Add annotation to enable passing the certificate to the upstream server
This commit is contained in:
Manuel de Brito Fontes
parent
de37e8ea89
commit
2223ea9600
3 changed files with 30 additions and 7 deletions
|
|
@ -14,6 +14,7 @@ The following annotations are supported:
|
|||
|[ingress.kubernetes.io/auth-tls-verify-depth](#certificate-authentication)|number|
|
||||
|[ingress.kubernetes.io/auth-tls-verify-client](#certificate-authentication)|string|
|
||||
|[ingress.kubernetes.io/auth-tls-error-page](#certificate-authentication)|string|
|
||||
|[ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream](#certificate-authentication)|string|
|
||||
|[ingress.kubernetes.io/auth-url](#external-authentication)|string|
|
||||
|[ingress.kubernetes.io/base-url-scheme](#rewrite)|string|
|
||||
|[ingress.kubernetes.io/client-body-buffer-size](#client-body-buffer-size)|string|
|
||||
|
|
@ -149,6 +150,13 @@ ingress.kubernetes.io/auth-tls-error-page
|
|||
|
||||
The URL/Page that user should be redirected in case of a Certificate Authentication Error
|
||||
|
||||
```
|
||||
ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream
|
||||
```
|
||||
|
||||
Indicates if the received certificates should be passed or not to the upstream server.
|
||||
By default this is disabled.
|
||||
|
||||
Please check the [tls-auth](../examples/auth/client-certs/README.md) example.
|
||||
|
||||
**Important:**
|
||||
|
|
|
|||
|
|
@ -44,6 +44,7 @@ type Config struct {
|
|||
VerifyClient string `json:"verify_client"`
|
||||
ValidationDepth int `json:"validationDepth"`
|
||||
ErrorPage string `json:"errorPage"`
|
||||
PassCertToUpstream bool `json:"passCertToUpstream"`
|
||||
}
|
||||
|
||||
// Equal tests for equality between two Config types
|
||||
|
|
@ -66,6 +67,10 @@ func (assl1 *Config) Equal(assl2 *Config) bool {
|
|||
if assl1.ErrorPage != assl2.ErrorPage {
|
||||
return false
|
||||
}
|
||||
if assl1.PassCertToUpstream != assl2.PassCertToUpstream {
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
|
|
@ -118,10 +123,16 @@ func (a authTLS) Parse(ing *extensions.Ingress) (interface{}, error) {
|
|||
errorpage = ""
|
||||
}
|
||||
|
||||
passCert, err := parser.GetBoolAnnotation("auth-tls-pass-certificate-to-upstream", ing, a.r)
|
||||
if err != nil {
|
||||
passCert = false
|
||||
}
|
||||
|
||||
return &Config{
|
||||
AuthSSLCert: *authCert,
|
||||
VerifyClient: tlsVerifyClient,
|
||||
ValidationDepth: tlsdepth,
|
||||
ErrorPage: errorpage,
|
||||
PassCertToUpstream: passCert,
|
||||
}, nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -756,7 +756,11 @@ stream {
|
|||
|
||||
# Pass the extracted client certificate to the backend
|
||||
{{ if not (empty $server.CertificateAuth.CAFileName) }}
|
||||
{{ if $server.CertificateAuth.PassCertToUpstream }}
|
||||
proxy_set_header ssl-client-cert $ssl_client_raw_cert;
|
||||
{{ else }}
|
||||
proxy_set_header ssl-client-cert "";
|
||||
{{ end }}
|
||||
proxy_set_header ssl-client-verify $ssl_client_verify;
|
||||
proxy_set_header ssl-client-dn $ssl_client_s_dn;
|
||||
{{ else }}
|
||||
|
|
|
|||
Loading…
Reference in a new issue