diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index e8d8a8f27..92907b2aa 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -313,17 +313,17 @@ http {
 {{ if $cfg.EnableVtsStatus }}vhost_traffic_status_filter_by_set_key $geoip_country_code country::$server_name;{{ end }}
+ {{ if not (empty $server.CertificateAuth.AuthSSLCert.CAFileName) }}
+ # PEM sha: {{ $server.CertificateAuth.AuthSSLCert.PemSHA }}
+ ssl_client_certificate {{ $server.CertificateAuth.AuthSSLCert.CAFileName }};
+ ssl_verify_client on;
+ ssl_verify_depth {{ $server.CertificateAuth.ValidationDepth }};
+ {{ end }}
+ {{ range $location := $server.Locations }}
 {{ $path := buildLocation $location }}
 {{ $authPath := buildAuthLocation $location }}
- {{ if not (empty $location.CertificateAuth.AuthSSLCert.CAFileName) }}
- # PEM sha: {{ $location.CertificateAuth.AuthSSLCert.PemSHA }}
- ssl_client_certificate {{ $location.CertificateAuth.AuthSSLCert.CAFileName }};
- ssl_verify_client on;
- ssl_verify_depth {{ $location.CertificateAuth.ValidationDepth }};
- {{ end }}
- {{ if not (empty $location.Redirect.AppRoot)}}
 if ($uri = /) {
 return 302 {{ $location.Redirect.AppRoot }};
@@ -414,7 +414,7 @@ http {
 proxy_set_header Host $best_http_host;
 # Pass the extracted client certificate to the backend
- {{ if not (empty $location.CertificateAuth.AuthSSLCert.CAFileName) }}
+ {{ if not (empty $server.CertificateAuth.AuthSSLCert.CAFileName) }}
 proxy_set_header ssl-client-cert $ssl_client_cert;
 {{ end }}
diff --git a/core/pkg/ingress/controller/util_test.go b/core/pkg/ingress/controller/util_test.go
index e49b2803e..9a12c89fd 100644
--- a/core/pkg/ingress/controller/util_test.go
+++ b/core/pkg/ingress/controller/util_test.go
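Review bot: `ssl_verify_client on` rendered at server scope now applies to every location of the host, including paths that belong to other Ingress resources sharing that hostname and never carried the auth-tls annotation; the code that fills `$server.CertificateAuth` when several Ingresses map to one host is outside this diff, so it is worth confirming that the merge is deterministic and that an Ingress without the annotation cannot silently clear verification for the ones that requested it. `ssl_verify_depth {{ $server.CertificateAuth.ValidationDepth }}` is emitted unconditionally inside the same block; if ValidationDepth can be zero-valued when the annotation omits a depth, nginx receives `ssl_verify_depth 0` rather than its default of 1, so either guard it with `{{ if $server.CertificateAuth.ValidationDepth }}` or document the default applied by the annotation parser. A comment above the new block such as `# Client certificate verification is a server-level setting in nginx, so it is emitted once per server and covers all locations` would record why it moved out of the location loop. The enclosing `server` block starts and ends outside the hunk.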
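Review bot: `proxy_set_header ssl-client-cert $ssl_client_cert;` is only emitted when a CA is configured, and for a server without CertificateAuth nothing is done about that header, so a value supplied by the client in an `ssl-client-cert` request header is forwarded to the backend unchanged; a backend that treats the header as evidence of a verified certificate cannot tell the two cases apart. Clearing it in the other branch removes the ambiguity: `{{ else }}` followed by `proxy_set_header ssl-client-cert "";` before the `{{ end }}`. Whether any backend relies on the header is not visible here, but the cost of the extra line is nil. If the bundled nginx is 1.13.5 or later, `$ssl_client_escaped_cert` is the maintained variable (`$ssl_client_cert` is marked deprecated in the nginx docs); the version is not on the page, so treat that as a follow-up. The enclosing location block starts and ends outside the hunk.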
@@ -23,7 +23,6 @@ import (
 "k8s.io/ingress/core/pkg/ingress"
 "k8s.io/ingress/core/pkg/ingress/annotations/auth"
 "k8s.io/ingress/core/pkg/ingress/annotations/authreq"
- "k8s.io/ingress/core/pkg/ingress/annotations/authtls"
 "k8s.io/ingress/core/pkg/ingress/annotations/ipwhitelist"
 "k8s.io/ingress/core/pkg/ingress/annotations/proxy"
 "k8s.io/ingress/core/pkg/ingress/annotations/ratelimit"
@@ -51,7 +50,6 @@ func TestMergeLocationAnnotations(t *testing.T) {
 "Redirect": rewrite.Redirect{},
 "Whitelist": ipwhitelist.SourceRange{},
 "Proxy": proxy.Configuration{},
- "CertificateAuth": authtls.AuthSSLConfig{},
 "UsePortInRedirects": true,
 }
diff --git a/core/pkg/ingress/types.go b/core/pkg/ingress/types.go
index 5d17fe0d6..9df10089e 100644
--- a/core/pkg/ingress/types.go
+++ b/core/pkg/ingress/types.go
@@ -220,6 +220,10 @@ type Server struct {
 SSLPemChecksum string `json:"sslPemChecksum"`
 // Locations list of URIs configured in the server.
 Locations []*Location `json:"locations,omitempty"`
+ // CertificateAuth indicates the access to this location requires
+ // external authentication
+ // +optional
+ CertificateAuth authtls.AuthSSLConfig `json:"certificateAuth,omitempty"`
 }
 // Location describes an URI inside a server.
@@ -231,7 +235,6 @@ type Server struct {
 // In some cases when more than one annotations is defined a particular order in the execution
 // is required.
 // The chain in the execution order of annotations should be:
-// - CertificateAuth
 // - Whitelist
 // - RateLimit
 // - BasicDigestAuth
@@ -285,10 +288,6 @@ type Location struct {
 // to be used in connections against endpoints
 // +optional
 Proxy proxy.Configuration `json:"proxy,omitempty"`
- // CertificateAuth indicates the access to this location requires
- // external authentication
- // +optional
- CertificateAuth authtls.AuthSSLConfig `json:"certificateAuth,omitempty"`
 // UsePortInRedirects indicates if redirects must specify the port
 // +optional
 UsePortInRedirects bool `json:"use-port-in-redirects"`
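Review bot: The doc comment moved onto `Server.CertificateAuth` still reads "access to this location requires external authentication", which no longer fits: the field now sits on Server and configures client-certificate verification for the whole host rather than any external auth service. Suggest `// CertificateAuth configures client certificate (mTLS) verification for this server; nginx applies it to every location under the host.` in place of the first two comment lines. `omitempty` on a struct-typed field is ignored by encoding/json (struct values are never omitted), so the tag promises more than it does; that was already true of the removed Location field, but the move is a good moment to drop the option or note it. Server's earlier fields lie outside the hunk.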