Ingress-nginx: https ca annotation

Created on 3 Oct 2017 · 26Comments · Source: kubernetes/ingress-nginx

I see a case where the ingress provider (me) is separate from my users (namespaced), where they should manage their own ca, and through their particular ingress rules, specify what ca they signed their backends with. This means I don't need to give them my org's wildcard certs. When there are multiple distinct users (namespaces), there may be multiple ca's involved and rebuilding an ingress to on board new users would be a heavy lift.

looks like nginx supports overriding a particular proxies ca: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate

So we'd need an annotation like: "ingress.kubernetes.io/secure-backend-ca" which would point to a configmap with a ca.pem in it. The ingress controller would download that configmap's ca.pem, place it somewhere nginx could get to, and override the proxy_ssl_certificate option on that ingress to point to the file.

help wanted kinfeature lifecyclrotten nginx

Source

kfox1111

Most helpful comment

I would like to have this annotation.
Another annotation to skip verification of backend certificate would interest me as well

jvanhent on 23 Oct 2018

👍4

All 26 comments

For the record, I think I got the flag wrong. according to this:
https://www.nginx.com/resources/admin-guide/nginx-tcp-ssl-upstreams/

it should be:
proxy_ssl_trusted_certificate
and
proxy_ssl_verify on

kfox1111 on 9 Oct 2017

@kfox1111 Is this a ConfigMap (general) and should be responsability from the admin? Or this can be an annotation, and the user might specify which CAs its backend accepts?

rikatz on 19 Dec 2017

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

fejta-bot on 19 Mar 2018

/remove-lifecycle stale

kfox1111 on 19 Mar 2018

Annotation would be required as end users control annotations but not the nginx-ingress configmap.

kfox1111 on 19 Mar 2018

I don't see an updates on this and am running into this exact issue, where the entities that run the backend servers are separate from those that maintain the nginx ingress controllers and allowing them to provide their own .pem as an annotation in their ingress rules would be a perfect situation.

hsteckylf on 6 Jul 2018

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

fejta-bot on 4 Oct 2018

/remove-lifecycle stale

kfox1111 on 4 Oct 2018

Is this easier to implement now that the cert stuff is going through lua? or is it still done via nginx config?

kfox1111 on 4 Oct 2018

I would like to have this annotation.
Another annotation to skip verification of backend certificate would interest me as well

jvanhent on 23 Oct 2018

👍4

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

fejta-bot on 21 Jan 2019

/remove-lifecycle stale
Happy new year ;-)

seboudry on 22 Jan 2019

👍2

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

fejta-bot on 29 Apr 2019

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

fejta-bot on 29 May 2019

If this is not going to be worked on, how can it be achieved within the ConfigMap?

/remove-lifecycle rotten

rafaelmagu on 11 Jun 2019

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

fejta-bot on 9 Sep 2019

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

fejta-bot on 9 Oct 2019

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

fejta-bot on 8 Nov 2019

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.