NGINX Ingress controller, SSL and optional_no_ca

I have obtained a cert from name.com.

➜ tree .     
.
├── ca.crt
├── vpk.crt
├── vpk.csr
└── vpk.key

How I created the secrets

I added ca.crt content at the end of vpk.crt file.

(⎈ | vpk-dev-eks:argocd)
➜ k create secret tls tls-secret --cert=vpk.crt --key=vpk.key --dry-run -o yaml | kubectl apply -f -

(⎈ | vpk-dev-eks:argocd)
➜ kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt --dry-run -o yaml | kubectl apply -f -

This is my ingress:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: websockets-ingress
  namespace: development
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    # Enable client certificate authentication
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional_no_ca"
    # Create the secret containing the trusted ca certificates
    nginx.ingress.kubernetes.io/auth-tls-secret: "development/ca-secret"
    # Specify the verification depth in the client certificates chain
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Specify if certificates are passed to upstream server
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    argocd.argoproj.io/sync-wave: "10"
spec:
  tls:
    - hosts:
      - backend-dev.project.com
      secretName: tls-secret
  rules:
  - host: backend-dev.project.com
    http:
      paths:
      - path: /ws/
        backend:
          serviceName: websockets-service
          servicePort: 443

The cert is properly validated, I can connect via various CLI WebSocket clients and https://www.ssllabs.com/ssltest gives me "A+".

However, if I set

nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"

then everything stops working and I get a 400 error on the nginx ingress controller side (POD logs).

I am confused by the official docs:

The optional_no_ca parameter (1.3.8, 1.2.5) requests the client certificate but does not require it to be signed by a trusted CA certificate. This is intended for the use in cases when a service that is external to nginx performs the actual certificate verification. The contents of the certificate are accessible through the $ssl_client_cert variable.

So what exactly is "optional_no_ca" doing, and why does "on" fail the requests?

optional_no_ca does the optional client certificate validation and it does not fail the request when the client certificate is not signed by the CAs from auth-tls-secret. Even after specifying the optional_no_ca parameter, it is necessary to provide the client certificate. As mentioned in the document, the actual certificate verification is done by a service that is external to Nginx.

When you set nginx.ingress.kubernetes.io/auth-tls-verify-client: on, it requests a client certificate that must be signed by a certificate that is included in the secret key ca.crt of the secret specified by nginx.ingress.kubernetes.io/auth-tls-secret: secretName.

If not so, then certificate verification will fail and result in a status code 400 (Bad Request). Check this for further information.
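To make the difference concrete, here is an added example (constructed for this page, not code from the question, the answer or ingress-nginx) that reproduces with openssl(1) the check the controller applies for auth-tls-verify-client "on" versus "optional_no_ca": a CA-signed client certificate passes the "on" check, a self-signed one only passes the "optional_no_ca" check. The CA and client names (demo-ca, good-client, rogue-client) and the config file are made up for the demo.

```shell
#!/bin/sh
# Constructed example: emulate ingress-nginx client-cert checks with openssl.
# demo-ca / good-client / rogue-client are made-up names; everything is
# written to a temporary directory that is removed on exit.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"

# Minimal config so the throwaway CA carries CA:TRUE (needed for chain checks).
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
EOF

# Throwaway CA: plays the role of ca.crt inside the ca-secret.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$CFG" \
  -subj "/CN=demo-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Client certificate signed by that CA: what "on" requires.
openssl req -new -newkey rsa:2048 -nodes -config "$CFG" -subj "/CN=good-client" \
  -keyout "$WORK/good.key" -out "$WORK/good.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/good.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/good.crt" 2>/dev/null

# Self-signed client certificate: parses fine, but no trusted CA signed it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$CFG" \
  -subj "/CN=rogue-client" -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null

# "on": the chain must validate against ca.crt within auth-tls-verify-depth (1).
# Prints pass/fail so callers can compare the result.
verify_like_on() {
  if openssl verify -CAfile "$WORK/ca.crt" -verify_depth 1 "$1" >/dev/null 2>&1
  then echo pass; else echo fail; fi
}

# optional_no_ca: nginx only needs a certificate that parses; whether its issuer
# is trusted must be decided by the upstream that receives the forwarded PEM.
verify_like_optional_no_ca() {
  if openssl x509 -in "$1" -noout 2>/dev/null; then echo pass; else echo fail; fi
}
printf 'on,  signed client: %s\n' "$(verify_like_on "$WORK/good.crt")"
printf 'on,  self-signed:   %s\n' "$(verify_like_on "$WORK/rogue.crt")"
printf 'optional_no_ca, self-signed: %s\n' "$(verify_like_optional_no_ca "$WORK/rogue.crt")"
```

A client that presents no certificate at all (a browser, ssllabs, most WebSocket CLIs) is what turns "on" into a 400 on the ingress; with optional_no_ca the upstream must run the equivalent of verify_like_on itself before trusting anything in the forwarded certificate.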
