It is possible to enable Client-Certificate Authentication by adding additional annotations to your Ingress Resource. Before getting started you must have the following Certificates Setup:
- CA certificate and Key(Intermediate Certs need to be in CA)
- Server Certificate(Signed by CA) and Key (CN should be equal the hostname you will use)
- Client Certificate(Signed by CA) and Key
There are many different ways of configuring your secrets to enable Client-Certificate Authentication to work properly.
-
You can create a secret containing just the CA certificate and another Secret containing the Server Certificate which is Signed by the CA.
$ kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt $ kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key
-
You can create a secret containing CA certificate along with the Server Certificate, that can be used for both TLS and Client Auth.
$ kubectl create secret generic ca-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
Note: The CA Certificate must contain the trusted certificate authority chain to verify client certificates.
- Add the annotations as provided in the ingress.yaml example to your own ingress resources as required.
- Test by performing a curl against the Ingress Path without the Client Cert and expect a Status Code 400.
- Test by performing a curl against the Ingress Path with the Client Cert and expect a Status Code 200.