Enabling client certificate passthrough without validation

4/8/2019

I'm trying to configure nginx-ingress for Kubernetes so that the client certificate is passed on to the backend service without validation.

Due to customer requests we are using client certificates for authentication but the certificates are not signed by the server and as such it's not really our job to validate the certificate, only to check that it is on the allowed certificates list.

Things work well on our test server, where we use certificates signed by the server's CA certificate, but after setting

nginx.ingress.kubernetes.io/auth-tls-verify-client: "off"

the client certificate is no longer forwarded in the request header even though we still have

nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"

Does nginx-ingress even allow passing through client certificates without validation?

I expected that disabling auth-tls-verify-client would just stop nginx-ingress from validating the certificate signature and still pass it through, but instead it disappeared from the request.

-- Lasse Kulmala
kubernetes
nginx-ingress

0 Answers
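
The backend-side allowlist check the question describes, as an added example that is not part of the original post: it pins certificates by SHA-256 fingerprint instead of validating a CA chain. It assumes the ingress forwards the certificate as URL-encoded PEM in a request header (ingress-nginx documents `ssl-client-cert` for this); the function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprint_from_header(header_value):
    """Return the SHA-256 hex fingerprint of the first certificate in a
    URL-encoded PEM header value, or None if it cannot be parsed."""
    if not header_value:
        return None
    match = PEM_RE.search(unquote(header_value))
    if match is None:
        return None
    try:
        # Hash the DER bytes, not the PEM text, so line wrapping and
        # whitespace differences do not change the fingerprint.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:
        return None
    return hashlib.sha256(der).hexdigest() if der else None


def is_allowed(header_value, allowed_fingerprints):
    """Fail closed: a missing or malformed header is never allowed."""
    fp = fingerprint_from_header(header_value)
    if fp is None:
        return False
    # compare_digest avoids leaking how many leading characters matched.
    return any(hmac.compare_digest(fp, a.lower()) for a in allowed_fingerprints)


# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_HEADER = quote(SAMPLE_PEM)  # header value as the backend would receive it
ALLOWED = {hashlib.sha256(SAMPLE_DER).hexdigest()}

if __name__ == "__main__":
    print(is_allowed(SAMPLE_HEADER, ALLOWED))
```

A fingerprint taken from a header is only as trustworthy as the path that set it: the backend should accept traffic only from the ingress, and the ingress must overwrite any copy of the header sent by the client.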