Merge pull request #1480 from sapcc/ssl_verify_client

configurable ssl_verify_client
Manuel Alejandro de Brito Fontes 2017-10-05 08:02:43 -04:00 committed by GitHub
commit f9117a7eaf
5 changed files with 27 additions and 1 deletions


@ -47,6 +47,7 @@ The following annotations are supported:
|[ingress.kubernetes.io/auth-url](#external-authentication)|string| |[ingress.kubernetes.io/auth-url](#external-authentication)|string|
|[ingress.kubernetes.io/auth-tls-secret](#certificate-authentication)|string| |[ingress.kubernetes.io/auth-tls-secret](#certificate-authentication)|string|
|[ingress.kubernetes.io/auth-tls-verify-depth](#certificate-authentication)|number| |[ingress.kubernetes.io/auth-tls-verify-depth](#certificate-authentication)|number|
|[ingress.kubernetes.io/auth-tls-verify-client](#certificate-authentication)|string|
|[ingress.kubernetes.io/auth-tls-error-page](#certificate-authentication)|string| |[ingress.kubernetes.io/auth-tls-error-page](#certificate-authentication)|string|
|[ingress.kubernetes.io/base-url-scheme](#rewrite)|string| |[ingress.kubernetes.io/base-url-scheme](#rewrite)|string|
|[ingress.kubernetes.io/client-body-buffer-size](#client-body-buffer-size)|string| |[ingress.kubernetes.io/client-body-buffer-size](#client-body-buffer-size)|string|
@ -155,6 +156,12 @@ ingress.kubernetes.io/auth-tls-verify-depth
The validation depth between the provided client certificate and the Certification Authority chain. The validation depth between the provided client certificate and the Certification Authority chain.
```
ingress.kubernetes.io/auth-tls-verify-client
```
Enables verification of client certificates.
``` ```
ingress.kubernetes.io/auth-tls-error-page ingress.kubernetes.io/auth-tls-error-page
``` ```


@ -636,7 +636,7 @@ stream {
{{ if not (empty $server.CertificateAuth.CAFileName) }} {{ if not (empty $server.CertificateAuth.CAFileName) }}
# PEM sha: {{ $server.CertificateAuth.PemSHA }} # PEM sha: {{ $server.CertificateAuth.PemSHA }}
ssl_client_certificate {{ $server.CertificateAuth.CAFileName }}; ssl_client_certificate {{ $server.CertificateAuth.CAFileName }};
ssl_verify_client on; ssl_verify_client {{ $server.CertificateAuth.VerifyClient }};
ssl_verify_depth {{ $server.CertificateAuth.ValidationDepth }}; ssl_verify_depth {{ $server.CertificateAuth.ValidationDepth }};
{{ if not (empty $server.CertificateAuth.ErrorPage)}} {{ if not (empty $server.CertificateAuth.ErrorPage)}}
error_page 495 496 = {{ $server.CertificateAuth.ErrorPage }}; error_page 495 496 = {{ $server.CertificateAuth.ErrorPage }};


@ -24,20 +24,28 @@ import (
ing_errors "k8s.io/ingress/core/pkg/ingress/errors" ing_errors "k8s.io/ingress/core/pkg/ingress/errors"
"k8s.io/ingress/core/pkg/ingress/resolver" "k8s.io/ingress/core/pkg/ingress/resolver"
"k8s.io/ingress/core/pkg/k8s" "k8s.io/ingress/core/pkg/k8s"
"regexp"
) )
const ( const (
// name of the secret // name of the secret
annotationAuthTLSSecret = "ingress.kubernetes.io/auth-tls-secret" annotationAuthTLSSecret = "ingress.kubernetes.io/auth-tls-secret"
annotationAuthVerifyClient = "ingress.kubernetes.io/auth-tls-verify-client"
annotationAuthTLSDepth = "ingress.kubernetes.io/auth-tls-verify-depth" annotationAuthTLSDepth = "ingress.kubernetes.io/auth-tls-verify-depth"
annotationAuthTLSErrorPage = "ingress.kubernetes.io/auth-tls-error-page" annotationAuthTLSErrorPage = "ingress.kubernetes.io/auth-tls-error-page"
defaultAuthTLSDepth = 1 defaultAuthTLSDepth = 1
defaultAuthVerifyClient = "on"
)
var (
authVerifyClientRegex = regexp.MustCompile(`on|off|optional|optional_no_ca`)
) )
// AuthSSLConfig contains the AuthSSLCert used for muthual autentication // AuthSSLConfig contains the AuthSSLCert used for muthual autentication
// and the configured ValidationDepth // and the configured ValidationDepth
type AuthSSLConfig struct { type AuthSSLConfig struct {
resolver.AuthSSLCert resolver.AuthSSLCert
VerifyClient string `json:"verify_client"`
ValidationDepth int `json:"validationDepth"` ValidationDepth int `json:"validationDepth"`
ErrorPage string `json:"errorPage"` ErrorPage string `json:"errorPage"`
} }
@ -53,6 +61,9 @@ func (assl1 *AuthSSLConfig) Equal(assl2 *AuthSSLConfig) bool {
if !(&assl1.AuthSSLCert).Equal(&assl2.AuthSSLCert) { if !(&assl1.AuthSSLCert).Equal(&assl2.AuthSSLCert) {
return false return false
} }
if assl1.VerifyClient != assl2.VerifyClient {
return false
}
if assl1.ValidationDepth != assl2.ValidationDepth { if assl1.ValidationDepth != assl2.ValidationDepth {
return false return false
} }
@ -89,6 +100,11 @@ func (a authTLS) Parse(ing *extensions.Ingress) (interface{}, error) {
return &AuthSSLConfig{}, ing_errors.NewLocationDenied(err.Error()) return &AuthSSLConfig{}, ing_errors.NewLocationDenied(err.Error())
} }
tlsVerifyClient, err := parser.GetStringAnnotation(annotationAuthVerifyClient, ing)
if err != nil || !authVerifyClientRegex.MatchString(tlsVerifyClient) {
tlsVerifyClient = defaultAuthVerifyClient
}
tlsdepth, err := parser.GetIntAnnotation(annotationAuthTLSDepth, ing) tlsdepth, err := parser.GetIntAnnotation(annotationAuthTLSDepth, ing)
if err != nil || tlsdepth == 0 { if err != nil || tlsdepth == 0 {
tlsdepth = defaultAuthTLSDepth tlsdepth = defaultAuthTLSDepth
@ -108,6 +124,7 @@ func (a authTLS) Parse(ing *extensions.Ingress) (interface{}, error) {
return &AuthSSLConfig{ return &AuthSSLConfig{
AuthSSLCert: *authCert, AuthSSLCert: *authCert,
VerifyClient: tlsVerifyClient,
ValidationDepth: tlsdepth, ValidationDepth: tlsdepth,
ErrorPage: errorpage, ErrorPage: errorpage,
}, nil }, nil
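Review bot: `authVerifyClientRegex` is unanchored, so the check `if err != nil || !authVerifyClientRegex.MatchString(tlsVerifyClient)` accepts any annotation value that merely contains one of the four words (for example `on` followed by arbitrary text), and that unmodified string is then written verbatim into the nginx configuration by the template's new `ssl_verify_client {{ $server.CertificateAuth.VerifyClient }};` line. Anchor the pattern so only the exact nginx keywords pass: `authVerifyClientRegex = regexp.MustCompile("^(on|off|optional|optional_no_ca)$")`, or replace the regex with a `switch` over the four literals. Note also that an invalid value silently becomes `on`; a short comment above the fallback, such as `// unrecognised values fall back to the default rather than failing the Ingress`, would make that deliberate choice visible to the next maintainer. The enclosing `Parse` function begins and ends outside these hunks.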


@ -31,6 +31,7 @@ Certificate Authentication is achieved through 2 annotations on the Ingress, as
| --- | --- | --- | | --- | --- | --- |
|ingress.kubernetes.io/auth-tls-secret|Sets the secret that contains the authorized CA Chain|string| |ingress.kubernetes.io/auth-tls-secret|Sets the secret that contains the authorized CA Chain|string|
|ingress.kubernetes.io/auth-tls-verify-depth|The verification depth Certificate Authentication will make|number (default to 1)| |ingress.kubernetes.io/auth-tls-verify-depth|The verification depth Certificate Authentication will make|number (default to 1)|
|ingress.kubernetes.io/auth-tls-verify-client|Enables verification of client certificates|string (default to on)|
|ingress.kubernetes.io/auth-tls-error-page|The page that user should be redirected in case of Auth error|string (default to empty| |ingress.kubernetes.io/auth-tls-error-page|The page that user should be redirected in case of Auth error|string (default to empty|
The following command instructs the controller to enable TLS authentication using the secret from the ``ingress.kubernetes.io/auth-tls-secret`` The following command instructs the controller to enable TLS authentication using the secret from the ``ingress.kubernetes.io/auth-tls-secret``


@ -5,6 +5,7 @@ metadata:
# Create this with kubectl create secret generic caingress --from-file=ca.crt --namespace=default # Create this with kubectl create secret generic caingress --from-file=ca.crt --namespace=default
ingress.kubernetes.io/auth-tls-secret: "default/caingress" ingress.kubernetes.io/auth-tls-secret: "default/caingress"
ingress.kubernetes.io/auth-tls-verify-depth: "3" ingress.kubernetes.io/auth-tls-verify-depth: "3"
ingress.kubernetes.io/auth-tls-verify-client: "on"
auth-tls-error-page: "http://www.mysite.com/error-cert.html" auth-tls-error-page: "http://www.mysite.com/error-cert.html"
kubernetes.io/ingress.class: "nginx" kubernetes.io/ingress.class: "nginx"
name: nginx-test name: nginx-test