I have applications deployed in Kubernetes using the Nginx Ingress Controller. I need to implement path-based Client Certificate Validation where:
- 'app.example/auth' -> path should require client certificates
- 'app.example/tool' -> path should not require client certificates
Currently, I'm using this annotation to enable/disable Client Certificate Validation (Authentication): nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
What I understand is that client cert auth is a global configuration and it cannot be configured for a specific path.
For reference, see the first few lines of the doc:
https://github/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#client-certificate-authentication
We also thought of using 2 ingress controllers, but both URLs have the same domain, so the domain can only be resolved to one Load Balancer IP of an ingress controller service.
Please advise how we can enable client cert validation on a specific path. We are also flexible to switch to some other Ingress controller.
asked Jan 31 at 9:53 by Karan Kumar, edited Jan 31 at 9:54

Comments:
- You can't do it with nginx (see this thread). – Ivan Shatsky, commented Jan 31 at 12:45
- Please provide enough code so others can better understand or reproduce the problem. – PatPanda, commented Feb 1 at 11:43
1 Answer
Simply use two separate ingress resources for two different paths:
```yaml
# Ingress for /auth: carries the client-certificate annotations
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # namespace/name of the Secret that holds the CA certificate (ca.crt)
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/auth-secret"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
spec:
  ingressClassName: nginx
  rules:
    - host: app.example
      http:
        paths:
          - path: /auth
            pathType: Prefix
            backend:
              service:
                name: auth-service
                port:
                  number: 80
---
# Ingress for /tool: same host, no auth-tls annotations
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tool-ingress
spec:
  ingressClassName: nginx
  rules:
    - host: app.example
      http:
        paths:
          - path: /tool
            pathType: Prefix
            backend:
              service:
                name: tool-service
                port:
                  number: 80
```
The /auth path will have a block for cert validation and the /tool path will bypass the validation.
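
A check for the split-Ingress layout discussed on this page (an added example, not code from the answer or from ingress-nginx): it reads output shaped like `kubectl get ingress -A -o json`, maps each host's paths to their `auth-tls-verify-client` mode, and flags hosts that mix modes or enable verification without `auth-tls-secret`. The sample items, including the hypothetical `admin-ingress`, are constructed.

```python
import json
from collections import defaultdict

PREFIX = "nginx.ingress.kubernetes.io/"
VERIFY, SECRET = PREFIX + "auth-tls-verify-client", PREFIX + "auth-tls-secret"

def ing(name, path, annotations=None):
    # Constructed sample item, shaped like one entry of `kubectl get ingress -A -o json`.
    return {"metadata": {"name": name, "namespace": "default",
                         "annotations": annotations or {}},
            "spec": {"rules": [{"host": "app.example", "http": {"paths": [
                {"path": path, "pathType": "Prefix"}]}}]}}

SAMPLE = json.dumps({"items": [
    ing("auth-ingress", "/auth", {VERIFY: "on", SECRET: "default/auth-secret"}),
    ing("tool-ingress", "/tool"),
    ing("admin-ingress", "/admin", {VERIFY: "on"}),  # hypothetical: CA secret forgotten
]})

def audit(ingress_json):
    """Return (modes, findings); modes maps host -> {path: verify mode}."""
    modes, findings = defaultdict(dict), []
    for item in json.loads(ingress_json).get("items", []):
        meta = item.get("metadata", {})
        ann = meta.get("annotations") or {}
        mode = ann.get(VERIFY, "off")  # annotation absent: treated as "off" here
        if mode != "off" and not ann.get(SECRET):
            findings.append(f"{meta.get('namespace')}/{meta.get('name')}: "
                            f"verify-client={mode} but no auth-tls-secret (no CA to verify against)")
        for rule in item.get("spec", {}).get("rules", []):
            for p in (rule.get("http") or {}).get("paths", []):
                modes[rule.get("host", "*")][p.get("path", "/")] = mode
    for host, paths in modes.items():
        if len(set(paths.values())) > 1:
            # ssl_verify_client is a server-level nginx directive, so per-path
            # behaviour on a shared host has to be confirmed by testing each path.
            findings.append(f"{host}: mixed client-cert modes {dict(sorted(paths.items()))}")
    return dict(modes), findings

if __name__ == "__main__":
    for line in audit(SAMPLE)[1]:
        print("REVIEW:", line)
```

Each flagged host is a prompt to request every listed path with and without a client certificate and compare the responses.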