Tuesday, April 27, 2021

Use a separate cert for each domain with nginx ingress in Kubernetes

We have an nginx ingress controller terminating HTTPS and forwarding to backend services in Kubernetes. We want the domain abc.com to be served with abc.com's certificate and the domain xyz.com with xyz.com's certificate.

Step 1: Create TLS Secrets

Anytime we reference a TLS secret, we mean a PEM-encoded X.509, RSA (2048) secret.

You can generate a self-signed certificate and private key with:

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout abc.key -out abc.cer -subj "/CN=abc.com/O=abc.com"

Then create the secret in the cluster via:

$ kubectl create secret tls abc --key abc.key --cert abc.cer

The resulting secret will be of type kubernetes.io/tls.

Repeat the same two commands for the xyz.com domain (using xyz.com as the CN) so that a second TLS secret, named xyz, exists in the cluster.

Step 2: Add ingress resource

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    # The auth-tls annotations below come from the referenced client-certs
    # example and are optional for per-domain server certificates; they
    # require the secret "default/ca-secret" to exist, otherwise drop them.
    # Enable client certificate authentication
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # Create the secret containing the trusted ca certificates
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
    # Specify the verification depth in the client certificates chain
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    # Specify an error page to be redirected to verification errors
    nginx.ingress.kubernetes.io/auth-tls-error-page: "http://www.mysite.com/error-cert.html"
    # Specify if certificates are passed to upstream server
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
  name: nginx-test
  namespace: default
spec:
  rules:
  - host: abc.com
    http:
      paths:
      - backend:
          serviceName: http-svc
          servicePort: 80
        path: /
  - host: xyz.com
    http:
      paths:
      - backend:
          serviceName: http-svc
          servicePort: 80
        path: /
  tls:
  # One tls entry per domain: ingress-nginx selects the secret by the SNI
  # name the client sends, so abc.com is served with the "abc" certificate
  # and xyz.com with the "xyz" certificate.
  - hosts:
    - abc.com
    secretName: abc
  - hosts:
    - xyz.com
    secretName: xyz

Ref: https://kubernetes.github.io/ingress-nginx/examples/auth/client-certs/
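A common mistake with this setup is routing a host under spec.rules without giving it an entry under spec.tls; ingress-nginx then still answers on 443 for that name, but with its default certificate (the "Kubernetes Ingress Controller Fake Certificate" unless --default-ssl-certificate is configured). The following check, an added example that is not part of the original post, walks an Ingress manifest (the post's Ingress extended with xyz.com and a deliberately unlisted www.xyz.com, represented as a Python dict so no YAML library is needed) and reports every host that would not get its own certificate:

```python
from typing import Dict, List

# Constructed sample: the post's Ingress with xyz.com added and one extra
# host, www.xyz.com, that is routed but has no spec.tls entry.
INGRESS = {
    "apiVersion": "networking.k8s.io/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "nginx-test", "namespace": "default"},
    "spec": {
        "rules": [
            {"host": "abc.com", "http": {"paths": [{"path": "/"}]}},
            {"host": "xyz.com", "http": {"paths": [{"path": "/"}]}},
            {"host": "www.xyz.com", "http": {"paths": [{"path": "/"}]}},
        ],
        "tls": [
            {"hosts": ["abc.com"], "secretName": "abc"},
            {"hosts": ["xyz.com"], "secretName": "xyz"},
        ],
    },
}


def host_to_secret(ingress: Dict) -> Dict[str, str]:
    """Map each host under spec.tls to the secret whose certificate
    ingress-nginx presents when a client sends that name via SNI."""
    mapping: Dict[str, str] = {}
    for entry in ingress.get("spec", {}).get("tls", []):
        for host in entry.get("hosts", []):
            mapping[host] = entry.get("secretName")
    return mapping


def check_ingress_tls(ingress: Dict) -> List[str]:
    """Return findings; an empty list means every routed host has exactly
    one tls entry backed by a named secret."""
    findings: List[str] = []
    spec = ingress.get("spec", {})
    routed = [r["host"] for r in spec.get("rules", []) if "host" in r]
    seen: Dict[str, int] = {}
    for entry in spec.get("tls", []):
        if not entry.get("secretName"):
            findings.append(f"tls entry for {entry.get('hosts')} has no secretName")
        for host in entry.get("hosts", []):
            seen[host] = seen.get(host, 0) + 1
    for host, count in seen.items():
        if count > 1:
            findings.append(f"{host} appears in {count} tls entries; only one secret can be served for it")
        if host not in routed:
            findings.append(f"{host} has a tls entry but no rule")
    for host in routed:
        if host not in seen:
            findings.append(f"{host} is routed but has no tls entry: served with the controller's default certificate")
    return findings
```

Run it against the manifest before applying it; the only finding for the sample above is the www.xyz.com host, which would silently be served with the default certificate.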
