Deploy GitHub Pages

This commit is contained in:
Travis Bot 2019-04-10 00:14:41 +00:00
parent f8a1604043
commit 5354ec8a1b
6 changed files with 85 additions and 76 deletions

View file

@ -1222,15 +1222,21 @@ identity via a common CA. </p>
both our server certificate and client certificate. Then every time we want to access our backend, we must
pass the client certificate.</p>
<p>These instructions are based on the following <a href="https://medium.com/@awkwardferny/configuring-certificate-based-mutual-authentication-with-kubernetes-ingress-nginx-20e7e38fdfca">blog</a></p>
<p><strong>Generate the CA Key and Certificate:</strong>
$ openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 356 -nodes -subj '/CN=My Cert Authority'</p>
<p><strong>Generate the Server Key, and Certificate and Sign with the CA Certificate:</strong>
$ openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=mydomain.com'
$ openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt</p>
<p><strong>Generate the Client Key, and Certificate and Sign with the CA Certificate:</strong>
$ openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=My Client'
$ openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt</p>
<p>Once this is complete you can continue to follow the instructions <a href="../auth/client-certs/">here</a></p>
<p><strong>Generate the CA Key and Certificate:</strong></p>
<div class="codehilite"><pre><span></span><span class="go">openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 356 -nodes -subj &#39;/CN=My Cert Authority&#39;</span>
</pre></div>
<p><strong>Generate the Server Key, and Certificate and Sign with the CA Certificate:</strong></p>
<div class="codehilite"><pre><span></span><span class="go">openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj &#39;/CN=mydomain.com&#39;</span>
<span class="go">openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt</span>
</pre></div>
<p><strong>Generate the Client Key, and Certificate and Sign with the CA Certificate:</strong></p>
<div class="codehilite"><pre><span></span><span class="go">openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj &#39;/CN=My Client&#39;</span>
<span class="go">openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt</span>
</pre></div>
<p>Once this is complete you can continue to follow the instructions <a href="../auth/client-certs/#creating-certificate-secrets">here</a></p>
<h2 id="test-http-service">Test HTTP Service<a class="headerlink" href="#test-http-service" title="Permanent link">&para;</a></h2>
<p>All examples that require a test HTTP Service use the standard http-svc pod,
which you can deploy as follows</p>
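Review bot: The CA command in the re-wrapped block still uses `-days 356`, while the server and client certificates signed by that CA use `-days 365`. If all three are generated together, the leaf certificates outlive their issuer by nine days, and chain validation starts failing when the CA expires. This looks like a transposed 365. Since the line is being touched anyway, set the CA lifetime to at least the leaf lifetime, and ideally longer. It would also help to say next to the commands that `-nodes` writes ca.key, server.key and client.key unencrypted, so readers know to restrict file permissions on them.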

View file

@ -1194,13 +1194,15 @@ Before getting started you must have the following Certificates Setup:</p>
<li>Server Certificate(Signed by CA) and Key (CN should be equal the hostname you will use)</li>
<li>Client Certificate(Signed by CA) and Key</li>
</ol>
<p>For more details on the generation process, checkout the Prerequisite <a href="../../PREREQUISITES/">docs</a>.</p>
<p>You can have as many certificates as you want. If they're in the binary DER format, you can convert them as the following:
<div class="codehilite"><pre><span></span>$ openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
<p>For more details on the generation process, checkout the Prerequisite <a href="../../PREREQUISITES/#client-certificate-authentication">docs</a>.</p>
<p>You can have as many certificates as you want. If they're in the binary DER format, you can convert them as the following:</p>
<div class="codehilite"><pre><span></span>openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
</pre></div>
Then, you can concatenate them all in only one file, named 'ca.crt' as the following:
<div class="codehilite"><pre><span></span>$ cat certificate1.crt certificate2.crt certificate3.crt &gt;&gt; ca.crt
</pre></div></p>
<p>Then, you can concatenate them all in only one file, named 'ca.crt' as the following:</p>
<div class="codehilite"><pre><span></span>cat certificate1.crt certificate2.crt certificate3.crt &gt;&gt; ca.crt
</pre></div>
<p><strong>Note:</strong> Make sure that the Key Size is greater than 1024 and Hashing Algorithm(Digest) is something better than md5
for each certificate generated. Otherwise you will receive an error.</p>
<h2 id="creating-certificate-secrets">Creating Certificate Secrets<a class="headerlink" href="#creating-certificate-secrets" title="Permanent link">&para;</a></h2>
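Review bot: The concatenation command keeps `&gt;&gt; ca.crt`, which appends. A reader who re-runs the step, or who already has a ca.crt from the prerequisite instructions, ends up with duplicated or unintended certificates in the trust bundle used to verify clients. Suggest a single `&gt;` so the bundle contains exactly the listed files. In the Note that follows, "greater than 1024" and "better than md5" would be clearer as concrete minimums, given that the linked prerequisite commands already use rsa:4096 and -sha256.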
@ -1209,16 +1211,18 @@ Authentication to work properly.</p>
<ol>
<li>
<p>You can create a secret containing just the CA certificate and another
Secret containing the Server Certificate which is Signed by the CA.
<div class="codehilite"><pre><span></span>$ kubectl create secret generic ca-secret --from-file<span class="o">=</span>ca.crt<span class="o">=</span>ca.crt
$ kubectl create secret generic tls-secret --from-file<span class="o">=</span>tls.crt<span class="o">=</span>server.crt --from-file<span class="o">=</span>tls.key<span class="o">=</span>server.key
</pre></div></p>
Secret containing the Server Certificate which is Signed by the CA.</p>
<div class="codehilite"><pre><span></span>kubectl create secret generic ca-secret --from-file<span class="o">=</span>ca.crt<span class="o">=</span>ca.crt
kubectl create secret generic tls-secret --from-file<span class="o">=</span>tls.crt<span class="o">=</span>server.crt --from-file<span class="o">=</span>tls.key<span class="o">=</span>server.key
</pre></div>
</li>
<li>
<p>You can create a secret containing CA certificate along with the Server
Certificate, that can be used for both TLS and Client Auth.
<div class="codehilite"><pre><span></span>$ kubectl create secret generic ca-secret --from-file<span class="o">=</span>tls.crt<span class="o">=</span>server.crt --from-file<span class="o">=</span>tls.key<span class="o">=</span>server.key --from-file<span class="o">=</span>ca.crt<span class="o">=</span>ca.crt
</pre></div></p>
Certificate, that can be used for both TLS and Client Auth.</p>
<div class="codehilite"><pre><span></span>kubectl create secret generic ca-secret --from-file<span class="o">=</span>tls.crt<span class="o">=</span>server.crt --from-file<span class="o">=</span>tls.key<span class="o">=</span>server.key --from-file<span class="o">=</span>ca.crt<span class="o">=</span>ca.crt
</pre></div>
</li>
</ol>
<p>Note: The CA Certificate must contain the trusted certificate authority chain to verify client certificates.</p>
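Review bot: In list item 2 the combined secret is still named `ca-secret`, the same name item 1 uses for the CA-only secret, even though it now also carries tls.crt and tls.key. A reader who tries both options in one namespace hits a name collision, and the name hides the fact that this secret holds the server private key. Suggest a distinct name for the combined secret, plus a sentence stating which secret each option expects the Ingress to reference for TLS and for client verification.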

View file

@ -11,20 +11,19 @@ metadata:
# Specify an error page to be redirected to verification errors
nginx.ingress.kubernetes.io/auth-tls-error-page: "http://www.mysite.com/error-cert.html"
# Specify if certificates are passed to upstream server
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "false"
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
name: nginx-test
namespace: default
spec:
rules:
- host: ingress.test.com
- host: mydomain.com
http:
paths:
- backend:
serviceName: http-svc:80
serviceName: http-svc
servicePort: 80
path: /
tls:
- hosts:
- ingress.test.com
- mydomain.com
secretName: tls-secret
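Review bot: The `auth-tls-pass-certificate-to-upstream` annotation appears with both "false" and "true", so the example's behaviour changes along with the host and serviceName fixes, but the comment above it still only says "Specify if certificates are passed to upstream server". If the example is meant to forward the client certificate to the backend, say so in the comment and explain why, since readers copy this manifest as-is. Otherwise keep the previous value. The `auth-tls-error-page` value is also a plain `http://` URL on a different host (www.mysite.com) from the one in the rule, which is worth aligning with mydomain.com while the hosts are being renamed.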

File diff suppressed because one or more lines are too long

View file

@ -2,237 +2,237 @@
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
<url>
<loc>None</loc>
<lastmod>2019-04-09</lastmod>
<lastmod>2019-04-10</lastmod>
<changefreq>daily</changefreq>
</url>
</urlset>
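Review bot: Every `<loc>` in the regenerated sitemap is the literal string `None`, so the file lists no usable URLs and the only change across all entries is the `<lastmod>` date. The build is emitting an unset base URL here. Configure the site URL in the documentation build so `<loc>` is populated, or stop publishing the sitemap. Either would also keep a date-only rewrite of this file out of every automated deploy commit.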

Binary file not shown.