Commit a95499f

Add IngressMTLS policy support
1 parent fd0eb74 commit a95499f

26 files changed: +1008 -42 lines changed

deployments/common/policy-definition.yaml

+10
@@ -53,6 +53,16 @@ spec:
5353
type: array
5454
items:
5555
type: string
56+
ingressMTLS:
57+
description: IngressMTLS defines an Ingress MTLS policy.
58+
type: object
59+
properties:
60+
clientCertSecret:
61+
type: string
62+
verifyClient:
63+
type: string
64+
verifyDepth:
65+
type: integer
5666
jwt:
5767
description: JWTAuth holds JWT authentication configuration.
5868
type: object
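Review bot: the `ingressMTLS` properties at new lines 60-65 carry no constraints, so structural validation accepts any string for `verifyClient`, any integer for `verifyDepth`, and a policy with no `clientCertSecret` at all. The reference documentation added in this commit lists exactly four values for `verifyClient` (`on`, `off`, `optional`, `optional_no_ca`) and marks `clientCertSecret` as required; consider expressing that in the schema with an `enum`, a `minimum: 0` on `verifyDepth` and a `required` list, so a mistyped value is rejected when the Policy is created.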

deployments/helm-chart/crds/policy.yaml

+10
@@ -55,6 +55,16 @@ spec:
5555
type: array
5656
items:
5757
type: string
58+
ingressMTLS:
59+
description: IngressMTLS defines an Ingress MTLS policy.
60+
type: object
61+
properties:
62+
clientCertSecret:
63+
type: string
64+
verifyClient:
65+
type: string
66+
verifyDepth:
67+
type: integer
5868
jwt:
5969
description: JWTAuth holds JWT authentication configuration.
6070
type: object
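Review bot: the `ingressMTLS` block at new lines 58-67 is a second copy of the one in deployments/common/policy-definition.yaml, so any constraint added to one of them (an `enum` on `verifyClient`, for example) has to be mirrored in the other, or Helm installs and manifest installs will validate the same Policy differently. A short comment naming which file is the source of truth would help keep them in step.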

docs-web/configuration/policy-resource.md

+59-1
@@ -20,6 +20,8 @@ This document is the reference documentation for the Policy resource. An example
2020
- [RateLimit Merging Behavior](#ratelimit-merging-behavior)
2121
- [JWT](#jwt)
2222
- [JWT Merging Behavior](#jwt-merging-behavior)
23+
- [IngressMTLS](#ingressmtls)
24+
- [IngressMTLS Merging Behavior](#ingressmtls-merging-behavior)
2325
- [Using Policy](#using-policy)
2426
- [Validation](#validation)
2527
- [Structural Validation](#structural-validation)
@@ -59,10 +61,14 @@ spec:
5961
- The rate limit policy controls the rate of processing requests per a defined key.
6062
- `rateLimit <#ratelimit>`_
6163
- No*
62-
* - ``JWT``
64+
* - ``jwt``
6365
- The JWT policy configures NGINX Plus to authenticate client requests using JSON Web Tokens.
6466
- `jwt <#jwt>`_
6567
- No*
68+
* - ``ingressMTLS``
69+
- The IngressMTLS policy configures client certificate verification.
70+
- `ingressMTLS <#ingressmtls>`_
71+
- No*
6672
```
6773
6874
\* A policy must include exactly one policy.
@@ -244,6 +250,58 @@ policies:
244250
```
245251
In this example the Ingress Controller will use the configuration from the first policy reference `jwt-policy-one`, and ignores `jwt-policy-two`.
246252

253+
### IngressMTLS
254+
255+
The IngressMTLS policy configures client certificate verification.
256+
257+
For example, the following policy will verify a client certificate using the CA certificate specified in the `ingress-mtls-secret`:
258+
```yaml
259+
ingressMTLS:
260+
clientCertSecret: ingress-mtls-secret
261+
verifyClient: on
262+
verifyDepth: 1
263+
```
264+
265+
A VirtualServer that references an IngressMTLS policy must:
266+
* Enable [TLS termination](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserver-tls).
267+
* Reference the policy in the VirtualServer [`spec`](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserver-specification). It is not allowed to reference an IngressMTLS policy in a [`route `](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserver-route) or in a VirtualServerRoute [`subroute`](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserverroute-subroute).
268+
269+
If the conditions above are not met, NGINX will send `500` error response to clients.
270+
271+
> Note: The feature is implemented using the NGINX [ngx_http_ssl_module](https://nginx.org/en/docs/http/ngx_http_ssl_module.html).
272+
273+
```eval_rst
274+
.. list-table::
275+
:header-rows: 1
276+
277+
* - Field
278+
- Description
279+
- Type
280+
- Required
281+
* - ``clientCertSecret``
282+
- The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The certificate must be stored in the secret under the key ``ca.crt``, otherwise the secret will be rejected as invalid.
283+
- ``string``
284+
- Yes
285+
* - ``verifyClient``
286+
- Verification for the client. Possible values are ``on``, ``off``, ``optional``, ``optional_no_ca``. The default is ``on``.
287+
- ``string``
288+
- No
289+
* - ``verifyDepth``
290+
- Sets the verification depth in the client certificates chain. The default is ``1``.
291+
- ``int``
292+
- No
293+
```
294+
295+
#### IngressMTLS Merging Behavior
296+
297+
A VirtualServer can reference only a single IngressMTLS policy. Every subsequent reference will be ignored. For example, here we reference two policies:
298+
```yaml
299+
policies:
300+
- name: ingress-mtls-policy-one
301+
- name: ingress-mtls-policy-two
302+
```
303+
In this example the Ingress Controller will use the configuration from the first policy reference `ingress-mtls-policy-one`, and ignores `ingress-mtls-policy-two`.
304+
247305
## Using Policy
248306

249307
You can use the usual `kubectl` commands to work with Policy resources, just as with built-in Kubernetes resources.
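Review bot: the `verifyClient` row at new line 286 lists `optional` and `optional_no_ca` next to `on` without saying how they differ, so a reader cannot tell from this page which values make a verified client certificate mandatory. Add a one-line description per value, or point the row at the ngx_http_ssl_module link already used in the note at new line 271. Minor: the link text at new line 267 reads [`route `] with a trailing space inside the backticks.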
@@ -0,0 +1,74 @@
1+
# Ingress MTLS
2+
3+
In this example, we deploy a web application, configure load balancing for it via a VirtualServer, and apply an Ingress MTLS policy.
4+
5+
## Prerequisites
6+
7+
1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) instructions to deploy the Ingress Controller.
8+
1. Save the public IP address of the Ingress Controller into a shell variable:
9+
```
10+
$ IC_IP=XXX.YYY.ZZZ.III
11+
```
12+
1. Save the HTTP port of the Ingress Controller into a shell variable:
13+
```
14+
$ IC_HTTPS_PORT=<port number>
15+
```
16+
17+
## Step 1 - Deploy a Web Application
18+
19+
Create the application deployment and service:
20+
```
21+
$ kubectl apply -f webapp.yaml
22+
```
23+
24+
## Step 2 - Deploy the Ingress MLTS Secret
25+
26+
Create a secret with the name `ingress-mtls-secret` that will be used for Ingress MTLS validation:
27+
```
28+
$ kubectl apply -f ingress-mtls-secret.yaml
29+
```
30+
31+
## Step 3 - Deploy the Ingress MTLS Policy
32+
33+
Create a policy with the name `ingress-mtls-policy` that references the secret from the previous step:
34+
```
35+
$ kubectl apply -f ingress-mtls.yaml
36+
```
37+
38+
## Step 4 - Configure Load Balancing and TLS Termination
39+
1. Create the secret with the TLS certificate and key:
40+
```
41+
$ kubectl create -f tls-secret.yaml
42+
```
43+
44+
2. Create a VirtualServer resource for the web application:
45+
```
46+
$ kubectl apply -f virtual-server.yaml
47+
```
48+
49+
Note that the VirtualServer references the policy `ingress-mtls-policy` created in Step 3.
50+
51+
## Step 5 - Test the Configuration
52+
53+
If you attempt to access the application without providing a valid Client certificate and key, NGINX will reject your requests for that VirtualServer:
54+
```
55+
$ curl --insecure --resolve webapp.example.com:$IC_HTTPS_PORT:$IC_IP https://webapp.example.com:$IC_HTTPS_PORT/
56+
<html>
57+
<head><title>400 No required SSL certificate was sent</title></head>
58+
<body>
59+
<center><h1>400 Bad Request</h1></center>
60+
<center>No required SSL certificate was sent</center>
61+
<hr><center>nginx/1.19.1</center>
62+
</body>
63+
</html>
64+
```
65+
66+
If you provide a valid Client certificate and key, your request will succeed:
67+
```
68+
$ curl --insecure --resolve webapp.example.com:$IC_HTTPS_PORT:$IC_IP https://webapp.example.com:$IC_HTTPS_PORT/ --cert ./client-cert.pem --key ./client-key.pem
69+
Server address: 10.244.0.8:8080
70+
Server name: webapp-7c6d448df9-9ts8x
71+
Date: 23/Sep/2020:07:18:52 +0000
72+
URI: /
73+
Request ID: acb0f48057ccdfd250debe5afe58252a
74+
```
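Review bot: prerequisite 3 at new line 12 says "Save the HTTP port" but sets `IC_HTTPS_PORT`, which the Step 5 `curl` commands use in `https://` URLs, so the text should read "HTTPS port". The Step 2 heading at new line 24 also has a typo, "MLTS" for "MTLS". Step 5 covers a request with no certificate and one with a valid certificate; a third case, with a certificate that was not issued by the CA in `ingress-mtls-secret`, would show that the policy enforces verification and not just the presence of a certificate.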
@@ -0,0 +1,20 @@
1+
-----BEGIN CERTIFICATE-----
2+
MIIDRDCCAiwCAQEwDQYJKoZIhvcNAQELBQAwgY0xCzAJBgNVBAYTAlVTMQswCQYD
3+
VQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzEOMAwGA1UECgwFTkdJTlgx
4+
DDAKBgNVBAsMA0tJQzEWMBQGA1UEAwwNa2ljLm5naW54LmNvbTEjMCEGCSqGSIb3
5+
DQEJARYUa3ViZXJuZXRlc0BuZ2lueC5jb20wHhcNMjAwOTE4MjAyNzE1WhcNMzAw
6+
OTE2MjAyNzE1WjBCMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcM
7+
DVNhbiBGcmFuY2lzY28xDjAMBgNVBAoMBU5HSU5YMIIBIjANBgkqhkiG9w0BAQEF
8+
AAOCAQ8AMIIBCgKCAQEAskZK0jdmXZdjOngrtX07p7Z8xO8KiS2nGyxMMePSrjwC
9+
btNWXBj3E/fWTVZFzyZOzbmtCXH/7/u/pmz8pLxN/uYzGFMY3/Pes6DS655n2sud
10+
w+UUZAXAFY3w/y6bO35YY+KM3WmV7e26t09IRFafpQJ8cOK2t1U6qKnAMR32Fcd1
11+
UqGZbUWUmKs3idMvQKokCPuJX0UE91diz4nKPmhpTbTxfnQ8IsKzhUCmZtY5/eTq
12+
lB/2FHKPGpjGnUcuBC28Erew3xk8dL554XI++oAxjrnQbNQBu0/LXCbsvdf3IAJA
13+
7KxFbP5Ky66BVEZTnRl6ZAFOfQ/x5TisvmKpKGnWQwIDAQABMA0GCSqGSIb3DQEB
14+
CwUAA4IBAQAPIizrylHuoo/lQS6wJvw5J2F+2j308W/wIcCdaPUE7BMwKV/rwDbL
15+
eYWXdmp/9Str2JbrRpggh9/PFsOTGVWrX7jNYK/VCAwoPmczxPmmbPHgu90MPEMa
16+
iGLcTo3NG4IU6bMTFoDR9qkTte4cD9mexyFhEPDU5/uj02+kxU0IpGLhniXrRXbh
17+
I8iSAW6F2x1/pQcQSgsIkvef5t1RYOAapj/y9PLOE4dv7QMhgQpaKu0ASM9IeHz8
18+
uNSxlAvZeoQvJrFKGVLZlmM7SHC2p5rpJkMfjecpr6yHVGkkTnLXwOB2EFtcL0K+
19+
Sp83Sm5XIgP5KeC9F4H5JWI5vPQIYCPj
20+
-----END CERTIFICATE-----
@@ -0,0 +1,28 @@
1+
-----BEGIN PRIVATE KEY-----
2+
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyRkrSN2Zdl2M6
3+
eCu1fTuntnzE7wqJLacbLEwx49KuPAJu01ZcGPcT99ZNVkXPJk7Nua0Jcf/v+7+m
4+
bPykvE3+5jMYUxjf896zoNLrnmfay53D5RRkBcAVjfD/Lps7flhj4ozdaZXt7bq3
5+
T0hEVp+lAnxw4ra3VTqoqcAxHfYVx3VSoZltRZSYqzeJ0y9AqiQI+4lfRQT3V2LP
6+
ico+aGlNtPF+dDwiwrOFQKZm1jn95OqUH/YUco8amMadRy4ELbwSt7DfGTx0vnnh
7+
cj76gDGOudBs1AG7T8tcJuy91/cgAkDsrEVs/krLroFURlOdGXpkAU59D/HlOKy+
8+
YqkoadZDAgMBAAECggEBAIqyvYuHppCyM3VOAVOWN09oXvIouB258wTlFfLKuSLt
9+
dUccDVhh4/kZHRXWRUHBIBZWmxV6KBFh391vdbAFAPmLx7zpCbVTWrSOLws5lrtX
10+
J0s9cvvOrX8Xi6Q9cnB6//HWVJn+h7Mw/c+YUzU338TVhlOdT2KbYKPQTcLo+Ig/
11+
9VbN6f8PBnORXATbNLBXL9fZY77UVBsz0ZuUrknL3psGG/W7ys/hEKNUAvvjamm9
12+
m4JIp4Be2VjrrygnlbMnVqWpak2ZKoc/vly0Mb1Be/jO79sY8ztTM16MbxKV8wXX
13+
6hvuwnvBLIroVPV3m0Z3DTZnNROs4UEdXGz/nFOj7EECgYEA4WE7jbSPs5ZEcssf
14+
pU18E5Xw7BZU6f1rOhwWJnPOPaAgynFXm+SzwqAmWGtXEChaXfAH2f6pi9MEtcFR
15+
lrRH3IrZ0VlJgI2hoNjhn5Es11/kCZ91wLMP8Zjtx4hUSblJSitc4yNIHOAB6cqp
16+
0sQ22UVdv2NvpPsTx30hBreUYxsCgYEAyn66QB0UuV9OnE5wvAoit2Kq4UkO26gL
17+
OTuA7Ov9W/vMjRgy74MlIVqGlNYXACfhze6Py94pw8xDOxMnd+NnTNF4nTFnlQUL
18+
lpiby/f664NkAI0ZGJVXaiv6W3VkzSyBvEYTUrsfeU/3D5sPjlUrEikUfTtQ3ezS
19+
d22o+c5mY/kCgYBBPoCa+RZQisOt55d1pwSwNsvTzHMweag83jybTRL7TAuyDzWp
20+
b3+KbAottoUxrDzczMu5E7vJOoE2jIwt8GqNMbT0ocBhcp7DjYVjSAePIbdGAd94
21+
tV18NyU+ify8iuLokb0GFASgN0jWgVDALwUhyK7m5MZBIF4Nde/Fngda2QKBgEje
22+
kefAj1SmF4PoNml0vEmCGDw6Lj6dmmxeHWclBWe0lUexDaNjblkyWnv1DxHfSELz
23+
NowGxsDPIOKBYhKiounh96WZwcy+pAztniMoegOGpNYN8JoIJAzxBocjF8M94PH/
24+
xbRf4lOlkyLqig6OV5GRdu4aCl/SeWrA6635uJ8BAoGAWDX26ve1vlX8frKtcdfP
25+
JZue3RdqfmD1uK6XQ2D+MtQc9M6WTD+vYZZRweFZ0W308fFHnIDli3qwWHUAX2HF
26+
LM7BW2EapaZ7NBkQvBo/fMUedrTOUIE867hgb8ujGYZPBKHIBwf2fVdsliMiyrpI
27+
n2TgZVY82cjWxA8olS8QcRA=
28+
-----END PRIVATE KEY-----
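Review bot: the file added here is an unencrypted private key (`-----BEGIN PRIVATE KEY-----`) checked into the repository, and nothing in the hunk marks it as a throwaway fixture. If this is the `client-key.pem` that the README passes to `curl --key`, say in the README that the key pair is public and for this example only, or replace the committed files with the commands that generate them.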
@@ -0,0 +1,7 @@
1+
kind: Secret
2+
metadata:
3+
name: ingress-mtls-secret
4+
apiVersion: v1
5+
type: Opaque
6+
data:
7+
ca.crt: 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
@@ -0,0 +1,9 @@
1+
apiVersion: k8s.nginx.org/v1alpha1
2+
kind: Policy
3+
metadata:
4+
name: ingress-mtls-policy
5+
spec:
6+
ingressMTLS:
7+
clientCertSecret: ingress-mtls-secret
8+
verifyClient: on
9+
verifyDepth: 1
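Review bot: `verifyClient: on` at new line 8 is unquoted, and a bare `on` is a boolean in YAML 1.1, while the CRD in this commit declares `verifyClient` as `type: string`. Write `verifyClient: "on"` so the value reaches validation as a string; the same applies to the sample in docs-web/configuration/policy-resource.md.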
@@ -0,0 +1,8 @@
1+
apiVersion: v1
2+
kind: Secret
3+
metadata:
4+
name: tls-secret
5+
type: Opaque
6+
data:
7+
tls.crt: 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
8+
tls.key: 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
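Review bot: `type: Opaque` at new line 5 is used for a secret whose keys are `tls.crt` and `tls.key`; Kubernetes has a dedicated `kubernetes.io/tls` type for exactly this pair, and with it the API server rejects the secret if either key is missing. Unless the controller requires `Opaque`, prefer `type: kubernetes.io/tls`.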
@@ -0,0 +1,18 @@
1+
apiVersion: k8s.nginx.org/v1
2+
kind: VirtualServer
3+
metadata:
4+
name: webapp
5+
spec:
6+
host: webapp.example.com
7+
tls:
8+
secret: tls-secret
9+
policies:
10+
- name: ingress-mtls-policy
11+
upstreams:
12+
- name: webapp
13+
service: webapp-svc
14+
port: 80
15+
routes:
16+
- path: /
17+
action:
18+
pass: webapp
@@ -0,0 +1,32 @@
1+
apiVersion: apps/v1
2+
kind: Deployment
3+
metadata:
4+
name: webapp
5+
spec:
6+
replicas: 1
7+
selector:
8+
matchLabels:
9+
app: webapp
10+
template:
11+
metadata:
12+
labels:
13+
app: webapp
14+
spec:
15+
containers:
16+
- name: webapp
17+
image: nginxdemos/nginx-hello:plain-text
18+
ports:
19+
- containerPort: 8080
20+
---
21+
apiVersion: v1
22+
kind: Service
23+
metadata:
24+
name: webapp-svc
25+
spec:
26+
ports:
27+
- port: 80
28+
targetPort: 8080
29+
protocol: TCP
30+
name: http
31+
selector:
32+
app: webapp
