Improve cert auth documentation

Ricardo Pchevuzinske Katz 2017-02-10 14:00:48 -02:00
parent 1738cbdaa3
commit dbdfbf2158
3 changed files with 13 additions and 9 deletions


@ -40,7 +40,7 @@ secret "tls-secret" created
You can act as your very own CA, or use an existing one. As an exercise / learning, we're going to generate our You can act as your very own CA, or use an existing one. As an exercise / learning, we're going to generate our
own CA, and also generate a client certificate. own CA, and also generate a client certificate.
These instructions are based in CoreOS OpenSSL instructions: https://coreos.com/kubernetes/docs/latest/openssl.html These instructions are based in CoreOS OpenSSL [instructions](https://coreos.com/kubernetes/docs/latest/openssl.html)
### Generating a CA ### Generating a CA
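Review bot: the sentence that now carries the markdown link still says "based in CoreOS OpenSSL instructions"; "based on the CoreOS OpenSSL instructions" reads correctly. Keeping the absolute URL for this external page is right, in contrast to the relative link used for the in-repo PREREQUISITES.md elsewhere in this commit.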
@ -114,7 +114,7 @@ all the authorized CAs. You must download them from your CA site in PEM format (
-----END CERTIFICATE----- -----END CERTIFICATE-----
``` ```
You can have as many certificates as you wan't. If they're in the binary DER format, You can have as many certificates as you want. If they're in the binary DER format,
you can convert them as the following: you can convert them as the following:
```console ```console
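Review bot: "wan't" is fixed, but the next line still reads "you can convert them as the following"; suggest "you can convert them as follows". Since the CA file is a concatenation of every trusted CA in PEM format, it would help to state that each DER certificate must be converted before it is appended, otherwise that CA will not be trusted by the verification step.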


@ -1,24 +1,26 @@
# TLS termination # TLS authentication
This example demonstrates how to enable the TLS Authentication through the nginx Ingress controller. This example demonstrates how to enable the TLS Authentication through the nginx Ingress controller.
## Terminology ## Terminology
* CA Certificate(s) - Certificate Authority public key. Client certs must chain back to this cert,
meaning the Issuer field of some certificate in the chain leading up to the client cert must contain
the name of this CA. For purposes of this example, this is a self signed certificate.
* Client Cert: Certificate used by the clients to authenticate themselves with the loadbalancer/backends.
* CA: Certificate authority signing the client cert, in this example we will play the role of a CA. * CA: Certificate authority signing the client cert, in this example we will play the role of a CA.
You can generate a CA cert as show in this doc. You can generate a CA cert as show in this doc.
* CA Certificate(s) - Certificate Authority public key. Client certs must chain back to this cert,
meaning the Issuer field of some certificate in the chain leading up to the client cert must contain
the name of this CA. For purposes of this example, this is a self signed certificate.
* CA chains: A chain of certificates where the parent has a Subject field matching the Issuer field of * CA chains: A chain of certificates where the parent has a Subject field matching the Issuer field of
the child, except for the root, which has Issuer == Subject. the child, except for the root, which has Issuer == Subject.
* Client Cert: Certificate used by the clients to authenticate themselves with the loadbalancer/backends.
## Prerequisites ## Prerequisites
You need a valid CA File, composed of a group of valid enabled CAs. This MUST be in PEM Format. You need a valid CA File, composed of a group of valid enabled CAs. This MUST be in PEM Format.
The instructions are described here: https://github.com/kubernetes/ingress/blob/master/examples/PREREQUISITES.md#ca-authentication The instructions are described [here](../../../PREREQUISITES.md#ca-authentication)
Also your ingress must be configured as a HTTPs/TLS Ingress. Also your ingress must be configured as a HTTPs/TLS Ingress.
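Review bot: the reordered terminology is clearer, but a few wording issues survive in the new column: "as show in this doc" should be "as shown in this doc", "self signed" is normally hyphenated ("self-signed"), and "HTTPs/TLS" should be "HTTPS/TLS". With the title now "TLS authentication", the "CA Certificate(s)" bullet should also say explicitly that this is the CA file NGINX uses to verify client certificates (the "valid CA File" of the Prerequisites section), so readers do not confuse it with the server certificate of the TLS Ingress mentioned in the last line.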
@ -71,3 +73,5 @@ Server: nginx/1.11.9
``` ```
You must use the full DNS name while testing, as NGINX relies on the Server Name (SNI) to select the correct Ingress to be used. You must use the full DNS name while testing, as NGINX relies on the Server Name (SNI) to select the correct Ingress to be used.
The curl version used here was ``curl 7.47.0``
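Review bot: the added line uses double backticks around ``curl 7.47.0``; the rest of this README uses ```console fences for commands, so a single-backtick `curl 7.47.0` is the consistent inline form. It would also help to say why the version is recorded, since the preceding line makes the test depend on the client sending SNI; without that reason the note is informational only.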