Enhance Certificate Logging and Clearup Mutual Auth Docs

Adds better logging to errors caused when getting a Certificate. Adds notes and updates documentation for Mutual Authentication.
2017-09-26 22:46:22 -05:00 · 2017-09-26 22:46:22 -05:00 · 1ffeb2cee1
commit 1ffeb2cee1
parent 6e24dc68f7
8 changed files with 49 additions and 29 deletions
--- a/controllers/nginx/configuration.md
+++ b/controllers/nginx/configuration.md
@ -135,14 +135,14 @@ Please check the [auth](/examples/auth/basic/nginx/README.md) example.

 ### Certificate Authentication

-It's possible to enable Certificate based authentication using additional annotations in Ingress Rule.
+It's possible to enable Certificate-Based Authentication (Mutual Authentication) using additional annotations in Ingress Rule.

 The annotations are:
 ```
 ingress.kubernetes.io/auth-tls-secret: secretName
 ```

-The name of the secret that contains the full Certificate Authority chain that is enabled to authenticate against this ingress. It's composed of namespace/secretName
+The name of the secret that contains the full Certificate Authority chain `ca.crt` that is enabled to authenticate against this ingress. It's composed of namespace/secretName.

 ```
 ingress.kubernetes.io/auth-tls-verify-depth
--- a/core/pkg/ingress/controller/backend_ssl.go
+++ b/core/pkg/ingress/controller/backend_ssl.go
@ -74,33 +74,45 @@ func (ic *GenericController) getPemCertificate(secretName string) (*ingress.SSLC

 	cert, okcert := secret.Data[apiv1.TLSCertKey]
 	key, okkey := secret.Data[apiv1.TLSPrivateKeyKey]
-
 	ca := secret.Data["ca.crt"]

+	// namespace/secretName -> namespace-secretName
 	nsSecName := strings.Replace(secretName, "/", "-", -1)

 	var s *ingress.SSLCert
 	if okcert && okkey {
-		if cert == nil || key == nil {
-			return nil, fmt.Errorf("error retrieving cert or key from secret %v: %v", secretName, err)
+		if cert == nil {
+			return nil, fmt.Errorf("secret %v has no 'tls.crt'", secretName)
 		}
-		s, err = ssl.AddOrUpdateCertAndKey(nsSecName, cert, key, ca)
-		if err != nil {
-			return nil, fmt.Errorf("unexpected error creating pem file %v", err)
-		}
-		glog.V(3).Infof("found certificate and private key, configuring %v as a TLS Secret (CN: %v)", secretName, s.CN)
-	} else if ca != nil {
-		glog.V(3).Infof("found only ca.crt, configuring %v as an Certificate Authentication secret", secretName)
-		s, err = ssl.AddCertAuth(nsSecName, ca)
-		if err != nil {
-			return nil, fmt.Errorf("unexpected error creating pem file %v", err)
-		}
-	} else {
-		return nil, fmt.Errorf("no keypair or CA cert could be found in %v", secretName)
+		if key == nil {
+			return nil, fmt.Errorf("secret %v has no 'tls.key'", secretName)
 		}

+		// If 'ca.crt' is also present, it will allow this secret to be used in the
+		// 'ingress.kubernetes.io/auth-tls-secret' annotation
+		s, err = ssl.AddOrUpdateCertAndKey(nsSecName, cert, key, ca)
 		if err != nil {
-		return nil, err
+			return nil, fmt.Errorf("unexpected error creating pem file: %v", err)
+		}
+
+		glog.V(3).Infof("found 'tls.crt' and 'tls.key', configuring %v as a TLS Secret (CN: %v)", secretName, s.CN)
+		if ca != nil {
+			glog.V(3).Infof("found 'ca.crt', secret %v can also be used for Certificate Authentication", secretName)
+		}
+
+	} else if ca != nil {
+		s, err = ssl.AddCertAuth(nsSecName, ca)
+
+		if err != nil {
+			return nil, fmt.Errorf("unexpected error creating pem file: %v", err)
+		}
+
+		// makes this secret in 'syncSecret' to be used for Certificate Authentication
+		// this does not enable Certificate Authentication
+		glog.V(3).Infof("found only 'ca.crt', configuring %v as an Certificate Authentication Secret", secretName)
+
+	} else {
+		return nil, fmt.Errorf("no keypair or CA cert could be found in %v", secretName)
 	}

 	s.Name = secret.Name
--- a/core/pkg/ingress/controller/controller.go
+++ b/core/pkg/ingress/controller/controller.go
@ -509,9 +509,13 @@ func (ic *GenericController) getBackendServers(ingresses []*extensions.Ingress)
 				ca := ic.annotations.CertificateAuth(ing)
 				if ca != nil {
 					server.CertificateAuth = *ca
+					// It is possible that no CAFileName is found in the secret
+					if server.CertificateAuth.CAFileName == "" {
+						glog.V(3).Infof("secret %v does not contain 'ca.crt', mutual authentication not enabled - ingress rule %v/%v.", server.CertificateAuth.Secret, ing.Namespace, ing.Name)
+					}
 				}
 			} else {
-				glog.V(3).Infof("server %v already contains a muthual autentication configuration - ingress rule %v/%v", server.Hostname, ing.Namespace, ing.Name)
+				glog.V(3).Infof("server %v already contains a mutual authentication configuration - ingress rule %v/%v", server.Hostname, ing.Namespace, ing.Name)
 			}

 			for _, path := range rule.HTTP.Paths {
@ -671,7 +675,8 @@ func (ic *GenericController) getBackendServers(ingresses []*extensions.Ingress)
 	return aUpstreams, aServers
 }

-// GetAuthCertificate ...
+
+// GetAuthCertificate is used by the auth-tls annotations to get a cert from a secret
 func (ic GenericController) GetAuthCertificate(secretName string) (*resolver.AuthSSLCert, error) {
 	if _, exists := ic.sslCertTracker.Get(secretName); !exists {
 		ic.syncSecret(secretName)
@ -894,10 +899,12 @@ func (ic *GenericController) createServers(data []*extensions.Ingress,
 		RequestBuffering: bdef.ProxyRequestBuffering,
 	}

+	// generated on Start() with createDefaultSSLCertificate()
 	defaultPemFileName := fakeCertificatePath
 	defaultPemSHA := fakeCertificateSHA

-	// Tries to fetch the default Certificate. If it does not exists, generate a new self signed one.
+	// Tries to fetch the default Certificate from nginx configuration.
+	// If it does not exists, use the ones generated on Start()
 	defaultCertificate, err := ic.getPemCertificate(ic.cfg.DefaultSSLCertificate)
 	if err == nil {
 		defaultPemFileName = defaultCertificate.PemFileName
--- a/core/pkg/ingress/resolver/main.go
+++ b/core/pkg/ingress/resolver/main.go
@ -54,7 +54,7 @@ type AuthSSLCert struct {
 	Secret string `json:"secret"`
 	// CAFileName contains the path to the secrets 'ca.crt'
 	CAFileName string `json:"caFilename"`
-	// PemSHA contains the SHA1 hash of the 'tls.crt' value
+	// PemSHA contains the SHA1 hash of the 'ca.crt' or combinations of (tls.crt, tls.key, tls.crt) depending on certs in secret
 	PemSHA string `json:"pemSha"`
 }

--- a/core/pkg/net/ssl/ssl.go
+++ b/core/pkg/net/ssl/ssl.go
@ -271,7 +271,7 @@ func AddCertAuth(name string, ca []byte) (*ingress.SSLCert, error) {
 		return nil, fmt.Errorf("could not write CA file %v: %v", caFileName, err)
 	}

-	glog.V(3).Infof("Created CA Certificate for authentication: %v", caFileName)
+	glog.V(3).Infof("Created CA Certificate for Authentication: %v", caFileName)
 	return &ingress.SSLCert{
 		CAFileName:  caFileName,
 		PemFileName: caFileName,
--- a/examples/PREREQUISITES.md
+++ b/examples/PREREQUISITES.md
@ -132,7 +132,12 @@ The final step is to create a secret with the content of this file. This secret
 the TLS Auth directive:

 ```console
-$ kubectl create secret generic caingress --namespace=default --from-file=ca.crt
+$ kubectl create secret generic caingress --namespace=default --from-file=ca.crt=<ca.crt>
+```
+
+Note: You can also generate the CA Authentication Secret along with the TLS Secret by using:
+```console
+$ kubectl create secret generic caingress --namespace=default --from-file=ca.crt=<ca.crt> --from-file=tls.crt=<tls.crt> --from-file=tls.key=<tls.key>
 ```

 ## Test HTTP Service
--- a/examples/auth/client-certs/nginx/README.md
+++ b/examples/auth/client-certs/nginx/README.md
@ -16,13 +16,12 @@ the child, except for the root, which has Issuer == Subject.

 * Client Cert: Certificate used by the clients to authenticate themselves with the loadbalancer/backends.

-
 ## Prerequisites

 You need a valid CA File, composed of a group of valid enabled CAs. This MUST be in PEM Format.
-The instructions are described [here](../../../PREREQUISITES.md#ca-authentication)
+The instructions are described [here](../../../PREREQUISITES.md)

-Also your ingress must be configured as a HTTPs/TLS Ingress.
+Also your ingress must be configured as a HTTPS/TLS Ingress.

 ## Deployment

@ -51,8 +50,7 @@ Name:			nginx-test
 Namespace:		default
 Address:		104.198.183.6
 Default backend:	default-http-backend:80 (10.180.0.4:8080,10.240.0.2:8080)
-TLS:
-  tls-secret terminates ingress.test.com
+TLS: tls-secret terminates ingress.test.com
 Rules:
  Host	Path	Backends
  ----	----	--------
@ -79,13 +77,12 @@ Server: nginx/1.11.9
 $ curl -I -k --key ~/user.key --cert ~/user.cer https://ingress.test.com 
 HTTP/1.1 200 OK
 Server: nginx/1.11.9
-
 ```

 You must use the full DNS name while testing, as NGINX relies on the Server Name (SNI) to select the correct Ingress to be used.
-
 The curl version used here was ``curl 7.47.0``

 ## Which certificate was used for authentication?

-In your backend application you might want to know which certificate was used for authentication. For this purpose, we pass the full certificate in PEM format to the backend in the `ssl-client-cert` header.
+In your backend application you might want to know which certificate was used for authentication.
+For this purpose, we pass the full certificate in PEM format to the backend in the `ssl-client-cert` header.
--- a/examples/auth/client-certs/nginx/nginx-tls-auth.yaml
+++ b/examples/auth/client-certs/nginx/nginx-tls-auth.yaml
@ -21,6 +21,5 @@ spec:
  tls:
  - hosts:
    - ingress.test.com
-    # Create this cert as described in 'multi-tls' example
-    secretName: cert
+    secretName: tls-secret