Kubernetes Ingress annotations for X.509 certificate authentication

10/1/2018

I'm trying to use kubernetes ingress annotation rules in order to enable X509 authentication. My ingress yaml file is defined below:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: bdf-opengie-test
  name: keycloak-opengie-test-ssl
  labels:
    app: keycloak-opengie
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  rules:
  - host: keycloak-opengie-test-ssl.bdf-clu4.paas.eclair.local
    http:
      paths:
      - path: /
        backend:
          serviceName: keycloak-opengie
          servicePort: http
  tls:
  - hosts:
    - keycloak-opengie-test-ssl.bdf-clu4.paas.eclair.local

When I invoke my application URL, I'm expecting to see a popup requesting a certificate, but nothing happens. It seems like the annotations have no effect in the ingress definition. Can someone tell me what's going wrong in my ingress definition? I'm using Nginx Ingress 0.15.0 and Kubernetes 1.10.5.

-- user2960782
annotations
kubernetes

2 Answers

1/16/2020
ingress:
    hostname: id.login.example.com
    annotations:
      nginx.ingress.kubernetes.io/configuration-snippet: |
        more_clear_input_headers "x-forwarded-client-cert";
        more_set_input_headers "x-forwarded-client-cert: $ssl_client_cert";
      nginx.ingress.kubernetes.io/server-snippet: |
        ssl_verify_client on;
        ssl_client_certificate /etc/nginx/truststore-development.crt;
        ssl_verify_depth 2;
        ssl_session_cache off;
-- Kristo Aun
Source: StackOverflow

10/2/2018

First of all, you are missing the secret with the SSL files issued for your domain (if we are talking about native k8s secret management). Your secret should be created by:

kubectl --namespace bdf-opengie-test create secret tls <secret_name> --key <key_path> --cert <cert_path>

Then your Ingress .yml file should contain this secret:

 ...
 tls:
   - hosts:
     - keycloak-opengie-test-ssl.<domain>
     secretName: <secret_name>

Only after this can you think about any annotations for auth or something else which is not working.

Note: the secret is a namespaced object.

-- Konstantin Vustin
Source: StackOverflow
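A check for the points raised in the question and the answer above, written as an added example (not code from either poster): it audits an Ingress object, in the shape `kubectl get ingress -o json` returns, for a `tls` entry without `secretName`, and for an `auth-tls-secret` value that is not in the `namespace/name` form the ingress-nginx documentation specifies for that annotation. The sample object is the questioner's manifest, re-encoded as JSON by hand; the function name is my own.

```python
import json

ANN = "nginx.ingress.kubernetes.io/"

# Constructed sample: the questioner's Ingress, trimmed to the fields the checks need.
INGRESS_FROM_QUESTION = json.loads("""
{
  "metadata": {
    "namespace": "bdf-opengie-test",
    "name": "keycloak-opengie-test-ssl",
    "annotations": {
      "nginx.ingress.kubernetes.io/auth-tls-verify-client": "on",
      "nginx.ingress.kubernetes.io/auth-tls-secret": "opengie-tls-secret",
      "nginx.ingress.kubernetes.io/auth-tls-verify-depth": "3",
      "nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream": "true"
    }
  },
  "spec": {"tls": [{"hosts": ["keycloak-opengie-test-ssl.bdf-clu4.paas.eclair.local"]}]}
}
""")


def audit_client_cert_ingress(ing):
    """Return a list of findings about the mutual-TLS settings of one Ingress object."""
    findings = []
    ann = ing.get("metadata", {}).get("annotations") or {}
    tls = ing.get("spec", {}).get("tls") or []
    # Server-side TLS: each tls entry needs a secretName (the kubectl create secret tls
    # object from the answer); without it there is no per-host certificate to attach client auth to.
    for i, entry in enumerate(tls):
        if not entry.get("secretName"):
            findings.append(f"spec.tls[{i}] has no secretName (hosts={entry.get('hosts')})")
    verify = ann.get(ANN + "auth-tls-verify-client", "off")
    if verify in ("on", "optional", "optional_no_ca"):
        if not tls:
            findings.append("auth-tls-verify-client is set but spec.tls is empty")
        ca = ann.get(ANN + "auth-tls-secret")
        if not ca:
            findings.append("auth-tls-verify-client is set but auth-tls-secret is missing")
        elif ca.count("/") != 1:
            # ingress-nginx expects namespace/name here; the secret must carry a ca.crt key.
            findings.append(f"auth-tls-secret {ca!r} is not in namespace/name form")
    depth = ann.get(ANN + "auth-tls-verify-depth")
    if depth is not None and not (depth.isdigit() and int(depth) >= 1):
        findings.append(f"auth-tls-verify-depth {depth!r} is not a positive integer")
    return findings
```

Run it against `kubectl get ingress -n <namespace> <name> -o json` output to get a one-shot list of why client-certificate prompting would never be enabled for that host.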