert --cert ./server-cert.pem --key ./server-key.pemIngress DefinitionapiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
nginx.ingress.kubernetes.io/auth-tls-secret: spx-test/ca-spxcomserver-spx-webui-test-tls-cert
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/whitelist-source-range: x.x.x.x/32
creationTimestamp: "2023-11-30T12:53:58Z"
generation: 1
name: spxcomserver-spx-webui-test-tls-ingress
namespace: spx-test
resourceVersion: "4939686"
uid: 98d5a78c-2b25-4424-b0eb-9c73cb63f795
spec:
ingressClassName: class-ingress-webui-test
rules:
- host: xyz.click-it.online
http:
paths:
- backend:
service:
name: spxcomserver-spx-webui-test-svc
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- spx-webui-test.click-it.online
secretName: spxcomserver-spx-webui-test-tls-cert
status:
loadBalancer:
ingress:
- ip: x.x.x.xClient is Mozilla Firefox with imported .p12 (CA-cert, ClientCert, ClientKey). |
|
Hi, this PR seems to be stuck. Just a few words why this all came up (important!). Our company runs a project where Client-Cert-Authentication is required. Our developers are expirienced with Apache-TLS, Client-Cert Authentication, also NGINX configurations which use TLS Client-Cert-Auth have been setup lately. Now we switched to Kubernetes and ingress-nginx which relies on
I think this is where the confusion starts with Especially if you are expirienced with SSL / TLS you always include a CA-Certificate for the "Transport" Layer in a Server-Configuration. Very seldom you use just Server-Cert and Server-Key without CA-Certificate. But exactly this is pointed out in the Kubernetes-Documentaion importing TLS with The way by doing So the implementation in our Python-Kubernetes-Installer failed because the double = assignment (which also seems like a workaround of the Kubernetes OOP Backend-Handling). So our developers thought that the ingress-nginx behaviour / documentation was broken because the double = assignment :( So my intention was to setup a clear documentation how to link certificates to ingress-nginx / Kubernetes with this PR (please check the rendered output in my fork, i added the link to the PR description). In my oppinion the only thing which needs ajustment is to check, if you can link the same secret-reference in the following config: and (config without namespace, secret needs to be inside correct namespace) And afterwards emphasis the cert-import ALWAYS by following command:
@strongjz I think this is really important for non-tls-experts and global internet-security should use such features more often, so please consider using my adapted documentation. |
|
@clauspruefer I could not find the key "ca.crt" type info in the help for the /ok-to-test |
k8s-ci-robot
added
ok-to-test
|
@clauspruefer I would even recommend that you submit a PR in the other sig that maintains the /lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: clauspruefer, longwuyuan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Thanx for the feedback :). I will open PR asap. TLS/SSL needs to be implemented correctly to increase global internet security. |
|
True. In this case though since those key:value pairs allowed for cert, chain and the key, it seems the implementation exists but precise docs for including 3 hashes is not common knowledge. Maybe people were concatenating cert+chain in a single file (I may have tried that too once or twice, not sure). |
Update / restructure "Client Cert Authentication" Documentation sub-section
Types of changes
Which issue/s this PR fixes
fixes #10687
How Has This Been Tested?
Already tested.
Checklist:
Viewable Documentation / Page:
https://github.com/clauspruefer/ingress-nginx/tree/main/docs/examples/auth/client-certs