Ingress-nginx: TLS Client-Side authentication
Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):
What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):
Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG
NGINX Ingress controller version:
0.12.0
Kubernetes version (use kubectl version):
1.10
Environment:
- Cloud provider or hardware configuration: Azure
- OS (e.g. from /etc/os-release): Debian
- Kernel (e.g.
uname -a): - Install tools: acs-engine
- Others:
What happened:
even after I provide the tls certificate and annotations in ingress
kubernetes.io/ingress.class: "nginx"
ingress.kubernetes.io/auth-tls-secret: "default/caingress"
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
ingress.kubernetes.io/force-ssl-redirect: "true"
the client-side auth is not working -it's allow access through browser
What you expected to happen:
When I do curl --insecure https://URL I should get:
400 Bad Request
How to reproduce it (as minimally and precisely as possible):
-
Anything else we need to know:
It's working on this version of nginx:
quay.io/aledbf/nginx-ingress-controller:0.89
Drupi
All 10 comments
@Drupi I think your issue is related to the annotations prefix. Make sure this are the annotations are
nginx.ingress.kubernetes.io/auth-tls-secret: "default/caingress"
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
and you are using the latest version of the ingress controller.
aledbf
on 3 Apr 2018
Ok, I done it but still I'm able to reach the probe with curl --insecure.
Drupi
on 3 Apr 2018
So, currently is not working on official image, at least i'm not so strong in the force to configure it. I used the image from. Quay.io/aledbf and it is working perfect.
Drupi
on 4 Apr 2018
I am also affected by that issue. Yesterday, I was able to get it running with use of this image:
image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.11.0
Do you know if a next release will have it fixed?
lszymik
on 5 Apr 2018
@Drupi @lszymik this is currently fixed in master https://github.com/kubernetes/ingress-nginx/pull/2270
Next release is scheduled for next week.
aledbf
on 5 Apr 2018
@aledbf Thank you very much. It is a really great news. Cheers
lszymik
on 5 Apr 2018
Hi, I know this had been closed for a while but I have the same issue running kubernetes on AWS with NGINX Ingress controller version: 0.21.0. Exec'ing into the controller pod shows all the configurations have been applied but I still don't get a 400 error when navigation to the host without a certificate
ChiZhangCZ
on 10 Jan 2019
@ChiZhangCZ Did you ever figure this out?
joeherm
on 22 Apr 2019
This is happening to me, as of the very latest nginx-ingress controller. I'm able to somehow bypass the cert check.
nimish
on 28 Nov 2019
Just an update on this, my issue was that my load balancer was not configured for TCP passthrough, meaning the certificate resolution was happening at the loadbalancer level, and not actually being handled by the ingress controller. Apologies for the late response.
ChiZhangCZ
on 6 Jan 2020
Related issues
bashofmann
路
3Comments
juliohm1978
路
3Comments
boazj
路
3Comments
cehoffman
路
3Comments
sophaskins
路
3Comments
Most helpful comment
Hi, I know this had been closed for a while but I have the same issue running kubernetes on AWS with NGINX Ingress controller version: 0.21.0. Exec'ing into the controller pod shows all the configurations have been applied but I still don't get a 400 error when navigation to the host without a certificate