72de2600d7
Multiple people within my work organisation were caught out by the fact that the trusted client cert issuers must be given in a file named `ca.crt` and that other filenames will fail to work. This change makes it more clear to those who stumble across the documentation that this is a potential gotcha.
31 lines
1.2 KiB
YAML
31 lines
1.2 KiB
YAML
apiVersion: extensions/v1beta1
|
|
kind: Ingress
|
|
metadata:
|
|
annotations:
|
|
# Enable client certificate authentication
|
|
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
|
|
# Create the secret containing the trusted ca certificates with `kubectl create secret generic auth-tls-chain --from-file=ca.crt --namespace=default`
|
|
# NB: The file _must_ be named "ca.crt" and nothing else. This filename is expected to be found in the secret.
|
|
nginx.ingress.kubernetes.io/auth-tls-secret: "default/auth-tls-chain"
|
|
# Specify the verification depth in the client certificates chain
|
|
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
|
|
# Specify an error page to be redirected to verification errors
|
|
nginx.ingress.kubernetes.io/auth-tls-error-page: "http://www.mysite.com/error-cert.html"
|
|
# Specify if certificates are passed to upstream server
|
|
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "false"
|
|
name: nginx-test
|
|
namespace: default
|
|
spec:
|
|
rules:
|
|
- host: ingress.test.com
|
|
http:
|
|
paths:
|
|
- backend:
|
|
serviceName: http-svc:80
|
|
servicePort: 80
|
|
path: /
|
|
tls:
|
|
- hosts:
|
|
- ingress.test.com
|
|
secretName: tls-secret
|
|
|