From dbdfbf2158da7571668aeb6b8d84c64741f4cb81 Mon Sep 17 00:00:00 2001 From: Ricardo Pchevuzinske Katz Date: Fri, 10 Feb 2017 14:00:48 -0200 Subject: [PATCH] Improve cert auth documentation --- examples/PREREQUISITES.md | 4 ++-- .../client-certs}/nginx/README.md | 18 +++++++++++------- .../client-certs}/nginx/nginx-tls-auth.yaml | 0 3 files changed, 13 insertions(+), 9 deletions(-) rename examples/{tls-authentication => auth/client-certs}/nginx/README.md (94%) rename examples/{tls-authentication => auth/client-certs}/nginx/nginx-tls-auth.yaml (100%) diff --git a/examples/PREREQUISITES.md b/examples/PREREQUISITES.md index 9ecb10ea4..9c26b07c8 100644 --- a/examples/PREREQUISITES.md +++ b/examples/PREREQUISITES.md @@ -40,7 +40,7 @@ secret "tls-secret" created You can act as your very own CA, or use an existing one. As an exercise / learning, we're going to generate our own CA, and also generate a client certificate. -These instructions are based in CoreOS OpenSSL instructions: https://coreos.com/kubernetes/docs/latest/openssl.html +These instructions are based in CoreOS OpenSSL [instructions](https://coreos.com/kubernetes/docs/latest/openssl.html) ### Generating a CA @@ -114,7 +114,7 @@ all the authorized CAs. You must download them from your CA site in PEM format ( -----END CERTIFICATE----- ``` -You can have as many certificates as you wan't. If they're in the binary DER format, +You can have as many certificates as you want. If they're in the binary DER format, you can convert them as the following: ```console diff --git a/examples/tls-authentication/nginx/README.md b/examples/auth/client-certs/nginx/README.md similarity index 94% rename from examples/tls-authentication/nginx/README.md rename to examples/auth/client-certs/nginx/README.md index ed11acbfc..74436378c 100644 --- a/examples/tls-authentication/nginx/README.md +++ b/examples/auth/client-certs/nginx/README.md 
@@ -1,24 +1,26 @@ -# TLS termination +# TLS authentication This example demonstrates how to enable the TLS Authentication through the nginx Ingress controller. ## Terminology -* CA Certificate(s) - Certificate Authority public key. Client certs must chain back to this cert, -meaning the Issuer field of some certificate in the chain leading up to the client cert must contain -the name of this CA. For purposes of this example, this is a self signed certificate. - -* Client Cert: Certificate used by the clients to authenticate themselves with the loadbalancer/backends. * CA: Certificate authority signing the client cert, in this example we will play the role of a CA. You can generate a CA cert as show in this doc. +* CA Certificate(s) - Certificate Authority public key. Client certs must chain back to this cert, +meaning the Issuer field of some certificate in the chain leading up to the client cert must contain +the name of this CA. For purposes of this example, this is a self signed certificate. + * CA chains: A chain of certificates where the parent has a Subject field matching the Issuer field of the child, except for the root, which has Issuer == Subject. +* Client Cert: Certificate used by the clients to authenticate themselves with the loadbalancer/backends. + + ## Prerequisites You need a valid CA File, composed of a group of valid enabled CAs. This MUST be in PEM Format. -The instructions are described here: https://github.com/kubernetes/ingress/blob/master/examples/PREREQUISITES.md#ca-authentication +The instructions are described [here](../../../PREREQUISITES.md#ca-authentication) Also your ingress must be configured as a HTTPs/TLS Ingress. @@ -71,3 +73,5 @@ Server: nginx/1.11.9 ``` You must use the full DNS name while testing, as NGINX relies on the Server Name (SNI) to select the correct Ingress to be used. + +The curl version used here was ``curl 7.47.0`` 
diff --git a/examples/tls-authentication/nginx/nginx-tls-auth.yaml b/examples/auth/client-certs/nginx/nginx-tls-auth.yaml similarity index 100% rename from examples/tls-authentication/nginx/nginx-tls-auth.yaml rename to examples/auth/client-certs/nginx/nginx-tls-auth.yaml
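Review bot: In the PREREQUISITES.md hunk at line 40, the rewritten sentence keeps the grammatical slip "based in" and still ends without a period; since the line is being touched anyway, suggest "These instructions are based on the CoreOS OpenSSL [instructions](https://coreos.com/kubernetes/docs/latest/openssl.html)." so the link conversion and the wording fix land together.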
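Review bot: In the README.md Terminology hunk, the moved "CA Certificate(s)" entry describes the CA certificate as a "Certificate Authority public key" and frames chaining purely as the Issuer field containing the CA's name; a CA certificate carries the public key plus the subject name and a signature, and the client certificate is accepted because its chain is signature-verified up to a certificate in the configured CA file, with Issuer/Subject names only linking the chain. Suggest rewording to something like "CA Certificate(s): the certificate of the Certificate Authority. Client certs must chain back to one of these: each certificate in the chain is signed by the next one up, and its Issuer matches that signer's Subject." Two smaller points in the same hunk: the reorder leaves two consecutive blank lines before "## Prerequisites" (one is enough), and the now-first bullet still reads "as show in this doc" (should be "as shown"); the list also mixes "CA:" with "CA Certificate(s) -" as separators, so pick one.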
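Review bot: In the README.md hunk at line 71, the added line "The curl version used here was ``curl 7.47.0``" uses double backticks where the file otherwise uses single-backtick inline code, and it lacks a terminating period; suggest "The curl version used here was `curl 7.47.0`." Since the sentence qualifies the curl invocation and the "Server: nginx/1.11.9" output shown just above it, it would read better placed next to that command rather than as a trailing remark after the SNI note.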