DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add some extra detail to the client cert auth example

Browse source 
Multiple people within my work organisation were caught out by the fact
that the trusted client cert issuers must be given in a file named
`ca.crt` and that other filenames will fail to work.

This change makes it more clear to those who stumble across the
documentation that this is a potential gotcha.
This commit is contained in:
Ashley Davis 2018-10-09 22:10:56 +01:00
parent 808c2be914
commit 72de2600d7
2 changed files with 7 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
docs/examples/auth/client-certs/README.md
View file

@ -1,11 +1,11 @@
# Client Certificate Authentication
It is possible to enable Client Certificate Authentication using additional annotations in Ingress resources, created by you.
It is possible to enable Client Certificate Authentication using additional annotations in the Ingress.
## Setup Instructions
1. Create a file named `ca.crt` containing the trusted certificate authority chain to verify client certificates. All of the certificates must be in PEM format.
*NB:* The file containing the trusted certificates must be named `ca.crt` exactly - this is expected to be found in the secret.
## Setup instructions
1. Create a file named `ca.crt` containing the trusted certificate authority chain (all ca certificates in PEM format) to verify client certificates.
2. Create a secret from this file:
2. Create a secret from this file:
`kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default`
3. Add the annotations as provided in the [ingress.yaml](ingress.yaml) example to your ingress object.
3. Add the annotations as provided in the [ingress.yaml](ingress.yaml) example to your own ingress resources as required.

1
docs/examples/auth/client-certs/ingress.yaml
View file

@ -5,6 +5,7 @@ metadata:
# Enable client certificate authentication
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
# Create the secret containing the trusted ca certificates with `kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default`
# NB: The file _must_ be named "ca.crt" and nothing else. This filename is expected to be found in the secret.
nginx.ingress.kubernetes.io/auth-tls-secret: "default/auth-tls-chain"
# Specify the verification depth in the client certificates chain
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"