Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update nginx.org/ca secret type & crl field to IngressMTLS to support CRL #3632

Merged
merged 39 commits into from
Mar 21, 2023
Merged

Update nginx.org/ca secret type & crl field to IngressMTLS to support CRL #3632

merged 39 commits into from
Mar 21, 2023

Conversation

shaun-nx
Copy link
Contributor

@shaun-nx shaun-nx commented Mar 10, 2023
edited
Loading

Proposed changes

This change updates both the nginx.org/ca secret type and the ingressMTLS policy type to provide users a means to configure a Certificate Revocation List.

The CRL can be configured in one of two ways.

  1. Using a Base64 encoded CRL with the nginx.org/ca secret type using the ca.crl
kind: Secret
metadata:
  name: ingress-mtls-secret
apiVersion: v1
type: nginx.org/ca
data:
  ca.crt: <base64encoded-certificate>
  ca.crl: <base64encoded-crl>
  1. Using the crl field in the ingressMTLS policy spec providing the name of the CRL. This option assumes that the crl webapp.crl is provided by the users to /etc/nginx/secrets
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: ingress-mtls-policy
spec:
  ingressMTLS:
    clientCertSecret: ingress-mtls-secret
    crlFileName: webapp.crl
    verifyClient: "on"
    verifyDepth: 1

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

@codecov-commenter
Copy link

codecov-commenter commented Mar 10, 2023
edited by codecov bot
Loading

Codecov Report

Merging #3632 (75ce8d8) into main (04fe202) will increase coverage by 0.01%.
The diff coverage is 67.56%.

@@            Coverage Diff             @@
##             main    #3632      +/-   ##
==========================================
+ Coverage   52.31%   52.33%   +0.01%     
==========================================
  Files          59       59              
  Lines       16853    16880      +27     
==========================================
+ Hits         8817     8834      +17     
- Misses       7741     7749       +8     
- Partials      295      297       +2
Impacted Files Coverage Δ
internal/configs/configurator.go 38.47% <0.00%> (-0.21%) ⬇️
internal/configs/version2/http.go 0.00% <ø> (ø)
internal/configs/virtualserver.go 95.13% <100.00%> (+0.05%) ⬆️

... and 1 file with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@github-actions github-actions bot added the documentation Pull requests/issues for documentation label Mar 10, 2023
@shaun-nx shaun-nx marked this pull request as ready for review March 10, 2023 13:48
@shaun-nx shaun-nx requested a review from a team as a code owner March 10, 2023 13:48
@github-actions github-actions bot added the helm_chart Pull requests that update the Helm Chart label Mar 13, 2023
@shaun-nx shaun-nx changed the title Update nginx.org/ca secret type to support CRL Update nginx.org/ca secret type to support CRL & add crl field to IngressMTLS Mar 14, 2023
@github-actions github-actions bot added the tests Pull requests that update tests label Mar 14, 2023
@shaun-nx shaun-nx requested a review from lucacome March 16, 2023 17:52
@vepatel vepatel added this to the v3.1.0 milestone Mar 20, 2023
ciarams87
ciarams87 approved these changes Mar 20, 2023
View reviewed changes
Copy link
Contributor

@ciarams87 ciarams87 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

ADubhlaoich
ADubhlaoich approved these changes Mar 21, 2023
View reviewed changes
Copy link
Contributor

@ADubhlaoich ADubhlaoich left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

docs/content/configuration/policy-resource.md Outdated Show resolved Hide resolved
docs/content/configuration/policy-resource.md Outdated Show resolved Hide resolved
docs/content/configuration/policy-resource.md Outdated Show resolved Hide resolved
@shaun-nx shaun-nx merged commit dbce83c into main Mar 21, 2023
@shaun-nx shaun-nx deleted the sslCrl branch March 21, 2023 11:56
@shaun-nx shaun-nx changed the title Update nginx.org/ca secret type to support CRL & add crl field to IngressMTLS Update nginx.org/ca secret type & crl field to IngressMTLS to support CRL Mar 23, 2023
@shaun-nx shaun-nx mentioned this pull request Apr 19, 2023
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vepatel vepatel vepatel approved these changes

@brianehlert brianehlert brianehlert left review comments

@tstraley tstraley tstraley approved these changes

@ciarams87 ciarams87 ciarams87 approved these changes

@ADubhlaoich ADubhlaoich ADubhlaoich approved these changes

@haywoodsh haywoodsh Awaiting requested review from haywoodsh

@jjngx jjngx Awaiting requested review from jjngx

@lucacome lucacome Awaiting requested review from lucacome

Assignees
No one assigned
Labels
documentation Pull requests/issues for documentation helm_chart Pull requests that update the Helm Chart tests Pull requests that update tests
Projects
None yet
Milestone
v3.1.0
Development

Successfully merging this pull request may close these issues.
8 participants
@shaun-nx @codecov-commenter @lucacome @brianehlert @ADubhlaoich @ciarams87 @tstraley @vepatel