-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When using auth-tls-secret, ssl_verify_depth might also be needed #110
Comments
While we're on the subject (i wasn't able to get this to work yet with the native ingress annotations - it seems like this is not officially supported yet) i'd like to configure @euank - do you know what key in the secret needs to contain the CA chain? I tried getting it to work with |
@pieterlange you need to specify one secret with 3 keys:
I need to add an example (before the release) |
I know - my problem here is that i'm actually validating the client certs against a different CA then is configured at the TLS section of the ingress - so i'm unsure what to add in the |
@pieterlange I'm using this currently and it's working for me. I entered the same values for tls.crt and tls.key as ca.crt. I'm also using a separate secret for tls auth with different certs. tls.crt and tls.key are ignored. The only change I had to make was the verify depth (which I just hardcoded over here: https://github.com/euank/ingress/tree/verify-depth-2). My ingress looks something like this: apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: test-ingress-auth
annotations:
ingress.kubernetes.io/auth-tls-secret: "default/auth-ca-chain"
spec:
tls:
- hosts:
- test.auth.host
secretName: test.auth.host-le-cert
rules:
- host: test.auth.host
http:
paths:
- path: "/"
backend:
serviceName: echoheaders-x
servicePort: 80 And then my secret: apiVersion: v1
kind: Secret
metadata:
name: auth-ca-chain
data:
tls.key: $data
tls.crt: $data
ca.crt: $data Where my $data is a base64 encoding of
|
I don't know if this is a good behaviour, of setting tls.key and tls.crt also for a secret containing only CAs accepted in mutual authentication. Maybe using a separate opaque secret wouldn't be better? |
Hi @euank
Was the "ca.crt" the root CA, and tls.key and tls.crt the intermediate one? Or did you combine into the ca.crt both the root and intermediate CA? Thanks! |
The
ssl_verify_depth
option will have to be set for many configurations. Typically, it should be set to a value equal to the length of the certificate chain.The default of 1 works fine if the certificate infrastructure only includes a root + client certs.
However, many configurations will include a root and intermediate and sign client certs with the intermediate. In that case, the default of 1 will result in an unworking setup.
I think our options are:
1 seems like a good idea. There might be some configurations where this new proposed default ends up being wrong and we obviously need to be careful about fiddling with client-cert related options, but none come to mind immediately.
The text was updated successfully, but these errors were encountered: