
Add IngressMTLS policy support #1166


Merged
merged 5 commits into from
Oct 1, 2020
Changes from 2 commits
10 changes: 10 additions & 0 deletions deployments/common/policy-definition.yaml
Expand Up @@ -53,6 +53,16 @@ spec:
type: array
items:
type: string
ingressMTLS:
description: IngressMTLS defines an Ingress MTLS policy.
type: object
properties:
clientCertSecret:
type: string
verifyClient:
type: string
verifyDepth:
type: integer
jwt:
description: JWTAuth holds JWT authentication configuration.
type: object
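Review bot: `verifyClient` is declared as a bare `type: string` and `verifyDepth` as a bare `type: integer`, so the schema accepts any string and any depth, including a negative one. The documentation added in this PR lists four valid values for `verifyClient`; adding `enum: ["on", "off", "optional", "optional_no_ca"]` and `minimum: 0` here would reject a typo when the resource is created. `clientCertSecret` is documented as required, but there is no `required:` list under `ingressMTLS`.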
10 changes: 10 additions & 0 deletions deployments/helm-chart/crds/policy.yaml
Expand Up @@ -55,6 +55,16 @@ spec:
type: array
items:
type: string
ingressMTLS:
description: IngressMTLS defines an mTLS policy for the ingress side.
type: object
properties:
clientCertSecret:
type: string
verifyClient:
type: string
verifyDepth:
type: integer
jwt:
description: JWTAuth holds JWT authentication configuration.
type: object
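Review bot: the `description` on `ingressMTLS` in this copy ("IngressMTLS defines an mTLS policy for the ingress side.") differs from the one in deployments/common/policy-definition.yaml ("IngressMTLS defines an Ingress MTLS policy."), although the properties are identical. If both files are meant to carry the same CRD, one of them is stale and the two should be brought back in sync. As in that file, `verifyClient` and `verifyDepth` carry no `enum` or `minimum` constraint, and `clientCertSecret` is not listed as required.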
52 changes: 52 additions & 0 deletions docs-web/configuration/policy-resource.md
Expand Up @@ -20,6 +20,8 @@ This document is the reference documentation for the Policy resource. An example
- [RateLimit Merging Behavior](#ratelimit-merging-behavior)
- [JWT](#jwt)
- [JWT Merging Behavior](#jwt-merging-behavior)
- [IngressMTLS](#ingressmtls)
- [IngressMTLS Merging Behavior](#ingressmtls-merging-behavior)
- [Using Policy](#using-policy)
- [Validation](#validation)
- [Structural Validation](#structural-validation)
Expand Down Expand Up @@ -63,6 +65,10 @@ spec:
- The JWT policy configures NGINX Plus to authenticate client requests using JSON Web Tokens.
- `jwt <#jwt>`_
- No*
* - ``IngressMTLS``
- The IngressMTLS policy controls client verification.
- `ingressMTLS <#ingressmtls>`_
- No*
```

\* A policy must include exactly one policy.
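Review bot: the description "controls client verification" in the new `IngressMTLS` row does not say what is verified, and the section added further down in this file says "client validation" instead. Suggest one wording in both places that names the mechanism, for example "configures client certificate verification".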
Expand Down Expand Up @@ -244,6 +250,52 @@ policies:
```
In this example the Ingress Controller will use the configuration from the first policy reference `jwt-policy-one`, and ignores `jwt-policy-two`.

### IngressMTLS

The IngressMTLS policy controls client validation.

For example, the following policy will verify a client using the CA certificate specified in the `ingress-mtls-secret`:
```yaml
ingressMTLS:
clientCertSecret: ingress-mtls-secret
verifyClient: "on"
verifyDepth: 1
```

> Note: The feature is implemented using the NGINX [ngx_http_ssl_module](https://nginx.org/en/docs/http/ngx_http_ssl_module.html).

```eval_rst
.. list-table::
:header-rows: 1

* - Field
- Description
- Type
- Required
* - ``clientCertSecret``
- The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The certificate must be stored in the secret under the key ``ca.crt``, otherwise the secret will be rejected as invalid.
- ``string``
- Yes
* - ``verifyClient``
- Verification for the client. Possible values are ``on``, ``off``, ``optional``, ``optional_no_ca``
- ``string``
- No
* - ``verifyDepth``
- Sets the verification depth in the client certificates chain.
- ``int``
- No
```

#### IngressMTLS Merging Behavior

A VirtualServer/VirtualServerRoute can reference multiple IngressMTLS policies. However, only one can be applied. Every subsequent reference will be ignored. For example, here we reference two policies:
```yaml
policies:
- name: ingress-mtls-policy-one
- name: ingress-mtls-policy-two
```
In this example the Ingress Controller will use the configuration from the first policy reference `ingress-mtls-policy-one`, and ignores `ingress-mtls-policy-two`.

## Using Policy

You can use the usual `kubectl` commands to work with Policy resources, just as with built-in Kubernetes resources.
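Review bot: the field table marks `verifyClient` and `verifyDepth` as optional but does not state which value applies when they are omitted, and it lists `optional` and `optional_no_ca` without explaining them. In ngx_http_ssl_module, `optional` requests a client certificate without requiring one, and `optional_no_ca` additionally does not require the certificate to be signed by a trusted CA, so only `on` enforces mutual TLS by itself. The table should document the defaults and say what each value lets through, since a reader choosing `optional_no_ca` may assume the CA in `clientCertSecret` is still being enforced.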
74 changes: 74 additions & 0 deletions examples-of-custom-resources/ingress-mtls/README.md
@@ -0,0 +1,74 @@
# Ingress MTLS

In this example, we deploy a web application, configure load balancing for it via a VirtualServer, and apply an Ingress MTLS policy.

## Prerequisites

1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) instructions to deploy the Ingress Controller.
1. Save the public IP address of the Ingress Controller into a shell variable:
```
$ IC_IP=XXX.YYY.ZZZ.III
```
1. Save the HTTP port of the Ingress Controller into a shell variable:
```
$ IC_HTTP_PORTS=<port number>
```

## Step 1 - Deploy a Web Application

Create the application deployment and service:
```
$ kubectl apply -f webapp.yaml
```

## Step 2 - Deploy the Ingress MLTS Secret

Create a secret with the name `ingress-mtls-secret` that will be used for Ingress MTLS validation:
```
$ kubectl apply -f ingress-mtls-secret.yaml
```

## Step 3 - Deploy the Ingress MTLS Policy

Create a policy with the name `ingress-mtls-policy` that references the secret from the previous step:
```
$ kubectl apply -f ingress-mtls.yaml
```

## Step 4 - Configure Load Balancing and TLS Termination
1. Create the secret with the TLS certificate and key:
```
$ kubectl create -f tls-secret.yaml
```

2. Create a VirtualServer resource for the web application:
```
$ kubectl apply -f virtual-server.yaml
```

Note that the VirtualServer references the policy `ingress-mtls-policy` created in Step 3.

## Step 5 - Test the Configuration

If you attempt to access the application without providing a valid Client certificate and key, NGINX will reject your requests for that VirtualServer:
```
$ curl --insecure --resolve webapp.example.com:$IC_HTTPS_PORT:$IC_IP https://webapp.example.com:$IC_HTTPS_PORT/
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/1.19.1</center>
</body>
</html>
```

If you provide a valid Client certificate and key, your request will succeed:
```
$ curl --insecure --resolve webapp.example.com:$IC_HTTPS_PORT:$IC_IP https://webapp.example.com:$IC_HTTPS_PORT/ --cert ./client-cert.pem --key ./client-key.pem
Server address: 10.244.0.8:8080
Server name: webapp-7c6d448df9-9ts8x
Date: 23/Sep/2020:07:18:52 +0000
URI: /
Request ID: acb0f48057ccdfd250debe5afe58252a
```
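Review bot: the Prerequisites save the HTTP port into `IC_HTTP_PORTS`, but both `curl` commands in Step 5 use `$IC_HTTPS_PORT`, which is never set, so the commands as written expand to an invalid `--resolve` argument and URL. The prerequisite should save the HTTPS port into `IC_HTTPS_PORT`. Smaller points in the same file: the Step 2 heading reads "MLTS", and Step 4 uses `kubectl create` where every other step uses `kubectl apply`.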
20 changes: 20 additions & 0 deletions examples-of-custom-resources/ingress-mtls/client-cert.pem
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
28 changes: 28 additions & 0 deletions examples-of-custom-resources/ingress-mtls/client-key.pem
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
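Review bot: this file commits a private key (`client-key.pem`) to the repository, and Step 5 of the README shows it being accepted against the CA in `ingress-mtls-secret`. Anyone who applies the example secret unchanged will therefore trust a client key that is public. The README should state that the CA, certificate and key are for demonstration only and must be replaced, or show how to generate them instead of shipping them.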
@@ -0,0 +1,7 @@
kind: Secret
metadata:
name: ingress-mtls-secret
apiVersion: v1
type: Opaque
data:
ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQvVENDQXVXZ0F3SUJBZ0lVSzdhbU14OFlLWG1BVG51SkZETDlWS2ZUR2ZNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZMHhDekFKQmdOVkJBWVRBbFZUTVFzd0NRWURWUVFJREFKRFFURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeQpZVzVqYVhOamJ6RU9NQXdHQTFVRUNnd0ZUa2RKVGxneEREQUtCZ05WQkFzTUEwdEpRekVXTUJRR0ExVUVBd3dOCmEybGpMbTVuYVc1NExtTnZiVEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVhM1ZpWlhKdVpYUmxjMEJ1WjJsdWVDNWoKYjIwd0hoY05NakF3T1RFNE1qQXlOVEkyV2hjTk16QXdPVEUyTWpBeU5USTJXakNCalRFTE1Ba0dBMVVFQmhNQwpWVk14Q3pBSkJnTlZCQWdNQWtOQk1SWXdGQVlEVlFRSERBMVRZVzRnUm5KaGJtTnBjMk52TVE0d0RBWURWUVFLCkRBVk9SMGxPV0RFTU1Bb0dBMVVFQ3d3RFMwbERNUll3RkFZRFZRUUREQTFyYVdNdWJtZHBibmd1WTI5dE1TTXcKSVFZSktvWklodmNOQVFrQkZoUnJkV0psY201bGRHVnpRRzVuYVc1NExtTnZiVENDQVNJd0RRWUpLb1pJaHZjTgpBUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmFINVRzaTZzaUFsU085dEJnYmY3VVRwcWowMUhRTlQ2UjhtQy9pCjhLYXFaSW9XSUdvN2xhTW9xTDYydTc4ay9WOHM2Z0FJaU1DSzBjekFvTFhNSnlJQkxQeTg4Yzdtc2xwZXgxTkEKVmRtMkVTVkN6bVlERE1TT3FpVmszWmpYeC9URmo2QzhNRFhhRkZUWFg1dWdtbWdscnFCWlh0OVI5VVBwVTJMNwo1bEZ0NlJ2R3VGczgvbVZORVR5c1A0SFhCWlh2ZE9mdG1YWUkvK01hOW5CMzIzNjdmcTI0L0RKZ2YvK2xRbUsxCkJLR3poSTZSc1pSSmdWOXdpK1VuZTBYNjlaS2lLOFdXU3lZS252YnRrcHZuTDA2dGNJaXJZNi80UzZ4Sm1HRVQKZEJUNmVxc0NoSUpQUStWSEp5dTROdnV6WmVCUXpGdmMwNytnUGZkVWZra1FXODhDQXdFQUFhTlRNRkV3SFFZRApWUjBPQkJZRUZKUGdhcnFYa00rdEJ0djVhdndTUWhUQmpTU2VNQjhHQTFVZEl3UVlNQmFBRkpQZ2FycVhrTSt0CkJ0djVhdndTUWhUQmpTU2VNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUIKQUl3WXpoY0s4OWtRL0xGWjZFRHgrQWp2bnJTVSs1cmdwQkgrRjVTNUUyY3pXOE5rNXhySnl0Y0ZUbUtlKzZScwpENHlxeTZSVVFEeWNYaDlPelBjbzgzYTBoeFlCZ1M5MWtJa25wYWF4dndLRDJleWc3UGNnK1lkS1FhZFlMcUY0CmI3cWVtc1FVVkpOWHdkZS9VanRBejlEOTh4dngwM2hQY2Qwb2dzUUhWZ21BZVpFd2l3UzFmTy9WNUE4dTl3MEkKcHlJRTVReXlHcHNpS2dpalpiMmhrS05RVHVJcEhiVnFydVA4eEV6TlFnamhkdS9uUW5OYy9lRUltVUlrQkFUVQpiSHdQc2xwYzVhdVV1TXJxR3lEQ0p2QUJpV3J2SmE3Yi9XcmtDT3FUWVhtR2NGM0w1ZU9FeTBhYkp0M2NNcSs5CnJLTUNVQWlkNG0yNEthWnc3OUk2anNBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
9 changes: 9 additions & 0 deletions examples-of-custom-resources/ingress-mtls/ingress-mtls.yaml
@@ -0,0 +1,9 @@
apiVersion: k8s.nginx.org/v1alpha1
kind: Policy
metadata:
name: ingress-mtls-policy
spec:
ingressMTLS:
clientCertSecret: ingress-mtls-secret
verifyClient: "on"
verifyDepth: 1
8 changes: 8 additions & 0 deletions examples-of-custom-resources/ingress-mtls/tls-secret.yaml
@@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: tls-secret
type: Opaque
data:
tls.crt: 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
tls.key: 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
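Review bot: `type: Opaque` on a Secret that carries `tls.crt` and `tls.key` means Kubernetes does not check that both keys are present. Declaring it as `type: kubernetes.io/tls` gives that check at creation time and makes the purpose of the Secret clear next to `ingress-mtls-secret`, which is also `Opaque` but holds only `ca.crt`.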
18 changes: 18 additions & 0 deletions examples-of-custom-resources/ingress-mtls/virtual-server.yaml
@@ -0,0 +1,18 @@
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
name: webapp
spec:
host: webapp.example.com
tls:
secret: tls-secret
policies:
- name: ingress-mtls-policy
upstreams:
- name: webapp
service: webapp-svc
port: 80
routes:
- path: /
action:
pass: webapp
32 changes: 32 additions & 0 deletions examples-of-custom-resources/ingress-mtls/webapp.yaml
@@ -0,0 +1,32 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: webapp
spec:
replicas: 1
selector:
matchLabels:
app: webapp
template:
metadata:
labels:
app: webapp
spec:
containers:
- name: webapp
image: nginxdemos/nginx-hello:plain-text
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: webapp-svc
spec:
ports:
- port: 80
targetPort: 8080
protocol: TCP
name: http
selector:
app: webapp