DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix CA certificate example docs

Browse source
This commit is contained in:
Manuel Alejandro de Brito Fontes 2019-04-08 08:35:34 -04:00
parent 4efe549502
commit d589fb485a
No known key found for this signature in database
GPG key ID: 786136016A8BA02A
3 changed files with 33 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
docs/examples/PREREQUISITES.md
View file

@ -33,17 +33,26 @@ pass the client certificate.
These instructions are based on the following [blog](https://medium.com/@awkwardferny/configuring-certificate-based-mutual-authentication-with-kubernetes-ingress-nginx-20e7e38fdfca) These instructions are based on the following [blog](https://medium.com/@awkwardferny/configuring-certificate-based-mutual-authentication-with-kubernetes-ingress-nginx-20e7e38fdfca)
**Generate the CA Key and Certificate:** **Generate the CA Key and Certificate:**
$ openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 356 -nodes -subj '/CN=My Cert Authority'
```console
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 356 -nodes -subj '/CN=My Cert Authority'
```
**Generate the Server Key, and Certificate and Sign with the CA Certificate:** **Generate the Server Key, and Certificate and Sign with the CA Certificate:**
$ openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=mydomain.com'
$ openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt ```console
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=mydomain.com'
openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
```
**Generate the Client Key, and Certificate and Sign with the CA Certificate:** **Generate the Client Key, and Certificate and Sign with the CA Certificate:**
$ openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=My Client'
$ openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
Once this is complete you can continue to follow the instructions [here](./auth/client-certs/README.md) ```console
openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=My Client'
openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
```
Once this is complete you can continue to follow the instructions [here](./auth/client-certs/README.md#creating-certificate-secrets)
## Test HTTP Service ## Test HTTP Service

18
docs/examples/auth/client-certs/README.md
View file

@ -7,15 +7,18 @@ Before getting started you must have the following Certificates Setup:
2. Server Certificate(Signed by CA) and Key (CN should be equal the hostname you will use) 2. Server Certificate(Signed by CA) and Key (CN should be equal the hostname you will use)
3. Client Certificate(Signed by CA) and Key 3. Client Certificate(Signed by CA) and Key
For more details on the generation process, checkout the Prerequisite [docs](../../PREREQUISITES.md). For more details on the generation process, checkout the Prerequisite [docs](../../PREREQUISITES.md#client-certificate-authentication).
You can have as many certificates as you want. If they're in the binary DER format, you can convert them as the following: You can have as many certificates as you want. If they're in the binary DER format, you can convert them as the following:
```bash ```bash
$ openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
``` ```
Then, you can concatenate them all in only one file, named 'ca.crt' as the following: Then, you can concatenate them all in only one file, named 'ca.crt' as the following:
```bash ```bash
$ cat certificate1.crt certificate2.crt certificate3.crt >> ca.crt cat certificate1.crt certificate2.crt certificate3.crt >> ca.crt
``` ```
**Note:** Make sure that the Key Size is greater than 1024 and Hashing Algorithm(Digest) is something better than md5 **Note:** Make sure that the Key Size is greater than 1024 and Hashing Algorithm(Digest) is something better than md5
@ -28,15 +31,17 @@ Authentication to work properly.
1. You can create a secret containing just the CA certificate and another 1. You can create a secret containing just the CA certificate and another
Secret containing the Server Certificate which is Signed by the CA. Secret containing the Server Certificate which is Signed by the CA.
```bash ```bash
$ kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt
$ kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key
``` ```
2. You can create a secret containing CA certificate along with the Server 2. You can create a secret containing CA certificate along with the Server
Certificate, that can be used for both TLS and Client Auth. Certificate, that can be used for both TLS and Client Auth.
```bash ```bash
$ kubectl create secret generic ca-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt kubectl create secret generic ca-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
``` ```
Note: The CA Certificate must contain the trusted certificate authority chain to verify client certificates. Note: The CA Certificate must contain the trusted certificate authority chain to verify client certificates.
@ -46,4 +51,3 @@ Note: The CA Certificate must contain the trusted certificate authority chain to
1. Add the annotations as provided in the [ingress.yaml](ingress.yaml) example to your own ingress resources as required. 1. Add the annotations as provided in the [ingress.yaml](ingress.yaml) example to your own ingress resources as required.
2. Test by performing a curl against the Ingress Path without the Client Cert and expect a Status Code 400. 2. Test by performing a curl against the Ingress Path without the Client Cert and expect a Status Code 400.
3. Test by performing a curl against the Ingress Path with the Client Cert and expect a Status Code 200. 3. Test by performing a curl against the Ingress Path with the Client Cert and expect a Status Code 200.

9
docs/examples/auth/client-certs/ingress.yaml
View file

@ -11,20 +11,19 @@ metadata:
# Specify an error page to be redirected to verification errors # Specify an error page to be redirected to verification errors
nginx.ingress.kubernetes.io/auth-tls-error-page: "http://www.mysite.com/error-cert.html" nginx.ingress.kubernetes.io/auth-tls-error-page: "http://www.mysite.com/error-cert.html"
# Specify if certificates are passed to upstream server # Specify if certificates are passed to upstream server
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "false" nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
name: nginx-test name: nginx-test
namespace: default namespace: default
spec: spec:
rules: rules:
- host: ingress.test.com - host: mydomain.com
http: http:
paths: paths:
- backend: - backend:
serviceName: http-svc:80 serviceName: http-svc
servicePort: 80 servicePort: 80
path: / path: /
tls: tls:
- hosts: - hosts:
- ingress.test.com - mydomain.com
secretName: tls-secret secretName: tls-secret