# Ingress MTLS

In this example, we deploy a web application, configure load balancing for it via a VirtualServer, and apply an Ingress MTLS policy.

## Prerequisites

1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) instructions to deploy the Ingress Controller.
1. Save the public IP address of the Ingress Controller into a shell variable:
    ```
    $ IC_IP=XXX.YYY.ZZZ.III
    ```
1. Save the HTTPS port of the Ingress Controller into a shell variable:
    ```
    $ IC_HTTPS_PORT=<port number>
    ```

## Step 1 - Deploy a Web Application

Create the application deployment and service:
```
$ kubectl apply -f webapp.yaml
```

## Step 2 - Deploy the Ingress MTLS Secret

Create a secret with the name `ingress-mtls-secret` that will be used for Ingress MTLS validation:
```
$ kubectl apply -f ingress-mtls-secret.yaml
```

## Step 3 - Deploy the Ingress MTLS Policy

Create a policy with the name `ingress-mtls-policy` that references the secret from the previous step:
```
$ kubectl apply -f ingress-mtls.yaml
```

## Step 4 - Configure Load Balancing and TLS Termination

1. Create the secret with the TLS certificate and key:
    ```
    $ kubectl create -f tls-secret.yaml
    ```

2. Create a VirtualServer resource for the web application:
    ```
    $ kubectl apply -f virtual-server.yaml
    ```

Note that the VirtualServer references the policy `ingress-mtls-policy` created in Step 3.

## Step 5 - Test the Configuration

If you attempt to access the application without providing a valid client certificate and key, NGINX will reject your requests for that VirtualServer:
```
$ curl --insecure --resolve webapp.example.com:$IC_HTTPS_PORT:$IC_IP https://webapp.example.com:$IC_HTTPS_PORT/
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/1.19.1</center>
</body>
</html>
```

If you provide a valid client certificate and key, your request will succeed:
```
$ curl --insecure --resolve webapp.example.com:$IC_HTTPS_PORT:$IC_IP https://webapp.example.com:$IC_HTTPS_PORT/ --cert ./client-cert.pem --key ./client-key.pem
Server address: 10.244.0.8:8080
Server name: webapp-7c6d448df9-9ts8x
Date: 23/Sep/2020:07:18:52 +0000
URI: /
Request ID: acb0f48057ccdfd250debe5afe58252a
```
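
The manifests applied in Steps 2 to 4 are not reproduced on this page. The following is an added sketch of how the three resources fit together, not the repository's own files: the resource names `ingress-mtls-secret` and `ingress-mtls-policy` and the host come from the steps above, while the TLS secret name, Service name and port, upstream name and certificate data are assumptions or placeholders.

```yaml
# Added sketch, not the repository's files. Names marked "assumed" are
# illustrative; certificate data is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: ingress-mtls-secret
type: nginx.org/ca              # CA secret type used by the Ingress Controller
data:
  ca.crt: <base64-encoded CA certificate>   # placeholder: CA that issued the client certs
---
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: ingress-mtls-policy
spec:
  ingressMTLS:
    clientCertSecret: ingress-mtls-secret
    # "on" rejects requests without a valid client certificate (the 400 in Step 5).
    # "optional" / "optional_no_ca" let such requests through, so the backend
    # would have to enforce the verification result itself.
    verifyClient: "on"
    verifyDepth: 1              # maximum length of the client certificate chain
---
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
  name: webapp                  # assumed name
spec:
  host: webapp.example.com
  tls:
    secret: tls-secret          # assumed name; TLS termination is required for ingressMTLS
  policies:
  - name: ingress-mtls-policy   # attached at the spec level, not to a route
  upstreams:
  - name: webapp                # assumed upstream name
    service: webapp-svc         # assumed Service name
    port: 80                    # assumed Service port
  routes:
  - path: /
    action:
      pass: webapp
```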