From 1c5faa633353cd07e0a652ad323b3d47c6b99a19 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 10 Mar 2023 09:38:04 +0000 Subject: [PATCH 01/32] Update nginx.org/ca secret type to support CRL --- .../ingress-mtls/ingress-mtls-secret.yaml | 1 + internal/configs/configurator.go | 25 +++++++++++++------ internal/configs/version2/http.go | 1 + .../version2/nginx-plus.virtualserver.tmpl | 3 +++ .../configs/version2/nginx.virtualserver.tmpl | 3 +++ internal/configs/virtualserver.go | 25 +++++++++++++------ 6 files changed, 43 insertions(+), 15 deletions(-) diff --git a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml index 418bb5e937..a3509fc7fd 100644 --- a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml +++ b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml 
@@ -5,3 +5,4 @@ apiVersion: v1 type: nginx.org/ca data: ca.crt: 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 +# ca.crl: LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSUN0RENCblFJQkFUQU5CZ2txaGtpRzl3MEJBUVVGQURCYk1Rc3dDUVlEVlFRR0V3SkNSVEVSTUE4R0ExVUUKQ0F3SVFuSjFjM05sYkhNeEVUQVBCZ05WQkFjTUNFSnlkWE56Wld4ek1SWXdGQVlEVlFRS0RBMUVhV1JwWlhKVApkR1YyWlc1ek1RNHdEQVlEVlFRRERBVkVVeUJEUVJjTk1qSXhNakF5TVRFeE5UTTNXaGNOTWpReE1qQXhNVEV4Ck5UTTNXcUFPTUF3d0NnWURWUjBVQkFNQ0FRRXdEUVlKS29aSWh2Y05BUUVGQlFBRGdnSUJBSWlsOHZBRkdPQ0EKNnpHQlljY2hGRWhoeWY1NWE4S1drWGJBWldUOWJDMjRYY3lDS1hGNGFOV2NLRHkzU2RUeUphUU9mdDRzeExkbwpvaElCbHZKOG91UVpacDBxdG1pRkt6ajNlK2h6ejF1TlJBaU5JSHFNcWFRNjA2b3pSR0hDSS9yZGxCT2RXcjMxCjBTQXJwblI3TG9NNjN5OFRRYURTdE1nVmJwd09Qdm5GYU01aWNybTZkbjd1Z2FBM2k3SE5EYVFCOHVFSmRnQ3IKenIxWmcrQ2p5Y3pUdEtTSkZCaVhVNVNVRjZlY3lPazQ4NVh0NEd5c2VDNVpobm1kT01udEhFblo4b3pjRkVlbAphYWlUUFFwcFB4QkJBdGJ5VytNUUlrbXUxVzVIVFN1Q21QdVlzZFdaMC9sYWdtQUhUY0hEbHp0WkNzeWxuSGtDCmVwK0lMRTdFb08yOHpienRyYWloc1R3UThnVTVHNlFNVkM1VERWTnV4RldPV2pOZHVQMHVaY1cvUm43MG5jSlIKWUJLdDQxbHN5eFBpY0Z2NHNOZVFoRUVxV2t6R2w5VzZLMnZxQTErOUFDcTRNYzhLakFWOWplQlFjNUE1MHV1NwpGaHdkLzlEMkVOeEV4QjRiSEYrejdyeDFScGN4cks5M3l4Z0lhL2ZFWUNXdElJMFU1WmJGbUw3bFpsRHR0dzlpCm5zb3UxZE5MalVwbk9USytNd3hVVXluRkIvUVV1SURQNGo5QkFMM2QvZk5KdFFOei9seFZZdXFZL0dkdlY3K2sKM05VWXQvU1Y0N01XR0JvQmZTTVIzNEtPK3FISi8rdW41V3l3WUU0bVVSby9CTEpWVXIwMXk2V1BDUkR2emFqawpaQnYzVW9EYlQ3WWlPL2piejB5NTJhcVU4UWtBM2VkMgotLS0tLUVORCBYNTA5IENSTC0tLS0t diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go index 2e5478e3b3..2c9c9d0ce4 100644 --- a/internal/configs/configurator.go +++ b/internal/configs/configurator.go 
@@ -59,8 +59,11 @@ const JWTKeyKey = "jwk" // HtpasswdFileKey is the key of the data field of a Secret where the HTTP basic authorization list must be stored const HtpasswdFileKey = "htpasswd" -// CAKey is the key of the data field of a Secret where the cert must be stored. -const CAKey = "ca.crt" +// CACrtKey is the key of the data field of a Secret where the cert must be stored. +const CACrtKey = "ca.crt" + +// CACrlKey is the key of the data field of a Secret where the cert revocation list much be stored. +const CACrlKey = "ca.crl" // ClientSecretKey is the key of the data field of a Secret where the OIDC client secret must be stored. const ClientSecretKey = "client-secret" @@ -727,8 +730,12 @@ func generateTLSPassthroughHostsConfig(tlsPassthroughPairs map[string]tlsPassthr func (cnf *Configurator) addOrUpdateCASecret(secret *api_v1.Secret) string { name := objectMetaToFileName(&secret.ObjectMeta) - data := GenerateCAFileContent(secret) - return cnf.nginxManager.CreateSecret(name, data, nginx.TLSSecretFileMode) + crtData, crlData := GenerateCAFileContent(secret) + crtSecretName := name + CACrtKey + crlSecretName := name + CACrlKey + crtFileName := cnf.nginxManager.CreateSecret(crtSecretName, crtData, nginx.TLSSecretFileMode) + crlFileName := cnf.nginxManager.CreateSecret(crlSecretName, crlData, nginx.TLSSecretFileMode) + return fmt.Sprintf("%s %s", crtFileName, crlFileName) } func (cnf *Configurator) addOrUpdateJWKSecret(secret *api_v1.Secret) string { 
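Review bot: addOrUpdateCASecret calls CreateSecret for the CRL unconditionally, so an `nginx.org/ca` Secret that has no `ca.crl` key still gets an empty CRL file written next to the cert (GenerateCAFileContent hands back an empty slice for a missing key); guarding it with `if len(crlData) > 0` and returning just the cert path otherwise keeps the secrets directory free of stray empty files. The two file names are handed back as one space-separated string that addIngressMTLSConfig later splits with `strings.Fields`; that convention is invisible here, so a comment on the return such as `// returns "<ca.crt path> <ca.crl path>", the second empty when the Secret carries no CRL` would help the next reader. The new CACrlKey comment has a typo: `// CACrlKey is the key of the data field of a Secret where the certificate revocation list must be stored.`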
@@ -818,12 +825,14 @@ func GenerateCertAndKeyFileContent(secret *api_v1.Secret) []byte { } // GenerateCAFileContent generates a pem file content from the TLS secret. -func GenerateCAFileContent(secret *api_v1.Secret) []byte { - var res bytes.Buffer +func GenerateCAFileContent(secret *api_v1.Secret) ([]byte, []byte) { + var caKey bytes.Buffer + var caCrl bytes.Buffer - res.Write(secret.Data[CAKey]) + caKey.Write(secret.Data[CACrtKey]) + caCrl.Write(secret.Data[CACrlKey]) - return res.Bytes() + return caKey.Bytes(), caCrl.Bytes() } // DeleteIngress deletes NGINX configuration for the Ingress resource. diff --git a/internal/configs/version2/http.go b/internal/configs/version2/http.go index 0f068dac4e..6bc408a85d 100644 --- a/internal/configs/version2/http.go +++ b/internal/configs/version2/http.go @@ -91,6 +91,7 @@ type SSL struct { // IngressMTLS defines TLS configuration for a server. This is a subset of TLS specifically for clients auth. type IngressMTLS struct { ClientCert string + ClientCrl string VerifyClient string VerifyDepth int } diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl index 931be65283..b708702d86 100644 --- a/internal/configs/version2/nginx-plus.virtualserver.tmpl +++ b/internal/configs/version2/nginx-plus.virtualserver.tmpl @@ -115,6 +115,9 @@ server { {{ with $s.IngressMTLS }} ssl_client_certificate {{ .ClientCert }}; + {{ if .ClientCrl }} + ssl_crl {{ .ClientCrl }}; + {{ end }} ssl_verify_client {{ .VerifyClient }}; ssl_verify_depth {{ .VerifyDepth }}; {{ end }} diff --git a/internal/configs/version2/nginx.virtualserver.tmpl b/internal/configs/version2/nginx.virtualserver.tmpl index d3de0d7022..2f2d604cb7 100644 --- a/internal/configs/version2/nginx.virtualserver.tmpl +++ b/internal/configs/version2/nginx.virtualserver.tmpl 
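Review bot: The doc comment on GenerateCAFileContent still says it "generates a pem file content from the TLS secret" although the function now returns two slices, and the local holding `ca.crt` is named `caKey`, which reads as a private key. Suggest renaming it `caCrt` and rewording the comment to `// GenerateCAFileContent returns the ca.crt and ca.crl contents of an nginx.org/ca Secret; the second slice is empty when the Secret has no ca.crl key.` The new `ClientCrl` field on version2.IngressMTLS would likewise benefit from a one-line comment saying it is the on-disk path passed to `ssl_crl` and is only rendered when non-empty, which is what both templates in this commit do.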
@@ -70,6 +70,9 @@ server { {{ with $s.IngressMTLS }} ssl_client_certificate {{ .ClientCert }}; + {{ if .ClientCrl }} + ssl_crl {{ .ClientCrl }}; + {{ end }} ssl_verify_client {{ .VerifyClient }}; ssl_verify_depth {{ .VerifyDepth }}; {{ end }} diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go index 0a245dca8a..434402ff6d 100644 --- a/internal/configs/virtualserver.go +++ b/internal/configs/virtualserver.go @@ -7,15 +7,14 @@ import ( "strings" "github.com/golang/glog" + "github.com/nginxinc/kubernetes-ingress/internal/configs/version2" "github.com/nginxinc/kubernetes-ingress/internal/k8s/secrets" "github.com/nginxinc/kubernetes-ingress/internal/nginx" + conf_v1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1" api_v1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/runtime" - - "github.com/nginxinc/kubernetes-ingress/internal/configs/version2" - conf_v1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1" ) const ( @@ -908,11 +907,23 @@ func (p *policiesCfg) addIngressMTLSConfig( verifyClient = ingressMTLS.VerifyClient } - p.IngressMTLS = &version2.IngressMTLS{ - ClientCert: secretRef.Path, - VerifyClient: verifyClient, - VerifyDepth: verifyDepth, + caFiles := strings.Fields(secretRef.Path) + + if _, hasCrlKey := secretRef.Secret.Data[CACrlKey]; hasCrlKey { + p.IngressMTLS = &version2.IngressMTLS{ + ClientCert: caFiles[0], + ClientCrl: caFiles[1], + VerifyClient: verifyClient, + VerifyDepth: verifyDepth, + } + } else { + p.IngressMTLS = &version2.IngressMTLS{ + ClientCert: caFiles[0], + VerifyClient: verifyClient, + VerifyDepth: verifyDepth, + } } + return res } From 61dc4a4f8c5eced1ad296d0d7ad1f6971209ed04 Mon Sep 17 00:00:00 2001 
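Review bot: `caFiles[1]` is indexed without checking `len(caFiles)`, so a SecretReference whose Path carries a single field — the shape of every existing fixture and of any caller not updated together with addOrUpdateCASecret — panics inside config generation as soon as the Secret also has a `ca.crl` key; `caFiles[0]` has the same problem for an empty Path. Add a guard in the `hasCrlKey` branch, e.g. `if len(caFiles) < 2 { res.addWarningf("no CRL file path available for CA secret %s", ingressMTLS.ClientCertSecret); res.isError = true; return res }`, and a `len(caFiles) == 0` check before the first index. The presence test reads `secretRef.Secret.Data[CACrlKey]` while the path comes from `secretRef.Path`; the two are only kept consistent by the space-separated convention in addOrUpdateCASecret, and a dedicated CRL path on the reference would remove that coupling. The enclosing function starts before this hunk.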
From: shaun-nx Date: Fri, 10 Mar 2023 10:38:51 +0000 Subject: [PATCH 02/32] Add unit tests --- internal/configs/virtualserver.go | 9 ++--- internal/configs/virtualserver_test.go | 55 +++++++++++++++++++++++--- 2 files changed, 54 insertions(+), 10 deletions(-) diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go index 434402ff6d..9921c08ba8 100644 --- a/internal/configs/virtualserver.go +++ b/internal/configs/virtualserver.go @@ -907,23 +907,22 @@ func (p *policiesCfg) addIngressMTLSConfig( verifyClient = ingressMTLS.VerifyClient } - caFiles := strings.Fields(secretRef.Path) + caFields := strings.Fields(secretRef.Path) if _, hasCrlKey := secretRef.Secret.Data[CACrlKey]; hasCrlKey { p.IngressMTLS = &version2.IngressMTLS{ - ClientCert: caFiles[0], - ClientCrl: caFiles[1], + ClientCert: caFields[0], + ClientCrl: caFields[1], VerifyClient: verifyClient, VerifyDepth: verifyDepth, } } else { p.IngressMTLS = &version2.IngressMTLS{ - ClientCert: caFiles[0], + ClientCert: caFields[0], VerifyClient: verifyClient, VerifyDepth: verifyDepth, } } - return res } diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go index 56b291d119..d76883a627 100644 --- a/internal/configs/virtualserver_test.go +++ b/internal/configs/virtualserver_test.go @@ -2691,7 +2691,9 @@ func TestGeneratePolicies(t *testing.T) { vsNamespace: "default", vsName: "test", } - ingressMTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secret" + ingressMTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secretca.crt" + ingressMTLSCrlPath := "/etc/nginx/secrets/default-ingress-mtls-secretca.crl" + ingressMTLSCertAndCrlPath := fmt.Sprintf("%s %s", ingressMTLSCertPath, ingressMTLSCrlPath) policyOpts := policyOptions{ tls: true, secretRefs: map[string]*secrets.SecretReference{ 
@@ -2701,6 +2703,15 @@ func TestGeneratePolicies(t *testing.T) { }, Path: ingressMTLSCertPath, }, + "default/ingress-mtls-secret-crl": { + Secret: &api_v1.Secret{ + Type: secrets.SecretTypeCA, + Data: map[string][]byte{ + "ca.crl": []byte("base64crl"), + }, + }, + Path: ingressMTLSCertAndCrlPath, + }, "default/egress-mtls-secret": { Secret: &api_v1.Secret{ Type: api_v1.SecretTypeTLS, @@ -3085,6 +3096,38 @@ func TestGeneratePolicies(t *testing.T) { }, msg: "ingressMTLS reference", }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "ingress-mtls-policy-crl", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/ingress-mtls-policy-crl": { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "ingress-mtls-policy-crl", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + IngressMTLS: &conf_v1.IngressMTLS{ + ClientCertSecret: "ingress-mtls-secret-crl", + VerifyClient: "off", + }, + }, + }, + }, + context: "spec", + expected: policiesCfg{ + IngressMTLS: &version2.IngressMTLS{ + ClientCert: ingressMTLSCertPath, + ClientCrl: ingressMTLSCrlPath, + VerifyClient: "off", + VerifyDepth: 1, + }, + }, + msg: "ingressMTLS reference", + }, { policyRefs: []conf_v1.PolicyReference{ { @@ -3262,6 +3305,8 @@ func TestGeneratePoliciesFails(t *testing.T) { dryRunOverride := true rejectCodeOverride := 505 + ingressMTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secretca.crt" + tests := []struct { policyRefs []conf_v1.PolicyReference policies map[string]*conf_v1.Policy @@ -3839,14 +3884,14 @@ func TestGeneratePoliciesFails(t *testing.T) { Secret: &api_v1.Secret{ Type: secrets.SecretTypeCA, }, - Path: "/etc/nginx/secrets/default-ingress-mtls-secret", + Path: ingressMTLSCertPath, }, }, }, context: "spec", expected: policiesCfg{ IngressMTLS: &version2.IngressMTLS{ - ClientCert: "/etc/nginx/secrets/default-ingress-mtls-secret", + ClientCert: ingressMTLSCertPath, VerifyClient: "on", VerifyDepth: 1, }, 
@@ -3886,7 +3931,7 @@ func TestGeneratePoliciesFails(t *testing.T) { Secret: &api_v1.Secret{ Type: secrets.SecretTypeCA, }, - Path: "/etc/nginx/secrets/default-ingress-mtls-secret", + Path: ingressMTLSCertPath, }, }, }, @@ -3931,7 +3976,7 @@ func TestGeneratePoliciesFails(t *testing.T) { Secret: &api_v1.Secret{ Type: secrets.SecretTypeCA, }, - Path: "/etc/nginx/secrets/default-ingress-mtls-secret", + Path: ingressMTLSCertPath, }, }, }, From 0209575e7a727ab18b1add64be285b45efcc40e6 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 10 Mar 2023 10:39:33 +0000 Subject: [PATCH 03/32] Update test message --- internal/configs/virtualserver_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go index d76883a627..448b9f3a9d 100644 --- a/internal/configs/virtualserver_test.go +++ b/internal/configs/virtualserver_test.go @@ -3126,7 +3126,7 @@ func TestGeneratePolicies(t *testing.T) { VerifyDepth: 1, }, }, - msg: "ingressMTLS reference", + msg: "ingressMTLS reference with ca.crl", }, { policyRefs: []conf_v1.PolicyReference{ From 408bd2bd989514668efe256e950fc8324de0736f Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Fri, 10 Mar 2023 10:51:00 +0000 Subject: [PATCH 04/32] Update crt and crl file names --- internal/configs/configurator.go | 4 ++-- internal/configs/virtualserver_test.go | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go index 2c9c9d0ce4..2b5f670dc9 100644 --- a/internal/configs/configurator.go +++ b/internal/configs/configurator.go 
@@ -731,8 +731,8 @@ func generateTLSPassthroughHostsConfig(tlsPassthroughPairs map[string]tlsPassthr func (cnf *Configurator) addOrUpdateCASecret(secret *api_v1.Secret) string { name := objectMetaToFileName(&secret.ObjectMeta) crtData, crlData := GenerateCAFileContent(secret) - crtSecretName := name + CACrtKey - crlSecretName := name + CACrlKey + crtSecretName := fmt.Sprintf("%s-%s", name, CACrtKey) + crlSecretName := fmt.Sprintf("%s-%s", name, CACrlKey) crtFileName := cnf.nginxManager.CreateSecret(crtSecretName, crtData, nginx.TLSSecretFileMode) crlFileName := cnf.nginxManager.CreateSecret(crlSecretName, crlData, nginx.TLSSecretFileMode) return fmt.Sprintf("%s %s", crtFileName, crlFileName) diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go index 448b9f3a9d..1a4f20a19d 100644 --- a/internal/configs/virtualserver_test.go +++ b/internal/configs/virtualserver_test.go @@ -2691,8 +2691,8 @@ func TestGeneratePolicies(t *testing.T) { vsNamespace: "default", vsName: "test", } - ingressMTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secretca.crt" - ingressMTLSCrlPath := "/etc/nginx/secrets/default-ingress-mtls-secretca.crl" + ingressMTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crt" + ingressMTLSCrlPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crl" ingressMTLSCertAndCrlPath := fmt.Sprintf("%s %s", ingressMTLSCertPath, ingressMTLSCrlPath) policyOpts := policyOptions{ tls: true, @@ -3305,7 +3305,7 @@ func TestGeneratePoliciesFails(t *testing.T) { dryRunOverride := true rejectCodeOverride := 505 - ingressMTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secretca.crt" + ingressMTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crt" tests := []struct { policyRefs []conf_v1.PolicyReference From 1d90091d410a2af4338a6c695c23a2e1bde2d05e Mon Sep 17 00:00:00 2001 
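Review bot: The derived file names `<name>-ca.crt` and `<name>-ca.crl` share the flat secrets directory with every other secret file, so if objectMetaToFileName yields `<namespace>-<name>` (as the test path `default-ingress-mtls-secret-ca.crt` suggests) a CA Secret `foo` and a TLS Secret literally named `foo-ca.crt` in the same namespace now map to the same path and the last write wins — one Secret can silently replace another's trust anchor. A separator that cannot occur in a Kubernetes object name (DNS-subdomain names allow only lowercase alphanumerics, `-` and `.`) or a per-type subdirectory avoids the collision. For a two-piece join `name + "-" + CACrtKey` is the idiomatic form; `fmt.Sprintf` is not needed here.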
From: shaun-nx Date: Fri, 10 Mar 2023 11:40:21 +0000 Subject: [PATCH 05/32] Update documentation --- docs/content/configuration/policy-resource.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md index 077726cd2c..e5129b3552 100644 --- a/docs/content/configuration/policy-resource.md +++ b/docs/content/configuration/policy-resource.md @@ -262,6 +262,19 @@ ingressMTLS: verifyDepth: 1 ``` +Below is an example of the `ingress-mtls-secret` using the secret type `nginx.org/ca` +```yaml +kind: Secret +metadata: + name: ingress-mtls-secret +apiVersion: v1 +type: nginx.org/ca +data: + ca.crt: +``` + +You can optionally add the `ca.crl` field to the `nginx.org/ca` secret type, which accepts a base64 encoded certificate revocation list (crl) + A VirtualServer that references an IngressMTLS policy must: * Enable [TLS termination](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualservertls). * Reference the policy in the VirtualServer [`spec`](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserver-specification). It is not allowed to reference an IngressMTLS policy in a [`route `](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserverroute) or in a VirtualServerRoute [`subroute`](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserverroutesubroute). From c0404283a45b7995abb50ed45643db7b02e56e0a Mon Sep 17 00:00:00 2001 
From: shaun-nx Date: Fri, 10 Mar 2023 16:26:19 +0000 Subject: [PATCH 06/32] Allow crl file to be set in ingressMTLs polciy spec --- deployments/common/crds/k8s.nginx.org_policies.yaml | 4 ++++ deployments/deployment/nginx-plus-ingress.yaml | 8 ++++++++ .../ingress-mtls/ingress-mtls-secret.yaml | 1 + .../custom-resources/ingress-mtls/ingress-mtls.yaml | 1 + internal/configs/virtualserver.go | 13 +++++++++++++ pkg/apis/configuration/v1/types.go | 1 + 6 files changed, 28 insertions(+) diff --git a/deployments/common/crds/k8s.nginx.org_policies.yaml b/deployments/common/crds/k8s.nginx.org_policies.yaml index 20fe9187b9..0b0d33b37b 100644 --- a/deployments/common/crds/k8s.nginx.org_policies.yaml +++ b/deployments/common/crds/k8s.nginx.org_policies.yaml @@ -92,6 +92,8 @@ spec: properties: clientCertSecret: type: string + crl: + type: string verifyClient: type: string verifyDepth: @@ -260,6 +262,8 @@ spec: properties: clientCertSecret: type: string + crl: + type: string verifyClient: type: string verifyDepth: diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml index 3151d1ff8e..bf235eab72 100644 --- a/deployments/deployment/nginx-plus-ingress.yaml +++ b/deployments/deployment/nginx-plus-ingress.yaml @@ -24,6 +24,11 @@ spec: sysctls: - name: "net.ipv4.ip_unprivileged_port_start" value: "0" + volumes: + - name: crl-volume + hostPath: + path: /data/crl #local directory that contains the CRL + type: Directory containers: - image: nginx-plus-ingress:3.0.2 imagePullPolicy: IfNotPresent @@ -58,6 +63,9 @@ spec: capabilities: drop: - ALL + volumeMounts: + - mountPath: /etc/nginx/secrets + name: crl-volume env: - name: POD_NAMESPACE valueFrom: diff --git a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml index a3509fc7fd..84130afc56 100644 --- a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml 
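Review bot: The new `crl` property is an unconstrained `type: string` in both hunks of k8s.nginx.org_policies.yaml, yet the controller joins it onto the secrets directory to build the `ssl_crl` path, so a Policy author can name any file in that directory (another namespace's `<ns>-<name>-ca.crl` included) or a relative path leading out of it. Constrain it to a plain file name in the schema, e.g. `pattern: '^[a-zA-Z0-9][a-zA-Z0-9._-]*$'`, and mirror the check in the policy validator so the error surfaces at admission rather than at nginx reload and does not depend on the CRD having been upgraded in lockstep with the controller.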
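Review bot: The hostPath volume in nginx-plus-ingress.yaml is mounted at `/etc/nginx/secrets`, which is the directory the controller itself writes every TLS, JWK and CA secret file into (all test paths in this series begin with `/etc/nginx/secrets/`), so the mount overlays that directory with a node-local `/data/crl` and every secret the controller materialises lands on the node's filesystem, while `type: Directory` makes the pod unschedulable on nodes that lack the directory. Patch 10 drops this sample again, but the docs added in patch 08 still tell users the CRL is expected under `/etc/nginx/secrets`, which steers them towards the same mount. If an out-of-band CRL is meant to be delivered by a volume, a separate directory (or a projected Secret/ConfigMap volume) plus a configurable `ssl_crl` base path would avoid shadowing the secrets directory.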
+++ b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml 
@@ -5,4 +5,5 @@ apiVersion: v1 type: nginx.org/ca data: ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQvVENDQXVXZ0F3SUJBZ0lVSzdhbU14OFlLWG1BVG51SkZETDlWS2ZUR2ZNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZMHhDekFKQmdOVkJBWVRBbFZUTVFzd0NRWURWUVFJREFKRFFURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeQpZVzVqYVhOamJ6RU9NQXdHQTFVRUNnd0ZUa2RKVGxneEREQUtCZ05WQkFzTUEwdEpRekVXTUJRR0ExVUVBd3dOCmEybGpMbTVuYVc1NExtTnZiVEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVhM1ZpWlhKdVpYUmxjMEJ1WjJsdWVDNWoKYjIwd0hoY05NakF3T1RFNE1qQXlOVEkyV2hjTk16QXdPVEUyTWpBeU5USTJXakNCalRFTE1Ba0dBMVVFQmhNQwpWVk14Q3pBSkJnTlZCQWdNQWtOQk1SWXdGQVlEVlFRSERBMVRZVzRnUm5KaGJtTnBjMk52TVE0d0RBWURWUVFLCkRBVk9SMGxPV0RFTU1Bb0dBMVVFQ3d3RFMwbERNUll3RkFZRFZRUUREQTFyYVdNdWJtZHBibmd1WTI5dE1TTXcKSVFZSktvWklodmNOQVFrQkZoUnJkV0psY201bGRHVnpRRzVuYVc1NExtTnZiVENDQVNJd0RRWUpLb1pJaHZjTgpBUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmFINVRzaTZzaUFsU085dEJnYmY3VVRwcWowMUhRTlQ2UjhtQy9pCjhLYXFaSW9XSUdvN2xhTW9xTDYydTc4ay9WOHM2Z0FJaU1DSzBjekFvTFhNSnlJQkxQeTg4Yzdtc2xwZXgxTkEKVmRtMkVTVkN6bVlERE1TT3FpVmszWmpYeC9URmo2QzhNRFhhRkZUWFg1dWdtbWdscnFCWlh0OVI5VVBwVTJMNwo1bEZ0NlJ2R3VGczgvbVZORVR5c1A0SFhCWlh2ZE9mdG1YWUkvK01hOW5CMzIzNjdmcTI0L0RKZ2YvK2xRbUsxCkJLR3poSTZSc1pSSmdWOXdpK1VuZTBYNjlaS2lLOFdXU3lZS252YnRrcHZuTDA2dGNJaXJZNi80UzZ4Sm1HRVQKZEJUNmVxc0NoSUpQUStWSEp5dTROdnV6WmVCUXpGdmMwNytnUGZkVWZra1FXODhDQXdFQUFhTlRNRkV3SFFZRApWUjBPQkJZRUZKUGdhcnFYa00rdEJ0djVhdndTUWhUQmpTU2VNQjhHQTFVZEl3UVlNQmFBRkpQZ2FycVhrTSt0CkJ0djVhdndTUWhUQmpTU2VNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUIKQUl3WXpoY0s4OWtRL0xGWjZFRHgrQWp2bnJTVSs1cmdwQkgrRjVTNUUyY3pXOE5rNXhySnl0Y0ZUbUtlKzZScwpENHlxeTZSVVFEeWNYaDlPelBjbzgzYTBoeFlCZ1M5MWtJa25wYWF4dndLRDJleWc3UGNnK1lkS1FhZFlMcUY0CmI3cWVtc1FVVkpOWHdkZS9VanRBejlEOTh4dngwM2hQY2Qwb2dzUUhWZ21BZVpFd2l3UzFmTy9WNUE4dTl3MEkKcHlJRTVReXlHcHNpS2dpalpiMmhrS05RVHVJcEhiVnFydVA4eEV6TlFnamhkdS9uUW5OYy9lRUltVUlrQkFUVQpiSHdQc2xwYzVhdVV1TXJxR3lEQ0p2QUJpV3J2SmE3Yi9XcmtDT3FUWVhtR2NGM0w1ZU9FeTBhYkp0M2NNcSs5CnJLTUNVQWlkNG0yNEthWnc3OUk2anNBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== +# 
ca.crt: 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 # ca.crl: LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSUN0RENCblFJQkFUQU5CZ2txaGtpRzl3MEJBUVVGQURCYk1Rc3dDUVlEVlFRR0V3SkNSVEVSTUE4R0ExVUUKQ0F3SVFuSjFjM05sYkhNeEVUQVBCZ05WQkFjTUNFSnlkWE56Wld4ek1SWXdGQVlEVlFRS0RBMUVhV1JwWlhKVApkR1YyWlc1ek1RNHdEQVlEVlFRRERBVkVVeUJEUVJjTk1qSXhNakF5TVRFeE5UTTNXaGNOTWpReE1qQXhNVEV4Ck5UTTNXcUFPTUF3d0NnWURWUjBVQkFNQ0FRRXdEUVlKS29aSWh2Y05BUUVGQlFBRGdnSUJBSWlsOHZBRkdPQ0EKNnpHQlljY2hGRWhoeWY1NWE4S1drWGJBWldUOWJDMjRYY3lDS1hGNGFOV2NLRHkzU2RUeUphUU9mdDRzeExkbwpvaElCbHZKOG91UVpacDBxdG1pRkt6ajNlK2h6ejF1TlJBaU5JSHFNcWFRNjA2b3pSR0hDSS9yZGxCT2RXcjMxCjBTQXJwblI3TG9NNjN5OFRRYURTdE1nVmJwd09Qdm5GYU01aWNybTZkbjd1Z2FBM2k3SE5EYVFCOHVFSmRnQ3IKenIxWmcrQ2p5Y3pUdEtTSkZCaVhVNVNVRjZlY3lPazQ4NVh0NEd5c2VDNVpobm1kT01udEhFblo4b3pjRkVlbAphYWlUUFFwcFB4QkJBdGJ5VytNUUlrbXUxVzVIVFN1Q21QdVlzZFdaMC9sYWdtQUhUY0hEbHp0WkNzeWxuSGtDCmVwK0lMRTdFb08yOHpienRyYWloc1R3UThnVTVHNlFNVkM1VERWTnV4RldPV2pOZHVQMHVaY1cvUm43MG5jSlIKWUJLdDQxbHN5eFBpY0Z2NHNOZVFoRUVxV2t6R2w5VzZLMnZxQTErOUFDcTRNYzhLakFWOWplQlFjNUE1MHV1NwpGaHdkLzlEMkVOeEV4QjRiSEYrejdyeDFScGN4cks5M3l4Z0lhL2ZFWUNXdElJMFU1WmJGbUw3bFpsRHR0dzlpCm5zb3UxZE5MalVwbk9USytNd3hVVXluRkIvUVV1SURQNGo5QkFMM2QvZk5KdFFOei9seFZZdXFZL0dkdlY3K2sKM05VWXQvU1Y0N01XR0JvQmZTTVIzNEtPK3FISi8rdW41V3l3WUU0bVVSby9CTEpWVXIwMXk2V1BDUkR2emFqawpaQnYzVW9EYlQ3WWlPL2piejB5NTJhcVU4UWtBM2VkMgotLS0tLUVORCBYNTA5IENSTC0tLS0t diff --git a/examples/custom-resources/ingress-mtls/ingress-mtls.yaml b/examples/custom-resources/ingress-mtls/ingress-mtls.yaml index af796bab1a..3ee9e2b3ee 100644 --- a/examples/custom-resources/ingress-mtls/ingress-mtls.yaml +++ b/examples/custom-resources/ingress-mtls/ingress-mtls.yaml @@ -5,5 +5,6 @@ metadata: spec: ingressMTLS: clientCertSecret: ingress-mtls-secret + crl: webapp.crl verifyClient: "on" verifyDepth: 1 diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go index 9921c08ba8..b22cbe5e35 100644 --- a/internal/configs/virtualserver.go 
+++ b/internal/configs/virtualserver.go @@ -909,6 +909,12 @@ func (p *policiesCfg) addIngressMTLSConfig( caFields := strings.Fields(secretRef.Path) + if _, hasCrlKey := secretRef.Secret.Data[CACrlKey]; hasCrlKey && ingressMTLS.Crl != "" { + res.addWarningf("Both ca.crl and ingressMTLS.Crl fields cannot be used") + res.isError = true + return res + } + if _, hasCrlKey := secretRef.Secret.Data[CACrlKey]; hasCrlKey { p.IngressMTLS = &version2.IngressMTLS{ ClientCert: caFields[0], @@ -916,6 +922,13 @@ func (p *policiesCfg) addIngressMTLSConfig( VerifyClient: verifyClient, VerifyDepth: verifyDepth, } + } else if ingressMTLS.Crl != "" { + p.IngressMTLS = &version2.IngressMTLS{ + ClientCert: caFields[0], + ClientCrl: fmt.Sprintf("%s/%s", DefaultSecretPath, ingressMTLS.Crl), + VerifyClient: verifyClient, + VerifyDepth: verifyDepth, + } } else { p.IngressMTLS = &version2.IngressMTLS{ ClientCert: caFields[0], diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go index fa75b33cfa..85bce42199 100644 --- a/pkg/apis/configuration/v1/types.go +++ b/pkg/apis/configuration/v1/types.go @@ -456,6 +456,7 @@ type BasicAuth struct { // IngressMTLS defines an Ingress MTLS policy. type IngressMTLS struct { ClientCertSecret string `json:"clientCertSecret"` + Crl string `json:"crl"` VerifyClient string `json:"verifyClient"` VerifyDepth *int `json:"verifyDepth"` } From d4b5c459a3bdbbc9770c5b9ac27244659b2ee4b8 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 13 Mar 2023 13:49:14 +0000 Subject: [PATCH 07/32] Add additional unit tests --- .../ingress-mtls/ingress-mtls-secret.yaml | 2 +- internal/configs/virtualserver_test.go | 84 ++++++++++++++++++- 2 files changed, 84 insertions(+), 2 deletions(-) diff --git a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml index 84130afc56..ef063358b4 100644 --- a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml 
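Review bot: `ingressMTLS.Crl` is interpolated into a path with `fmt.Sprintf("%s/%s", DefaultSecretPath, ingressMTLS.Crl)` without any check on its content, so a value containing `/` or `..` makes nginx load `ssl_crl` from outside the intended file set; this branch should reject anything that is not a bare file name, and the Policy validator (outside this diff) should do the same. The `Data[CACrlKey]` lookup now happens twice and the three `version2.IngressMTLS` literals differ only in `ClientCrl`; computing the path once and building a single literal also gives a natural place for a `len(caFields)` guard before `caFields[1]`, which is still unchecked. The warning text `Both ca.crl and ingressMTLS.Crl fields cannot be used` reads oddly — `ca.crl in the secret and ingressMTLS.crl in the policy are mutually exclusive` says what is wrong — though the test added in patch 07 asserts the current string. The enclosing function starts before this hunk.

```go
	caFields := strings.Fields(secretRef.Path)
	_, hasCrlKey := secretRef.Secret.Data[CACrlKey]

	if hasCrlKey && ingressMTLS.Crl != "" {
		res.addWarningf("Both ca.crl and ingressMTLS.Crl fields cannot be used")
		res.isError = true
		return res
	}
	if len(caFields) == 0 {
		res.addWarningf("no CA file path available for secret %s", ingressMTLS.ClientCertSecret)
		res.isError = true
		return res
	}

	var clientCrl string
	switch {
	case hasCrlKey:
		if len(caFields) < 2 {
			res.addWarningf("no CRL file path available for secret %s", ingressMTLS.ClientCertSecret)
			res.isError = true
			return res
		}
		clientCrl = caFields[1]
	case ingressMTLS.Crl != "":
		// Bare file name only: the value is joined onto DefaultSecretPath below.
		if strings.ContainsAny(ingressMTLS.Crl, `/\`) || ingressMTLS.Crl == "." || ingressMTLS.Crl == ".." {
			res.addWarningf("ingressMTLS.crl %q must be a file name, not a path", ingressMTLS.Crl)
			res.isError = true
			return res
		}
		clientCrl = fmt.Sprintf("%s/%s", DefaultSecretPath, ingressMTLS.Crl)
	}

	p.IngressMTLS = &version2.IngressMTLS{
		ClientCert:   caFields[0],
		ClientCrl:    clientCrl,
		VerifyClient: verifyClient,
		VerifyDepth:  verifyDepth,
	}
	return res
```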
+++ b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml 
@@ -5,5 +5,5 @@ apiVersion: v1 type: nginx.org/ca data: ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQvVENDQXVXZ0F3SUJBZ0lVSzdhbU14OFlLWG1BVG51SkZETDlWS2ZUR2ZNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZMHhDekFKQmdOVkJBWVRBbFZUTVFzd0NRWURWUVFJREFKRFFURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeQpZVzVqYVhOamJ6RU9NQXdHQTFVRUNnd0ZUa2RKVGxneEREQUtCZ05WQkFzTUEwdEpRekVXTUJRR0ExVUVBd3dOCmEybGpMbTVuYVc1NExtTnZiVEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVhM1ZpWlhKdVpYUmxjMEJ1WjJsdWVDNWoKYjIwd0hoY05NakF3T1RFNE1qQXlOVEkyV2hjTk16QXdPVEUyTWpBeU5USTJXakNCalRFTE1Ba0dBMVVFQmhNQwpWVk14Q3pBSkJnTlZCQWdNQWtOQk1SWXdGQVlEVlFRSERBMVRZVzRnUm5KaGJtTnBjMk52TVE0d0RBWURWUVFLCkRBVk9SMGxPV0RFTU1Bb0dBMVVFQ3d3RFMwbERNUll3RkFZRFZRUUREQTFyYVdNdWJtZHBibmd1WTI5dE1TTXcKSVFZSktvWklodmNOQVFrQkZoUnJkV0psY201bGRHVnpRRzVuYVc1NExtTnZiVENDQVNJd0RRWUpLb1pJaHZjTgpBUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmFINVRzaTZzaUFsU085dEJnYmY3VVRwcWowMUhRTlQ2UjhtQy9pCjhLYXFaSW9XSUdvN2xhTW9xTDYydTc4ay9WOHM2Z0FJaU1DSzBjekFvTFhNSnlJQkxQeTg4Yzdtc2xwZXgxTkEKVmRtMkVTVkN6bVlERE1TT3FpVmszWmpYeC9URmo2QzhNRFhhRkZUWFg1dWdtbWdscnFCWlh0OVI5VVBwVTJMNwo1bEZ0NlJ2R3VGczgvbVZORVR5c1A0SFhCWlh2ZE9mdG1YWUkvK01hOW5CMzIzNjdmcTI0L0RKZ2YvK2xRbUsxCkJLR3poSTZSc1pSSmdWOXdpK1VuZTBYNjlaS2lLOFdXU3lZS252YnRrcHZuTDA2dGNJaXJZNi80UzZ4Sm1HRVQKZEJUNmVxc0NoSUpQUStWSEp5dTROdnV6WmVCUXpGdmMwNytnUGZkVWZra1FXODhDQXdFQUFhTlRNRkV3SFFZRApWUjBPQkJZRUZKUGdhcnFYa00rdEJ0djVhdndTUWhUQmpTU2VNQjhHQTFVZEl3UVlNQmFBRkpQZ2FycVhrTSt0CkJ0djVhdndTUWhUQmpTU2VNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUIKQUl3WXpoY0s4OWtRL0xGWjZFRHgrQWp2bnJTVSs1cmdwQkgrRjVTNUUyY3pXOE5rNXhySnl0Y0ZUbUtlKzZScwpENHlxeTZSVVFEeWNYaDlPelBjbzgzYTBoeFlCZ1M5MWtJa25wYWF4dndLRDJleWc3UGNnK1lkS1FhZFlMcUY0CmI3cWVtc1FVVkpOWHdkZS9VanRBejlEOTh4dngwM2hQY2Qwb2dzUUhWZ21BZVpFd2l3UzFmTy9WNUE4dTl3MEkKcHlJRTVReXlHcHNpS2dpalpiMmhrS05RVHVJcEhiVnFydVA4eEV6TlFnamhkdS9uUW5OYy9lRUltVUlrQkFUVQpiSHdQc2xwYzVhdVV1TXJxR3lEQ0p2QUJpV3J2SmE3Yi9XcmtDT3FUWVhtR2NGM0w1ZU9FeTBhYkp0M2NNcSs5CnJLTUNVQWlkNG0yNEthWnc3OUk2anNBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== -# 
ca.crt: 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 +# ca.crt: 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 # ca.crl: 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 diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go index 1a4f20a19d..8b235e0205 100644 --- a/internal/configs/virtualserver_test.go +++ b/internal/configs/virtualserver_test.go @@ -3126,7 +3126,40 @@ func TestGeneratePolicies(t *testing.T) { VerifyDepth: 1, }, }, - msg: "ingressMTLS reference with ca.crl", + msg: "ingressMTLS reference with ca.crl field in secret", + }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "ingress-mtls-policy-crl", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/ingress-mtls-policy-crl": { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "ingress-mtls-policy-crl", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + IngressMTLS: &conf_v1.IngressMTLS{ + ClientCertSecret: "ingress-mtls-secret", + Crl: "default-ingress-mtls-secret-ca.crl", + VerifyClient: "off", + }, + }, + }, + }, + context: "spec", + expected: policiesCfg{ + IngressMTLS: &version2.IngressMTLS{ + ClientCert: ingressMTLSCertPath, + ClientCrl: ingressMTLSCrlPath, + VerifyClient: "off", + VerifyDepth: 1, + }, + }, + msg: "ingressMTLS reference with crl field in policy", }, { policyRefs: []conf_v1.PolicyReference{ 
@@ -3994,6 +4027,55 @@ func TestGeneratePoliciesFails(t *testing.T) { expectedOidc: &oidcPolicyCfg{}, msg: "ingress mtls missing TLS config", }, + { + policyRefs: []conf_v1.PolicyReference{ + { + Name: "ingress-mtls-policy", + Namespace: "default", + }, + }, + policies: map[string]*conf_v1.Policy{ + "default/ingress-mtls-policy": { + ObjectMeta: meta_v1.ObjectMeta{ + Name: "ingress-mtls-policy", + Namespace: "default", + }, + Spec: conf_v1.PolicySpec{ + IngressMTLS: &conf_v1.IngressMTLS{ + ClientCertSecret: "ingress-mtls-secret", + Crl: "default-ingress-mtls-secret-ca.crl", + }, + }, + }, + }, + policyOpts: policyOptions{ + tls: true, + secretRefs: map[string]*secrets.SecretReference{ + "default/ingress-mtls-secret": { + Secret: &api_v1.Secret{ + Type: secrets.SecretTypeCA, + Data: map[string][]byte{ + "ca.crl": []byte("base64crl"), + }, + }, + Path: ingressMTLSCertPath, + }, + }, + }, + context: "spec", + expected: policiesCfg{ + ErrorReturn: &version2.Return{ + Code: 500, + }, + }, + expectedWarnings: Warnings{ + nil: { + `Both ca.crl and ingressMTLS.Crl fields cannot be used`, + }, + }, + expectedOidc: &oidcPolicyCfg{}, + msg: "ingress mtls ca.crl and ingressMTLS.Crl set", + }, { policyRefs: []conf_v1.PolicyReference{ { From 419af92d05b102c55507a0c9d7bba0ac7f8e56ee Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 13 Mar 2023 14:10:14 +0000 Subject: [PATCH 08/32] Update documentation --- docs/content/configuration/policy-resource.md | 35 ++++++++++++++++++- .../custom-resources/ingress-mtls/README.md | 3 ++ .../ingress-mtls/ingress-mtls-secret.yaml | 1 - 3 files changed, 37 insertions(+), 2 deletions(-) diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md index e5129b3552..db2ff6aad8 100644 --- a/docs/content/configuration/policy-resource.md +++ b/docs/content/configuration/policy-resource.md 
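Review bot: The only negative case added here exercises the conflict between `ca.crl` in the Secret and `Crl` in the policy, and its fixture Path is a single field, so the path where a Secret has `ca.crl` and the policy has no `Crl` — the one that reaches `caFields[1]` in addIngressMTLSConfig — is not covered anywhere in the suite, and neither is a `Crl` value containing a path separator. A table entry for each would pin whatever guard the generator adopts instead of leaving the behaviour to a runtime panic or an nginx reload error.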
@@ -272,8 +272,41 @@ type: nginx.org/ca data: ca.crt: ``` +#### Using a Certificate Revocation List +The IngressMTLS policy supports configuring at CRL for your policy. +This can be done in one of two ways. -You can optionally add the `ca.crl` field to the `nginx.org/ca` secret type, which accepts a base64 encoded certificate revocation list (crl) +> Note: Only one of these configurations options can be used at a time. + +1. Adding the `ca.crl` field to the `nginx.org/ca` secret type, which accepts a base64 encoded certificate revocation list (crl). +Example Yaml: +```yaml +kind: Secret +metadata: + name: ingress-mtls-secret +apiVersion: v1 +type: nginx.org/ca +data: + ca.crt: + ca.crl: +``` + +2. Adding the `Crl` field to your IngressMTLS policy spec with the name of the CRL. +Example Yaml: +```yaml +apiVersion: k8s.nginx.org/v1 +kind: Policy +metadata: + name: ingress-mtls-policy +spec: +ingressMTLS: + clientCertSecret: ingress-mtls-secret + crl: webapp.crl + verifyClient: "on" + verifyDepth: 1 +``` + +> Note: When using this configuration the Ingress Controller will expect the CRL to be located at /etc/nginx/secrets A VirtualServer that references an IngressMTLS policy must: * Enable [TLS termination](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualservertls). diff --git a/examples/custom-resources/ingress-mtls/README.md b/examples/custom-resources/ingress-mtls/README.md index 85b88e1470..dbe33b60e0 100644 --- a/examples/custom-resources/ingress-mtls/README.md +++ b/examples/custom-resources/ingress-mtls/README.md 
@@ -2,6 +2,9 @@ In this example, we deploy a web application, configure load balancing for it via a VirtualServer, and apply an Ingress MTLS policy. +> Note: The Ingress MTLS policy supports configuring a Certificate Revocation List (CRL). +> See [Using a Certificate Revocation List](https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/#using-a-certificate-revocation-list) for details on how to set this option. + ## Prerequisites 1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) instructions to deploy the Ingress Controller. diff --git a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml index ef063358b4..a3509fc7fd 100644 --- a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml +++ b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml 
@@ -5,5 +5,4 @@ apiVersion: v1 type: nginx.org/ca data: ca.crt: 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 -# ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURNakNDQWhvQ0NRQ1labU1VQ3Z4Q2FEQU5CZ2txaGtpRzl3MEJBUVVGQURCYk1Rc3dDUVlEVlFRR0V3SkoKUlRFUU1BNEdBMVVFQ0F3SFNYSmxiR0Z1WkRFTk1Bc0dBMVVFQnd3RVEyOXlhekVMTUFrR0ExVUVDZ3dDUmpVeApEakFNQmdOVkJBc01CVTVIU1U1WU1RNHdEQVlEVlFRRERBVk9SMGxPV0RBZUZ3MHlNekF6TVRNeE1qRXhORFphCkZ3MHlOREF6TVRJeE1qRXhORFphTUZzeEN6QUpCZ05WQkFZVEFrbEZNUkF3RGdZRFZRUUlEQWRKY21Wc1lXNWsKTVEwd0N3WURWUVFIREFSRGIzSnJNUXN3Q1FZRFZRUUtEQUpHTlRFT01Bd0dBMVVFQ3d3RlRrZEpUbGd4RGpBTQpCZ05WQkFNTUJVNUhTVTVZTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1Ujd4CjVGVnowTE1xdmxFNjR4UTUrc3RmMnV4V1gzVkhzZkJhVGZxTDNoQlZvajRQZWZhbnlib1JoTFMwWHRnUXI4Uy8KT1BZTUJOMlRiY2F5Mk4rMnhNNndESFVUcTEwdmNLVG5iUW03WmowbUo1QThVcmpQMGE1eE8rK1hxR0NPSkdKdwpmUmtzeUlkU1E2WTZBdkRZVjhjYUxHbjN6dXBLUjRoZ3BoS1R3SWQ0U2M2clA2aFB6OVNFaWtLSDN6TytTYUNaCkJoWUgzdFhPVkk0eDlGSlhBanJvaURjY0VMMzlrK1Z2bnNiYysrOG15bjBGQm9vWEswRmsxMXBHbUFUcWZxd0kKbWNvdUJXNURvcVlyUmZ1V2tzeGlUM1g5eEMrT2g5dTlJMnpWSkZ2L053RWRXWmdPSmhwYlM2OUhhbGpmbGNrTAp4NG5IdFY2dzRJanhnSGJISVFJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQlFVQUE0SUJBUUJUaWFJdFhHMWpJcTZNCktQZEMzUFN0RzVLYm82V1krTzRmNjl2UkhabE85WFQ2YUtpYmVjSDhONHk0eWJveTNkRERzSDlubzRJUHNsWlAKWXk3NmpsbElIbkxZZzVlU3d2MDEyb3dtRUNTY2d2MGVKb1U2YUdZdTRxVlg1ZUpvK005YjJQWEo3NklIck5WRgpaV2lzaGNQcDdjNDdVZ2hvZUxRRDh6TWdnbmwzTjVSTTVvZGtNbTRjZkVmTmo0bWpJZUlMNzBVUFNBTDkzZzBSCjZqZXdscnkrcnQ5VDl0ejdNdi9Hcys2THphaEVTNVpWWkRKcG1VTFRRR3JJUlBzUDVKbGo4N1QwRU9nd0kvRnQKTExrc3FUL3E5dUh2M2xQMUdoSjM3dTBsNFRCT3ovaUIyRTVKR3oxdmRXNFZXakNibGM4bDV5NU5KeWY2OGxJNQpIY0g3ZWFlKwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t # ca.crl: 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 From 6b0a2de1ad4616c589c3904c1c1ef5798b739d9f Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 13 Mar 2023 14:10:49 +0000 Subject: [PATCH 09/32] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- examples/custom-resources/ingress-mtls/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/custom-resources/ingress-mtls/README.md b/examples/custom-resources/ingress-mtls/README.md index dbe33b60e0..2f679ff2b8 100644 --- a/examples/custom-resources/ingress-mtls/README.md +++ b/examples/custom-resources/ingress-mtls/README.md @@ -2,7 +2,7 @@ In this example, we deploy a web application, configure load balancing for it via a VirtualServer, and apply an Ingress MTLS policy. -> Note: The Ingress MTLS policy supports configuring a Certificate Revocation List (CRL). +> Note: The Ingress MTLS policy supports configuring a Certificate Revocation List (CRL). > See [Using a Certificate Revocation List](https://docs.nginx.com/nginx-ingress-controller/configuration/policy-resource/#using-a-certificate-revocation-list) for details on how to set this option. ## Prerequisites From fd532807a05d9781ecd746046ef3d742a2b33c9a Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 13 Mar 2023 14:12:44 +0000 Subject: [PATCH 10/32] Remove CRL from examples --- deployments/deployment/nginx-plus-ingress.yaml | 8 -------- .../ingress-mtls/ingress-mtls-secret.yaml | 3 +-- examples/custom-resources/ingress-mtls/ingress-mtls.yaml | 1 - 3 files changed, 1 insertion(+), 11 deletions(-) diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml index bf235eab72..3151d1ff8e 100644 --- a/deployments/deployment/nginx-plus-ingress.yaml +++ b/deployments/deployment/nginx-plus-ingress.yaml 
@@ -24,11 +24,6 @@ spec: sysctls: - name: "net.ipv4.ip_unprivileged_port_start" value: "0" - volumes: - - name: crl-volume - hostPath: - path: /data/crl #local directory that contains the CRL - type: Directory containers: - image: nginx-plus-ingress:3.0.2 imagePullPolicy: IfNotPresent @@ -63,9 +58,6 @@ spec: capabilities: drop: - ALL - volumeMounts: - - mountPath: /etc/nginx/secrets - name: crl-volume env: - name: POD_NAMESPACE valueFrom: diff --git a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml index a3509fc7fd..9c069e6b79 100644 --- a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml +++ b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml @@ -4,5 +4,4 @@ metadata: apiVersion: v1 type: nginx.org/ca data: - ca.crt: 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 -# ca.crl: 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 + ca.crt: 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 \ No newline at end of file diff --git a/examples/custom-resources/ingress-mtls/ingress-mtls.yaml b/examples/custom-resources/ingress-mtls/ingress-mtls.yaml index 3ee9e2b3ee..af796bab1a 100644 --- a/examples/custom-resources/ingress-mtls/ingress-mtls.yaml +++ b/examples/custom-resources/ingress-mtls/ingress-mtls.yaml @@ -5,6 +5,5 @@ metadata: spec: ingressMTLS: clientCertSecret: ingress-mtls-secret - crl: webapp.crl verifyClient: "on" verifyDepth: 1 From ab2e0a9c49233d8297cc70b081e6445c92b1e580 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 13 Mar 2023 14:13:54 +0000 Subject: [PATCH 11/32] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml index 9c069e6b79..418bb5e937 100644 --- a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml +++ b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml 
@@ -4,4 +4,4 @@ metadata: apiVersion: v1 type: nginx.org/ca data: - ca.crt: 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 \ No newline at end of file + ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQvVENDQXVXZ0F3SUJBZ0lVSzdhbU14OFlLWG1BVG51SkZETDlWS2ZUR2ZNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZMHhDekFKQmdOVkJBWVRBbFZUTVFzd0NRWURWUVFJREFKRFFURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeQpZVzVqYVhOamJ6RU9NQXdHQTFVRUNnd0ZUa2RKVGxneEREQUtCZ05WQkFzTUEwdEpRekVXTUJRR0ExVUVBd3dOCmEybGpMbTVuYVc1NExtTnZiVEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVhM1ZpWlhKdVpYUmxjMEJ1WjJsdWVDNWoKYjIwd0hoY05NakF3T1RFNE1qQXlOVEkyV2hjTk16QXdPVEUyTWpBeU5USTJXakNCalRFTE1Ba0dBMVVFQmhNQwpWVk14Q3pBSkJnTlZCQWdNQWtOQk1SWXdGQVlEVlFRSERBMVRZVzRnUm5KaGJtTnBjMk52TVE0d0RBWURWUVFLCkRBVk9SMGxPV0RFTU1Bb0dBMVVFQ3d3RFMwbERNUll3RkFZRFZRUUREQTFyYVdNdWJtZHBibmd1WTI5dE1TTXcKSVFZSktvWklodmNOQVFrQkZoUnJkV0psY201bGRHVnpRRzVuYVc1NExtTnZiVENDQVNJd0RRWUpLb1pJaHZjTgpBUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmFINVRzaTZzaUFsU085dEJnYmY3VVRwcWowMUhRTlQ2UjhtQy9pCjhLYXFaSW9XSUdvN2xhTW9xTDYydTc4ay9WOHM2Z0FJaU1DSzBjekFvTFhNSnlJQkxQeTg4Yzdtc2xwZXgxTkEKVmRtMkVTVkN6bVlERE1TT3FpVmszWmpYeC9URmo2QzhNRFhhRkZUWFg1dWdtbWdscnFCWlh0OVI5VVBwVTJMNwo1bEZ0NlJ2R3VGczgvbVZORVR5c1A0SFhCWlh2ZE9mdG1YWUkvK01hOW5CMzIzNjdmcTI0L0RKZ2YvK2xRbUsxCkJLR3poSTZSc1pSSmdWOXdpK1VuZTBYNjlaS2lLOFdXU3lZS252YnRrcHZuTDA2dGNJaXJZNi80UzZ4Sm1HRVQKZEJUNmVxc0NoSUpQUStWSEp5dTROdnV6WmVCUXpGdmMwNytnUGZkVWZra1FXODhDQXdFQUFhTlRNRkV3SFFZRApWUjBPQkJZRUZKUGdhcnFYa00rdEJ0djVhdndTUWhUQmpTU2VNQjhHQTFVZEl3UVlNQmFBRkpQZ2FycVhrTSt0CkJ0djVhdndTUWhUQmpTU2VNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUIKQUl3WXpoY0s4OWtRL0xGWjZFRHgrQWp2bnJTVSs1cmdwQkgrRjVTNUUyY3pXOE5rNXhySnl0Y0ZUbUtlKzZScwpENHlxeTZSVVFEeWNYaDlPelBjbzgzYTBoeFlCZ1M5MWtJa25wYWF4dndLRDJleWc3UGNnK1lkS1FhZFlMcUY0CmI3cWVtc1FVVkpOWHdkZS9VanRBejlEOTh4dngwM2hQY2Qwb2dzUUhWZ21BZVpFd2l3UzFmTy9WNUE4dTl3MEkKcHlJRTVReXlHcHNpS2dpalpiMmhrS05RVHVJcEhiVnFydVA4eEV6TlFnamhkdS9uUW5OYy9lRUltVUlrQkFUVQpiSHdQc2xwYzVhdVV1TXJxR3lEQ0p2QUJpV3J2SmE3Yi9XcmtDT3FUWVhtR2NG
M0w1ZU9FeTBhYkp0M2NNcSs5CnJLTUNVQWlkNG0yNEthWnc3OUk2anNBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== From ca2af5ce3dc5018ab411c1e0624aa6268ee0ccc3 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 13 Mar 2023 14:49:39 +0000 Subject: [PATCH 12/32] Add crl option to list of fields in document --- docs/content/configuration/policy-resource.md | 1 + internal/configs/virtualserver.go | 2 +- internal/configs/virtualserver_test.go | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md index db2ff6aad8..c29581e290 100644 --- a/docs/content/configuration/policy-resource.md +++ b/docs/content/configuration/policy-resource.md @@ -336,6 +336,7 @@ We use the `requestHeaders` of the [Action.Proxy](/nginx-ingress-controller/conf |``clientCertSecret`` | The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type ``nginx.org/ca``, and the certificate must be stored in the secret under the key ``ca.crt``, otherwise the secret will be rejected as invalid. | ``string`` | Yes | |``verifyClient`` | Verification for the client. Possible values are ``"on"``, ``"off"``, ``"optional"``, ``"optional_no_ca"``. The default is ``"on"``. | ``string`` | No | |``verifyDepth`` | Sets the verification depth in the client certificates chain. The default is ``1``. | ``int`` | No | +|``crl`` | The name of the Certificate Revocation List. The Ingress Controller will look for this file in `/etc/nginx/secrets` | ``string`` | No | {{% /table %}} #### IngressMTLS Merging Behavior diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go index b22cbe5e35..a88900b7d8 100644 --- a/internal/configs/virtualserver.go +++ b/internal/configs/virtualserver.go 
@@ -910,7 +910,7 @@ func (p *policiesCfg) addIngressMTLSConfig( caFields := strings.Fields(secretRef.Path) if _, hasCrlKey := secretRef.Secret.Data[CACrlKey]; hasCrlKey && ingressMTLS.Crl != "" { - res.addWarningf("Both ca.crl and ingressMTLS.Crl fields cannot be used") + res.addWarningf("Both ca.crl and ingressMTLS.crl fields cannot be used") res.isError = true return res } diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go index 8b235e0205..a5db5c2134 100644 --- a/internal/configs/virtualserver_test.go +++ b/internal/configs/virtualserver_test.go @@ -4070,7 +4070,7 @@ func TestGeneratePoliciesFails(t *testing.T) { }, expectedWarnings: Warnings{ nil: { - `Both ca.crl and ingressMTLS.Crl fields cannot be used`, + `Both ca.crl and ingressMTLS.crl fields cannot be used`, }, }, expectedOidc: &oidcPolicyCfg{}, From 320a11a5abd73aacc1cc8f57d4593fe7065a81a9 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Mon, 13 Mar 2023 15:01:26 +0000 Subject: [PATCH 13/32] Add crl to helm policy crd --- deployments/helm-chart/crds/k8s.nginx.org_policies.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml index 20fe9187b9..0b0d33b37b 100644 --- a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml +++ b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml @@ -92,6 +92,8 @@ spec: properties: clientCertSecret: type: string + crl: + type: string verifyClient: type: string verifyDepth: @@ -260,6 +262,8 @@ spec: properties: clientCertSecret: type: string + crl: + type: string verifyClient: type: string verifyDepth: From 47393ab76a946659892c4ce9e587bc686af40ab0 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 14 Mar 2023 10:16:14 +0000 Subject: [PATCH 14/32] Update CRDs --- deployments/common/crds/k8s.nginx.org_policies.yaml | 2 -- deployments/helm-chart/crds/k8s.nginx.org_policies.yaml | 2 -- 2 files changed, 4 deletions(-) 
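Review bot: The new `crl` property in the `@@ -92,6 +92,8 @@` hunk of the helm CRD is declared as a bare `type: string`, although the docs table added in this same patch says the controller looks the value up as a file under `/etc/nginx/secrets`, so nothing at admission time stops a value containing `/` or `..` from pointing NGINX at a file outside that directory. A schema `pattern` is the cheapest guard, e.g. `pattern: '^[A-Za-z0-9_-][A-Za-z0-9._-]*$'` (a constructed example; adjust it to the file names you intend to support) together with a `maxLength`, and the matching property in the common CRD would need the same. The second copy at `@@ -260,6 +262,8 @@` is removed again by the next patch in the series, so only the first occurrence needs the change.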
diff --git a/deployments/common/crds/k8s.nginx.org_policies.yaml b/deployments/common/crds/k8s.nginx.org_policies.yaml index 0b0d33b37b..84f70c2b08 100644 --- a/deployments/common/crds/k8s.nginx.org_policies.yaml +++ b/deployments/common/crds/k8s.nginx.org_policies.yaml @@ -262,8 +262,6 @@ spec: properties: clientCertSecret: type: string - crl: - type: string verifyClient: type: string verifyDepth: diff --git a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml index 0b0d33b37b..84f70c2b08 100644 --- a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml +++ b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml @@ -262,8 +262,6 @@ spec: properties: clientCertSecret: type: string - crl: - type: string verifyClient: type: string verifyDepth: From 37bf5ce34a0679ec986cc2e7539126849f35fdcb Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 14 Mar 2023 11:03:18 +0000 Subject: [PATCH 15/32] Make ingressMTLS.crl in policy override ca.crl in secret when both are set --- .../ingress-mtls/ingress-mtls-secret.yaml | 2 +- internal/configs/virtualserver.go | 12 +++++------- internal/configs/virtualserver_test.go | 11 ++++++++--- 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml index 418bb5e937..9c069e6b79 100644 --- a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml +++ b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml 
@@ -4,4 +4,4 @@ metadata: apiVersion: v1 type: nginx.org/ca data: - ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQvVENDQXVXZ0F3SUJBZ0lVSzdhbU14OFlLWG1BVG51SkZETDlWS2ZUR2ZNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZMHhDekFKQmdOVkJBWVRBbFZUTVFzd0NRWURWUVFJREFKRFFURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeQpZVzVqYVhOamJ6RU9NQXdHQTFVRUNnd0ZUa2RKVGxneEREQUtCZ05WQkFzTUEwdEpRekVXTUJRR0ExVUVBd3dOCmEybGpMbTVuYVc1NExtTnZiVEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVhM1ZpWlhKdVpYUmxjMEJ1WjJsdWVDNWoKYjIwd0hoY05NakF3T1RFNE1qQXlOVEkyV2hjTk16QXdPVEUyTWpBeU5USTJXakNCalRFTE1Ba0dBMVVFQmhNQwpWVk14Q3pBSkJnTlZCQWdNQWtOQk1SWXdGQVlEVlFRSERBMVRZVzRnUm5KaGJtTnBjMk52TVE0d0RBWURWUVFLCkRBVk9SMGxPV0RFTU1Bb0dBMVVFQ3d3RFMwbERNUll3RkFZRFZRUUREQTFyYVdNdWJtZHBibmd1WTI5dE1TTXcKSVFZSktvWklodmNOQVFrQkZoUnJkV0psY201bGRHVnpRRzVuYVc1NExtTnZiVENDQVNJd0RRWUpLb1pJaHZjTgpBUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmFINVRzaTZzaUFsU085dEJnYmY3VVRwcWowMUhRTlQ2UjhtQy9pCjhLYXFaSW9XSUdvN2xhTW9xTDYydTc4ay9WOHM2Z0FJaU1DSzBjekFvTFhNSnlJQkxQeTg4Yzdtc2xwZXgxTkEKVmRtMkVTVkN6bVlERE1TT3FpVmszWmpYeC9URmo2QzhNRFhhRkZUWFg1dWdtbWdscnFCWlh0OVI5VVBwVTJMNwo1bEZ0NlJ2R3VGczgvbVZORVR5c1A0SFhCWlh2ZE9mdG1YWUkvK01hOW5CMzIzNjdmcTI0L0RKZ2YvK2xRbUsxCkJLR3poSTZSc1pSSmdWOXdpK1VuZTBYNjlaS2lLOFdXU3lZS252YnRrcHZuTDA2dGNJaXJZNi80UzZ4Sm1HRVQKZEJUNmVxc0NoSUpQUStWSEp5dTROdnV6WmVCUXpGdmMwNytnUGZkVWZra1FXODhDQXdFQUFhTlRNRkV3SFFZRApWUjBPQkJZRUZKUGdhcnFYa00rdEJ0djVhdndTUWhUQmpTU2VNQjhHQTFVZEl3UVlNQmFBRkpQZ2FycVhrTSt0CkJ0djVhdndTUWhUQmpTU2VNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUIKQUl3WXpoY0s4OWtRL0xGWjZFRHgrQWp2bnJTVSs1cmdwQkgrRjVTNUUyY3pXOE5rNXhySnl0Y0ZUbUtlKzZScwpENHlxeTZSVVFEeWNYaDlPelBjbzgzYTBoeFlCZ1M5MWtJa25wYWF4dndLRDJleWc3UGNnK1lkS1FhZFlMcUY0CmI3cWVtc1FVVkpOWHdkZS9VanRBejlEOTh4dngwM2hQY2Qwb2dzUUhWZ21BZVpFd2l3UzFmTy9WNUE4dTl3MEkKcHlJRTVReXlHcHNpS2dpalpiMmhrS05RVHVJcEhiVnFydVA4eEV6TlFnamhkdS9uUW5OYy9lRUltVUlrQkFUVQpiSHdQc2xwYzVhdVV1TXJxR3lEQ0p2QUJpV3J2SmE3Yi9XcmtDT3FUWVhtR2NGM0w1ZU9FeTBhYkp0M2NNcSs5CnJLTUNVQWlkNG0yNEthWnc3OUk2anNBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t
Cg== + ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQvVENDQXVXZ0F3SUJBZ0lVSzdhbU14OFlLWG1BVG51SkZETDlWS2ZUR2ZNd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2dZMHhDekFKQmdOVkJBWVRBbFZUTVFzd0NRWURWUVFJREFKRFFURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeQpZVzVqYVhOamJ6RU9NQXdHQTFVRUNnd0ZUa2RKVGxneEREQUtCZ05WQkFzTUEwdEpRekVXTUJRR0ExVUVBd3dOCmEybGpMbTVuYVc1NExtTnZiVEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVhM1ZpWlhKdVpYUmxjMEJ1WjJsdWVDNWoKYjIwd0hoY05NakF3T1RFNE1qQXlOVEkyV2hjTk16QXdPVEUyTWpBeU5USTJXakNCalRFTE1Ba0dBMVVFQmhNQwpWVk14Q3pBSkJnTlZCQWdNQWtOQk1SWXdGQVlEVlFRSERBMVRZVzRnUm5KaGJtTnBjMk52TVE0d0RBWURWUVFLCkRBVk9SMGxPV0RFTU1Bb0dBMVVFQ3d3RFMwbERNUll3RkFZRFZRUUREQTFyYVdNdWJtZHBibmd1WTI5dE1TTXcKSVFZSktvWklodmNOQVFrQkZoUnJkV0psY201bGRHVnpRRzVuYVc1NExtTnZiVENDQVNJd0RRWUpLb1pJaHZjTgpBUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTmFINVRzaTZzaUFsU085dEJnYmY3VVRwcWowMUhRTlQ2UjhtQy9pCjhLYXFaSW9XSUdvN2xhTW9xTDYydTc4ay9WOHM2Z0FJaU1DSzBjekFvTFhNSnlJQkxQeTg4Yzdtc2xwZXgxTkEKVmRtMkVTVkN6bVlERE1TT3FpVmszWmpYeC9URmo2QzhNRFhhRkZUWFg1dWdtbWdscnFCWlh0OVI5VVBwVTJMNwo1bEZ0NlJ2R3VGczgvbVZORVR5c1A0SFhCWlh2ZE9mdG1YWUkvK01hOW5CMzIzNjdmcTI0L0RKZ2YvK2xRbUsxCkJLR3poSTZSc1pSSmdWOXdpK1VuZTBYNjlaS2lLOFdXU3lZS252YnRrcHZuTDA2dGNJaXJZNi80UzZ4Sm1HRVQKZEJUNmVxc0NoSUpQUStWSEp5dTROdnV6WmVCUXpGdmMwNytnUGZkVWZra1FXODhDQXdFQUFhTlRNRkV3SFFZRApWUjBPQkJZRUZKUGdhcnFYa00rdEJ0djVhdndTUWhUQmpTU2VNQjhHQTFVZEl3UVlNQmFBRkpQZ2FycVhrTSt0CkJ0djVhdndTUWhUQmpTU2VNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUIKQUl3WXpoY0s4OWtRL0xGWjZFRHgrQWp2bnJTVSs1cmdwQkgrRjVTNUUyY3pXOE5rNXhySnl0Y0ZUbUtlKzZScwpENHlxeTZSVVFEeWNYaDlPelBjbzgzYTBoeFlCZ1M5MWtJa25wYWF4dndLRDJleWc3UGNnK1lkS1FhZFlMcUY0CmI3cWVtc1FVVkpOWHdkZS9VanRBejlEOTh4dngwM2hQY2Qwb2dzUUhWZ21BZVpFd2l3UzFmTy9WNUE4dTl3MEkKcHlJRTVReXlHcHNpS2dpalpiMmhrS05RVHVJcEhiVnFydVA4eEV6TlFnamhkdS9uUW5OYy9lRUltVUlrQkFUVQpiSHdQc2xwYzVhdVV1TXJxR3lEQ0p2QUJpV3J2SmE3Yi9XcmtDT3FUWVhtR2NGM0w1ZU9FeTBhYkp0M2NNcSs5CnJLTUNVQWlkNG0yNEthWnc3OUk2anNBPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== \ No newline at end of file 
diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go
index a88900b7d8..b883ee87bb 100644
--- a/internal/configs/virtualserver.go
+++ b/internal/configs/virtualserver.go
@@ -910,22 +910,20 @@ func (p *policiesCfg) addIngressMTLSConfig(
 caFields := strings.Fields(secretRef.Path)
 if _, hasCrlKey := secretRef.Secret.Data[CACrlKey]; hasCrlKey && ingressMTLS.Crl != "" {
- res.addWarningf("Both ca.crl and ingressMTLS.crl fields cannot be used")
- res.isError = true
- return res
+ res.addWarningf("Both ca.crl and ingressMTLS.crl fields cannot be used. ca.crl will be ignored and %s will be applied", polKey)
 }
- if _, hasCrlKey := secretRef.Secret.Data[CACrlKey]; hasCrlKey {
+ if ingressMTLS.Crl != "" {
 p.IngressMTLS = &version2.IngressMTLS{
 ClientCert: caFields[0],
- ClientCrl: caFields[1],
+ ClientCrl: fmt.Sprintf("%s/%s", DefaultSecretPath, ingressMTLS.Crl),
 VerifyClient: verifyClient,
 VerifyDepth: verifyDepth,
 }
- } else if ingressMTLS.Crl != "" {
+ } else if _, hasCrlKey := secretRef.Secret.Data[CACrlKey]; hasCrlKey {
 p.IngressMTLS = &version2.IngressMTLS{
 ClientCert: caFields[0],
- ClientCrl: fmt.Sprintf("%s/%s", DefaultSecretPath, ingressMTLS.Crl),
+ ClientCrl: caFields[1],
 VerifyClient: verifyClient,
 VerifyDepth: verifyDepth,
 }
diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go
index a5db5c2134..96d55c293f 100644
--- a/internal/configs/virtualserver_test.go
+++ b/internal/configs/virtualserver_test.go
@@ -3339,6 +3339,7 @@ func TestGeneratePoliciesFails(t *testing.T) {
 rejectCodeOverride := 505
 ingressMTLSCertPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crt"
+ ingressMTLSCrlPath := "/etc/nginx/secrets/default-ingress-mtls-secret-ca.crl"
 tests := []struct {
 policyRefs []conf_v1.PolicyReference
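Review bot: `ClientCrl: fmt.Sprintf("%s/%s", DefaultSecretPath, ingressMTLS.Crl)` now builds the NGINX `ssl_crl` path from a policy-supplied string that this function never checks to be a bare file name, so a value containing `/` or `..` makes NGINX load a CRL from outside `DefaultSecretPath`; unless the policy validation package already rejects such values (not visible here), add a guard before the assignment, e.g. `if strings.Contains(ingressMTLS.Crl, "/") || ingressMTLS.Crl == ".." { res.addWarningf("ingressMTLS.crl must be a plain file name, got %q", ingressMTLS.Crl); res.isError = true; return res }`. The same hunk turns the ca.crl/ingressMTLS.crl conflict from a hard error into a warning with the policy value winning, while the policy documentation added earlier in this series still states that only one of the two options can be used at a time — that sentence should describe the precedence instead, unless a later patch already does so. `caFields[1]` in the else-if branch presumes `secretRef.Path` carries two whitespace-separated paths whenever the secret has a `ca.crl` key; that invariant is established outside this hunk, and a `len(caFields) < 2` check before the index would make the dependency explicit rather than a panic. addIngressMTLSConfig starts and ends outside the hunk.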
@@ -4064,13 +4065,17 @@ func TestGeneratePoliciesFails(t *testing.T) { }, context: "spec", expected: policiesCfg{ - ErrorReturn: &version2.Return{ - Code: 500, + IngressMTLS: &version2.IngressMTLS{ + ClientCert: ingressMTLSCertPath, + ClientCrl: ingressMTLSCrlPath, + VerifyClient: "on", + VerifyDepth: 1, }, + ErrorReturn: nil, }, expectedWarnings: Warnings{ nil: { - `Both ca.crl and ingressMTLS.crl fields cannot be used`, + `Both ca.crl and ingressMTLS.crl fields cannot be used. ca.crl will be ignored and default/ingress-mtls-policy will be applied`, }, }, expectedOidc: &oidcPolicyCfg{}, From b638538228fe3aab56c10fea27ec0c562ac41a64 Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 14 Mar 2023 11:05:12 +0000 Subject: [PATCH 16/32] Add new line --- examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml index 9c069e6b79..418bb5e937 100644 --- a/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml +++ b/examples/custom-resources/ingress-mtls/ingress-mtls-secret.yaml @@ -4,4 +4,4 @@ metadata: apiVersion: v1 type: nginx.org/ca data: - ca.crt: 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 \ No newline at end of file + ca.crt: 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 From 9451e6f9915c6664e9e603dd854e766dfca606ef Mon Sep 17 00:00:00 2001 From: shaun-nx Date: Tue, 14 Mar 2023 17:05:57 +0000 Subject: [PATCH 17/32] Add tests for CRL --- tests/suite/test_ingress_mtls.py | 166 ++++++++++++++++++++++++++++++- 1 file changed, 165 insertions(+), 1 deletion(-) diff --git a/tests/suite/test_ingress_mtls.py b/tests/suite/test_ingress_mtls.py index 170af4ab57..2610078acd 100644 --- a/tests/suite/test_ingress_mtls.py +++ b/tests/suite/test_ingress_mtls.py 
@@ -33,6 +33,13 @@ invalid_crt = f"{TEST_DATA}/ingress-mtls/client-auth/invalid/client-cert.pem" invalid_key = f"{TEST_DATA}/ingress-mtls/client-auth/invalid/client-cert.pem" +mtls_secret_crl = f"{TEST_DATA}/ingress-mtls/secret/ingress-mtls-secret-crl.yaml" +mtls_pol_crl = f"{TEST_DATA}/ingress-mtls/policies/ingress-mtls-crl.yaml" + +crt_not_revoked = f"{TEST_DATA}/ingress-mtls/client-auth/not-revoked/client-cert.pem" +key_not_revoked = f"{TEST_DATA}/ingress-mtls/client-auth/not-revoked/client-key.pem" +crt_revoked = f"{TEST_DATA}/ingress-mtls/client-auth/revoked/client-cert.pem" +key_revoked = f"{TEST_DATA}/ingress-mtls/client-auth/revoked/client-key.pem" def setup_policy(kube_apis, test_namespace, mtls_secret, tls_secret, policy): print(f"Create ingress-mtls secret") @@ -53,7 +60,7 @@ def teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret delete_secret(kube_apis.v1, mtls_secret, test_namespace) -@pytest.mark.policies +@pytest.mark.smoke @pytest.mark.parametrize( "crd_ingress_controller, virtual_server_setup", [ 
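Review bot: The marker on the existing test class changes from `@pytest.mark.policies` to `@pytest.mark.smoke` in the `@@ -53,7 +60,7 @@` hunk, which is unrelated to the CRL work and would move the whole ingress-mTLS suite out of a `-m policies` selection; if this is a leftover from a local run, restore `@pytest.mark.policies`. The decorated class continues outside the hunk, and the follow-up pre-commit patch in this series does not revert the marker.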
@@ -224,6 +231,163 @@ def test_ingress_mtls_policy_cert( virtual_server_setup.namespace, ) assert resp.status_code == expected_code and expected_text in resp.text and exception in ssl_exception + + @pytest.mark.sslcrl + @pytest.mark.parametrize( + "policy_src, vs_src, mtls_secret_in, expected_code, expected_text, vs_message, vs_state", + [ + ( + mtls_pol_valid_src, + mtls_vs_spec_src, + mtls_secret_crl, + 200, + "Server address:", + "added or updated", + "Valid", + ), + ( + mtls_pol_crl, + mtls_vs_spec_src, + mtls_sec_valid_src, + 404, + "Not Found", + "added or updated", + "Invalid", + ), + ( + mtls_pol_crl, + mtls_vs_spec_src, + mtls_secret_crl, + 404, + "Not Found", + "added or updated ; with warning(s)", + "Invalid", + ), + ], + ) + def test_ingress_mtls_polciy_crl( + self, + kube_apis, + crd_ingress_controller, + virtual_server_setup, + test_namespace, + policy_src, + mtls_secret_in, + vs_src, + expected_code, + expected_text, + vs_message, + vs_state,): + + session = create_sni_session() + mtls_secret, tls_secret, pol_name = setup_policy( + kube_apis, + test_namespace, + mtls_secret_in, + tls_sec_valid_src, + policy_src, + ) + + print(f"Patch vs with policy: {policy_src}") + patch_virtual_server_from_yaml( + kube_apis.custom_objects, + virtual_server_setup.vs_name, + vs_src, + virtual_server_setup.namespace, + ) + wait_before_test() + resp = session.get( + virtual_server_setup.backend_1_url_ssl, + cert=(crt_not_revoked, key_not_revoked), + headers={"host": virtual_server_setup.vs_host}, + allow_redirects=False, + verify=False, + ) + print("--------------------------") + print(f"RESPONSE Text: {resp.text}") + print("--------------------------") + vs_res = read_vs(kube_apis.custom_objects, test_namespace, virtual_server_setup.vs_name) + teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret) + + patch_virtual_server_from_yaml( + kube_apis.custom_objects, + virtual_server_setup.vs_name, + std_vs_src, + virtual_server_setup.namespace, + ) + 
assert ( + resp.status_code == expected_code + and expected_text in resp.text + and vs_message in vs_res["status"]["message"] + and vs_res["status"]["state"] == vs_state + ) + + # @pytest.mark.sslcrl + @pytest.mark.parametrize( + "certificate, expected_code, expected_text, exception", + [ + ((crt_not_revoked, key_not_revoked), 200, "Server address:", ""), + ("", 400, "No required SSL certificate was sent", ""), + ((crt_revoked, key_revoked), 400, "The SSL certificate error", ""), + ], + ) + def test_ingress_mtls_policy_cert_crl( + self, + kube_apis, + crd_ingress_controller, + virtual_server_setup, + test_namespace, + certificate, + expected_code, + expected_text, + exception, + ): + """ + Test ingress-mtls with valid and invalid policy + """ + session = create_sni_session() + mtls_secret, tls_secret, pol_name = setup_policy( + kube_apis, + test_namespace, + mtls_secret_crl, + tls_sec_valid_src, + mtls_pol_valid_src, + ) + + print(f"Patch vs with policy: {mtls_pol_valid_src}") + patch_virtual_server_from_yaml( + kube_apis.custom_objects, + virtual_server_setup.vs_name, + mtls_vs_spec_src, + virtual_server_setup.namespace, + ) + wait_before_test() + ssl_exception = "" + resp = "" + try: + resp = session.get( + virtual_server_setup.backend_1_url_ssl, + cert=certificate, + headers={"host": virtual_server_setup.vs_host}, + allow_redirects=False, + verify=False, + ) + except requests.exceptions.SSLError as e: + print(f"SSL certificate exception: {e}") + ssl_exception = str(e) + resp = mock.Mock() + resp.status_code = "None" + resp.text = "None" + + teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret) + + patch_virtual_server_from_yaml( + kube_apis.custom_objects, + virtual_server_setup.vs_name, + std_vs_src, + virtual_server_setup.namespace, + ) + assert resp.status_code == expected_code and expected_text in resp.text and exception in ssl_exception @pytest.mark.policies From b1e2859f41748c7398b3cba73546f0d764dcd859 Mon Sep 17 00:00:00 2001 
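Review bot: `test_ingress_mtls_policy_cert_crl` is the only test in this hunk that presents a revoked client certificate, yet its marker is commented out (`# @pytest.mark.sslcrl`), so a run selected with `-m sslcrl` never exercises the revocation path the feature exists for; uncomment the decorator so both tests share the marker. Its docstring is copied from the earlier test ("Test ingress-mtls with valid and invalid policy") and should instead read `Test ingress-mtls with a CRL: non-revoked, missing and revoked client certificates`, while `test_ingress_mtls_polciy_crl` misspells "policy" in its name and has no docstring. In `test_ingress_mtls_polciy_crl` the third parametrised case expects the message `added or updated ; with warning(s)` together with state `Invalid`; after the override change to the Go code earlier in this series the ca.crl/ingressMTLS.crl conflict only warns, so whether `Invalid` is still the state reached there is worth confirming against a live run. The test class these methods belong to starts outside the hunk.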
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 14 Mar 2023 17:06:34 +0000 Subject: [PATCH 18/32] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- tests/suite/test_ingress_mtls.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tests/suite/test_ingress_mtls.py b/tests/suite/test_ingress_mtls.py index 2610078acd..7b11344ea1 100644 --- a/tests/suite/test_ingress_mtls.py +++ b/tests/suite/test_ingress_mtls.py @@ -41,6 +41,7 @@ crt_revoked = f"{TEST_DATA}/ingress-mtls/client-auth/revoked/client-cert.pem" key_revoked = f"{TEST_DATA}/ingress-mtls/client-auth/revoked/client-key.pem" + def setup_policy(kube_apis, test_namespace, mtls_secret, tls_secret, policy): print(f"Create ingress-mtls secret") mtls_secret_name = create_secret_from_yaml(kube_apis.v1, test_namespace, mtls_secret) @@ -231,11 +232,11 @@ def test_ingress_mtls_policy_cert( virtual_server_setup.namespace, ) assert resp.status_code == expected_code and expected_text in resp.text and exception in ssl_exception - + @pytest.mark.sslcrl @pytest.mark.parametrize( "policy_src, vs_src, mtls_secret_in, expected_code, expected_text, vs_message, vs_state", - [ + [ ( mtls_pol_valid_src, mtls_vs_spec_src, @@ -277,8 +278,8 @@ def test_ingress_mtls_polciy_crl( expected_code, expected_text, vs_message, - vs_state,): - + vs_state, + ): session = create_sni_session() mtls_secret, tls_secret, pol_name = setup_policy( kube_apis, From b521b450d57de68721c2fb6c21b3b78df5278245 Mon Sep 17 00:00:00 2001 
From: shaun-nx Date: Tue, 14 Mar 2023 17:07:21 +0000 Subject: [PATCH 19/32] Add test data files for CRL --- .../ingress-mtls/client-auth/crl/webapp.crl | 19 +++ .../client-auth/not-revoked/client-cert.pem | 108 ++++++++++++++++++ .../client-auth/not-revoked/client-key.pem | 28 +++++ .../client-auth/revoked/client-cert.pem | 108 ++++++++++++++++++ .../client-auth/revoked/client-key.pem | 28 +++++ .../policies/ingress-mtls-crl.yaml | 10 ++ .../secret/ingress-mtls-secret-crl.yaml | 8 ++ 7 files changed, 309 insertions(+) create mode 100644 tests/data/ingress-mtls/client-auth/crl/webapp.crl create mode 100644 tests/data/ingress-mtls/client-auth/not-revoked/client-cert.pem create mode 100644 tests/data/ingress-mtls/client-auth/not-revoked/client-key.pem create mode 100644 tests/data/ingress-mtls/client-auth/revoked/client-cert.pem create mode 100644 tests/data/ingress-mtls/client-auth/revoked/client-key.pem create mode 100644 tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml create mode 100644 tests/data/ingress-mtls/secret/ingress-mtls-secret-crl.yaml diff --git a/tests/data/ingress-mtls/client-auth/crl/webapp.crl b/tests/data/ingress-mtls/client-auth/crl/webapp.crl new file mode 100644 index 0000000000..a836c07e04 --- /dev/null +++ b/tests/data/ingress-mtls/client-auth/crl/webapp.crl 
@@ -0,0 +1,19 @@ +-----BEGIN X509 CRL----- +MIIDBDCB7TANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMxETAPBgNVBAgM +CE1hcnlsYW5kMRIwEAYDVQQHDAlCYWx0aW1vcmUxGTAXBgNVBAoMEFRlc3QgQ0Es +IExpbWl0ZWQxIzAhBgNVBAsMGlNlcnZlciBSZXNlYXJjaCBEZXBhcnRtZW50MRAw +DgYDVQQDDAdUZXN0IENBMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4YW1wbGUuY29t +Fw0yMzAzMTMxODAyMjJaFw0yMzA0MTIxODAyMjJaMBQwEgIBAhcNMjMwMzEzMTgw +MjEyWjANBgkqhkiG9w0BAQsFAAOCAgEARsCPzIZjRkuKPej4Tu79kzENW/E6976c +Xk7h5tKhLwN54NUtt3JRLpVPApPXgO7auZ9kIbX/Di+rzK8WpPehTIx4oTlrKclZ +OXl3tPYBgvg2G5qhTw2P/N4C35O1gmZYKYqXxGzJ9AVu9ZcWRRczUB9yZfTupDh8 +6JtNwbBUZNGiR2FEyJ/XSPB1UyrAkb2VMN7A5XFHi+yYqkKlkpSKhcOcyFqzE0/q +D9WV7zrmT20uMXkeBUm9XHjXtWE20oMODPGDDA5H6FZi/NH1pSkKTcx8R7X4fehV +9BTMYyTCVpUIIHndou4v1RIvPriE/OPlxP0cDVB6euWDWogIvr2Y4izyGtstZZoN +Md0QcXWMXSR0wShBtD5Lb9r0K8LOKnyuQTUSGivncbFj6MQ4NSqM14Iw3d8z0zj0 +89oxAQXMkojvm6IeyY/aJUZqIOvNz1xdhnd5smZChAGSULxgXleaGF87W+v18nJT +8/7sUbsOQGQ+uP9tcWpf3rlx1UD5dgUoJlwkRMzgOoAv07rdqdldd8AWVbwLryFv +4DuLMNUDD+lObWq4T7A4NsoSZvPnj+Np83/uBXE/Ffozbic2R8VIoSKGcaX8thfa +joPL5JkxjFFzfFrp02/WFSMwq3slkBBjHadwjMq6bBry142aiNQn8p4lkvWWDoQ+ +igkH3EDgCVc= +-----END X509 CRL----- diff --git a/tests/data/ingress-mtls/client-auth/not-revoked/client-cert.pem b/tests/data/ingress-mtls/client-auth/not-revoked/client-cert.pem new file mode 100644 index 0000000000..5c30524153 --- /dev/null +++ b/tests/data/ingress-mtls/client-auth/not-revoked/client-cert.pem 
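Review bot: The fixture CRL has a short validity window: its thisUpdate/nextUpdate fields decode to 2023-03-13 18:02:22Z and 2023-04-12 18:02:22Z, so from mid-April 2023 OpenSSL's chain verification inside NGINX treats the list as expired (X509_V_ERR_CRL_HAS_EXPIRED, unless time checks are disabled) and the non-revoked client certificate used by the paired tests will be rejected along with the revoked one, turning the suite red for reasons unrelated to the controller. Regenerate the fixture with a nextUpdate at least as long as the test certificates' lifetime (for example `openssl ca -gencrl -crldays <N>` with a large N), and note the expiry dates of the CRL and the certificates somewhere in the test-data directory so the next failure is diagnosable. The certificate added in the following file expires on 2024-03-12 according to its text dump, which is the earliest the whole set should be rotated.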
@@ -0,0 +1,108 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Maryland, L=Baltimore, O=Test CA, Limited, OU=Server Research Department, CN=Test CA/emailAddress=test@example.com + Validity + Not Before: Mar 13 17:58:36 2023 GMT + Not After : Mar 12 17:58:36 2024 GMT + Subject: C=US, ST=MD, L=Baltimore, O=Test Server, Limited, CN=Test Server + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:a7:85:20:1a:81:39:bf:55:a7:2b:2b:c7:bf:fa: + 9f:e2:26:7e:f2:21:61:fa:d9:39:4e:ab:0e:38:6e: + fe:5d:e2:5a:fc:99:1b:42:30:b7:ee:21:50:4b:cc: + 79:bd:ee:9f:2c:5b:69:76:99:b5:00:69:4f:9c:70: + 7b:9e:4e:be:2e:63:d0:69:ec:bc:b2:4d:ba:40:f4: + 00:38:0a:75:26:8a:17:9f:e5:b6:37:9e:3e:34:da: + 1e:52:7f:e8:88:8b:30:26:3f:1e:5d:b3:0d:1a:c8: + 70:02:65:ef:ad:d1:66:a9:e3:eb:d5:2d:02:98:5c: + 54:e1:e2:91:30:57:68:7e:f3:c2:8d:14:9a:c7:19: + 0e:3f:af:03:24:e1:0f:c2:7d:22:b7:6b:36:c2:fd: + 4c:e1:a9:d9:1f:fc:ec:05:c3:95:dd:17:96:9e:d0: + 99:30:2d:07:6f:b7:6a:ea:11:63:b6:b2:09:50:1c: + 35:83:a6:90:95:c2:c1:73:6a:5d:87:ad:27:0f:b1: + 51:a3:73:c4:b5:2b:05:f8:3b:4a:63:1c:dd:dd:b7: + 2f:b4:58:49:42:3f:7e:4a:3e:89:68:7f:06:b5:52: + 04:3f:8c:db:7e:ce:5e:1e:64:39:ad:d0:93:24:f7: + 55:c8:aa:4e:85:a1:5b:a5:8d:44:cf:15:1e:6a:b1: + 00:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 60:B1:14:DA:79:DA:4E:5C:A7:8F:C9:E1:4F:53:E4:0A:03:71:0F:22 + X509v3 Authority Key Identifier: + keyid:90:AA:F8:42:B6:84:01:09:18:39:76:A1:59:BF:19:29:04:94:6C:2B + + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Key Encipherment + X509v3 Subject Alternative Name: + DNS:example.com, DNS:webapp.example.com, DNS:mail.example.com, DNS:ftp.example.com + Netscape Comment: + OpenSSL Generated Certificate + Signature Algorithm: sha256WithRSAEncryption + 44:6a:06:f7:ba:cb:1d:fa:c9:bf:ab:62:7c:f0:e3:2c:a3:11: + 
2a:aa:17:85:3a:b7:ba:0f:ab:03:65:63:a8:a8:d4:33:a6:85: + 16:ce:b6:96:3b:dc:d2:c2:8a:36:75:f5:7b:e6:a8:9b:1d:e7: + c6:fb:24:97:51:47:df:e2:ae:7b:76:0f:ef:29:aa:f5:1f:14: + b4:89:2f:16:51:f8:19:05:35:43:c4:ea:2b:69:7d:07:56:39: + 73:56:bf:86:6b:5a:90:32:2b:0a:3a:26:92:f9:01:37:30:4d: + 13:4f:f5:c6:3b:dc:23:f6:cb:4e:f0:0a:25:75:0b:26:92:70: + 12:ec:af:1b:1b:21:25:bf:5b:0c:81:97:2b:22:57:c2:5a:c7: + 6a:c6:1d:e8:f9:b9:ae:8e:ca:51:14:4f:7e:d4:21:43:a9:f7: + 43:87:53:83:7e:6e:e5:04:65:72:09:f6:b0:f6:45:c7:9c:31: + 03:88:bb:56:3d:c6:a8:fa:2f:f3:4c:92:5a:89:a1:5c:2e:14: + dd:8f:1b:7f:67:a3:63:52:11:20:1a:5b:a9:a4:68:80:ec:4b: + ee:40:f6:b2:c8:a1:d5:d1:af:eb:de:3d:c8:cb:f2:75:6e:12: + 53:1b:70:f9:db:ef:4d:e4:76:17:80:7a:4f:be:5f:b2:dc:33: + 85:81:fc:27:8f:da:cd:dd:4c:bd:31:50:eb:4a:cb:db:9b:c2: + 1c:db:43:86:e1:ca:15:1d:58:47:33:14:9a:80:7e:53:8b:52: + 1d:f9:98:84:10:df:5a:d7:0e:ef:c7:6d:aa:14:f0:09:fa:67: + 94:50:8f:d5:e1:07:5c:8b:bb:2f:73:49:50:ef:1e:d9:12:27: + 20:fb:bb:52:70:0c:d6:00:d2:bd:62:ff:1d:8c:07:91:c4:34: + 65:dd:9b:f1:40:67:db:d7:ad:d1:7a:96:f4:61:91:42:f4:9d: + a4:70:a8:31:70:97:1a:19:9d:ca:0d:41:b4:cc:95:0d:00:0b: + 6b:a0:28:ce:74:ee:69:73:b3:fc:58:13:7b:40:9b:29:99:94: + ba:26:91:20:33:89:44:46:58:b3:36:be:e3:18:20:6b:52:3c: + 7a:90:5f:82:a5:aa:f0:cc:6e:4d:26:9d:6e:2d:b6:2c:a6:7c: + 80:a9:d6:9d:34:e3:ac:bb:f0:e8:78:8d:93:2f:6f:31:3f:5f: + 91:5c:fc:d8:8c:bc:5a:8e:f0:67:c1:df:6b:08:5e:34:56:93: + 19:6a:c0:51:a4:9b:b3:3f:38:2e:c1:17:45:00:74:d9:3d:45: + b2:1b:76:e8:52:4f:e6:1f:7e:62:c7:b6:82:78:4e:40:56:cf: + 6b:93:f8:7d:be:27:0a:f2 +-----BEGIN CERTIFICATE----- +MIIFXzCCA0egAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx +ETAPBgNVBAgMCE1hcnlsYW5kMRIwEAYDVQQHDAlCYWx0aW1vcmUxGTAXBgNVBAoM +EFRlc3QgQ0EsIExpbWl0ZWQxIzAhBgNVBAsMGlNlcnZlciBSZXNlYXJjaCBEZXBh +cnRtZW50MRAwDgYDVQQDDAdUZXN0IENBMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4 +YW1wbGUuY29tMB4XDTIzMDMxMzE3NTgzNloXDTI0MDMxMjE3NTgzNlowYzELMAkG +A1UEBhMCVVMxCzAJBgNVBAgMAk1EMRIwEAYDVQQHDAlCYWx0aW1vcmUxHTAbBgNV 
+BAoMFFRlc3QgU2VydmVyLCBMaW1pdGVkMRQwEgYDVQQDDAtUZXN0IFNlcnZlcjCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKeFIBqBOb9Vpysrx7/6n+Im +fvIhYfrZOU6rDjhu/l3iWvyZG0Iwt+4hUEvMeb3unyxbaXaZtQBpT5xwe55Ovi5j +0GnsvLJNukD0ADgKdSaKF5/ltjeePjTaHlJ/6IiLMCY/Hl2zDRrIcAJl763RZqnj +69UtAphcVOHikTBXaH7zwo0UmscZDj+vAyThD8J9IrdrNsL9TOGp2R/87AXDld0X +lp7QmTAtB2+3auoRY7ayCVAcNYOmkJXCwXNqXYetJw+xUaNzxLUrBfg7SmMc3d23 +L7RYSUI/fko+iWh/BrVSBD+M237OXh5kOa3QkyT3VciqToWhW6WNRM8VHmqxAP8C +AwEAAaOB2DCB1TAdBgNVHQ4EFgQUYLEU2nnaTlynj8nhT1PkCgNxDyIwHwYDVR0j +BBgwFoAUkKr4QraEAQkYOXahWb8ZKQSUbCswCQYDVR0TBAIwADALBgNVHQ8EBAMC +BaAwTQYDVR0RBEYwRIILZXhhbXBsZS5jb22CEndlYmFwcC5leGFtcGxlLmNvbYIQ +bWFpbC5leGFtcGxlLmNvbYIPZnRwLmV4YW1wbGUuY29tMCwGCWCGSAGG+EIBDQQf +Fh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOC +AgEARGoG97rLHfrJv6tifPDjLKMRKqoXhTq3ug+rA2VjqKjUM6aFFs62ljvc0sKK +NnX1e+aomx3nxvskl1FH3+Kue3YP7ymq9R8UtIkvFlH4GQU1Q8TqK2l9B1Y5c1a/ +hmtakDIrCjomkvkBNzBNE0/1xjvcI/bLTvAKJXULJpJwEuyvGxshJb9bDIGXKyJX +wlrHasYd6Pm5ro7KURRPftQhQ6n3Q4dTg35u5QRlcgn2sPZFx5wxA4i7Vj3GqPov +80ySWomhXC4U3Y8bf2ejY1IRIBpbqaRogOxL7kD2ssih1dGv6949yMvydW4SUxtw ++dvvTeR2F4B6T75fstwzhYH8J4/azd1MvTFQ60rL25vCHNtDhuHKFR1YRzMUmoB+ +U4tSHfmYhBDfWtcO78dtqhTwCfpnlFCP1eEHXIu7L3NJUO8e2RInIPu7UnAM1gDS +vWL/HYwHkcQ0Zd2b8UBn29et0XqW9GGRQvSdpHCoMXCXGhmdyg1BtMyVDQALa6Ao +znTuaXOz/FgTe0CbKZmUuiaRIDOJREZYsza+4xgga1I8epBfgqWq8MxuTSadbi22 +LKZ8gKnWnTTjrLvw6HiNky9vMT9fkVz82Iy8Wo7wZ8HfawheNFaTGWrAUaSbsz84 +LsEXRQB02T1Fsht26FJP5h9+Yse2gnhOQFbPa5P4fb4nCvI= +-----END CERTIFICATE----- diff --git a/tests/data/ingress-mtls/client-auth/not-revoked/client-key.pem b/tests/data/ingress-mtls/client-auth/not-revoked/client-key.pem new file mode 100644 index 0000000000..bbef35f917 --- /dev/null +++ b/tests/data/ingress-mtls/client-auth/not-revoked/client-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCnhSAagTm/Vacr +K8e/+p/iJn7yIWH62TlOqw44bv5d4lr8mRtCMLfuIVBLzHm97p8sW2l2mbUAaU+c +cHueTr4uY9Bp7LyyTbpA9AA4CnUmihef5bY3nj402h5Sf+iIizAmPx5dsw0ayHAC +Ze+t0Wap4+vVLQKYXFTh4pEwV2h+88KNFJrHGQ4/rwMk4Q/CfSK3azbC/Uzhqdkf +/OwFw5XdF5ae0JkwLQdvt2rqEWO2sglQHDWDppCVwsFzal2HrScPsVGjc8S1KwX4 +O0pjHN3dty+0WElCP35KPolofwa1UgQ/jNt+zl4eZDmt0JMk91XIqk6FoVuljUTP +FR5qsQD/AgMBAAECggEAAnGSslBIQ15AfgS5eTdytZ3SJD4Qa9RXXappHrGfzEbN +BPpGx4RmanbZ8QEelYKxl7gNpclANq1Sl/mcFAcaBxs1oxXs+rzfhqsIhcjBRLqm +9ZIoQk9woNy9rH5pKfS90xEApGVEP6vE1oQeJu7zDG9itU1eyFIwessPSyE7SP7H +Pae6gTgb0KUyobs2IwER+2e8vwnb2wZXgiazIemPo6RKpydBVpKSgI+pR4Yr5NrY +ZhGCKs0U9EyeT5JwFNYsbU2noaw9Anty7i2BU5Im/6NyJC5Q59QvqFyWGf7RG7Mq +blz+uvnuooWUoSp4FT7sPZNCHRcHbsS1Y0Kol/RHwQKBgQDdTb2wkEvnJPNs8Hlk +ouE2LXuvtwB0DopLN0W1TIazOeN6yPFlVC61E98GeVZO4DLrINrbTyED1fgtCioM +6Qbh4BhJHCG8PQPLug2TjLZs3f4kADey2jTfkvdD2yYdDFK5jv001NBG86mjIFOb +5pShh+Pb/NMTAkuYpZX4QNpnmQKBgQDByLhYSWHDSZdcpoWyBy95zPTXtZmHLqbo +0rOoGXQrJviVBY/OrweskNKLOBujjxGG6R8DXFrFJjLZ+8unk1WY38bXb8paN8M7 +8xU2A4b1VuagsMqbMAzmVb2B6kooLtCpnF0D3CiBFlHYOi5wW5KBxsz1HnU9cfJd ++lrFD+WsVwKBgQDDRamvdmPDXZN9+OLkreRTTebpsWyw+3OD0w2rYA8rblUPLufy +JUnhddtBdyd1CddkKeVzxmq3W8JU27cnFSeBf59uQ2hxFNWYml8IZw1BGtD5K0f6 +hRhKfv+33FPRJeKI4WcDixUMxkxVKF0eH2Pe9G1W28vT5h6WXuXp3C/bYQKBgGM3 +tQMnF1IY1NHQRPXA7hLr2JS1W1U2kqj0cJ3p4mvRuUb7oQTO4xv8zoAPiz80GmI7 +6/AZkjQM+c5YOI6lRhdOxA08JJwKnwCL1llgdvIYu16dBi9s673nOm9RGQT360hc +UdePGoH1fpQ6PdqzWBDwS7JZFOgP9msdquno2MxjAoGAIvW6rXq5WVNjs2bOIpL3 +SI9QxZ9dlhCyRf14T2+2h4GoenkSaiQoLhJ5BHy2ydQUUM4u0EEjkLz/xLxmh6uS +n8b2suXTBdHCp6C73FVc8JvBUWEfj4W8a1tLO53DcbW0YVmk6mL7otw8WBi6LqJz +nCrwLitwRCcXPXDcA32ZpU4= +-----END PRIVATE KEY----- diff --git a/tests/data/ingress-mtls/client-auth/revoked/client-cert.pem b/tests/data/ingress-mtls/client-auth/revoked/client-cert.pem new file mode 100644 index 0000000000..20d95b711f --- /dev/null 
+++ b/tests/data/ingress-mtls/client-auth/revoked/client-cert.pem 
@@ -0,0 +1,108 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Maryland, L=Baltimore, O=Test CA, Limited, OU=Server Research Department, CN=Test CA/emailAddress=test@example.com + Validity + Not Before: Mar 13 17:58:49 2023 GMT + Not After : Mar 12 17:58:49 2024 GMT + Subject: C=US, ST=MD, L=Baltimore, O=Test Server, Limited, CN=Test Server + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:b2:0f:05:bb:7a:78:62:15:44:db:ae:fc:c1:4a: + 84:94:dc:04:2e:47:64:f3:16:f1:db:d6:87:25:72: + ac:3d:75:d1:66:4c:6a:7b:b6:40:6b:83:41:c1:0d: + 35:08:11:23:a0:e1:60:17:41:0f:98:28:aa:06:28: + bc:06:3b:70:49:4d:93:09:84:0e:7b:83:ee:2e:51: + 93:5f:c3:d6:8c:4a:c9:7b:88:08:2e:58:1a:d4:01: + 2c:e9:35:9d:37:57:28:54:ff:10:95:47:d6:e4:4d: + 4d:5f:ea:eb:4e:59:15:d7:df:83:1d:78:f7:97:96: + 69:84:61:ff:ed:b9:b9:ab:b5:51:aa:f1:29:87:07: + 4e:f2:40:d6:dd:07:e8:1b:38:fb:01:90:a5:91:dd: + 20:a5:23:7c:2a:ad:d0:06:12:b4:d2:8f:14:9b:95: + 79:38:54:27:62:1f:7a:27:d7:39:11:fe:ec:43:04: + 1e:58:fe:1b:98:0a:78:f1:2e:fc:9f:aa:3a:ea:c4: + b4:c1:e2:9c:97:23:59:29:dc:ae:e4:42:d8:0b:6d: + d3:f5:ee:7b:70:48:22:79:c4:12:cf:b1:9e:32:47: + c0:e0:77:c9:52:59:0d:54:7f:0c:36:e8:ee:7e:1a: + 13:f1:cd:6b:4a:56:63:0a:b2:1b:b2:55:64:0c:45: + 1f:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 32:E3:A1:81:20:9D:8A:37:D3:F4:04:A4:18:20:3E:97:29:A3:D6:9B + X509v3 Authority Key Identifier: + keyid:90:AA:F8:42:B6:84:01:09:18:39:76:A1:59:BF:19:29:04:94:6C:2B + + X509v3 Basic Constraints: + CA:FALSE + X509v3 Key Usage: + Digital Signature, Key Encipherment + X509v3 Subject Alternative Name: + DNS:example.com, DNS:webapp.example.com, DNS:mail.example.com, DNS:ftp.example.com + Netscape Comment: + OpenSSL Generated Certificate + Signature Algorithm: sha256WithRSAEncryption + 50:37:17:f3:ee:44:32:55:d7:29:5e:79:d2:f7:c2:12:f2:dd: + 
5f:63:5e:fb:2d:97:0f:69:0a:f9:62:7f:2e:b0:e7:d5:00:3e: + f4:78:03:0d:fa:ac:de:c1:cb:69:c0:f3:c8:15:b0:71:1e:79: + f7:b8:0a:b9:76:e9:54:da:5e:20:04:7a:4b:f1:99:e1:fa:2b: + 3c:63:4a:67:a8:ef:7b:99:0d:95:fc:65:c4:b3:ff:25:25:97: + fc:33:45:a7:07:94:2f:09:9a:24:82:24:27:09:66:31:fe:cd: + 04:7c:4d:e1:2e:82:b0:a8:e9:37:e4:7b:6c:4c:06:19:04:0f: + 82:2d:8b:91:4c:4e:fd:87:ac:56:77:02:da:3f:36:08:0d:57: + 78:f0:14:2f:31:a0:74:30:cd:6a:58:de:9e:fa:a7:ce:a8:f5: + 7f:f4:2c:70:3c:a7:86:3d:2e:49:c8:06:a2:91:88:5e:98:d2: + d6:13:97:13:2f:53:e0:42:16:e1:e0:1e:09:e8:39:d7:4f:0b: + 14:d0:c6:33:28:08:f7:01:7c:69:a3:21:cf:8f:2d:bf:08:64: + 1a:fd:88:34:f9:7a:fd:b2:71:ba:9e:32:37:44:bb:6e:e3:a0: + 35:6a:e8:bf:cb:20:35:53:95:4d:46:ae:f6:a5:ab:d6:a1:13: + e2:ab:55:8e:eb:a2:25:d0:e0:ff:d3:d5:d5:7f:15:d2:72:b1: + a9:27:05:f5:fa:20:4c:74:f2:e4:af:8f:cf:a0:c4:03:86:f7: + f2:90:1f:77:87:92:1e:80:2c:8f:e9:26:a3:39:d7:04:9e:e5: + 2d:04:bb:05:43:a4:53:2b:b0:ec:f1:d0:5e:4a:81:64:84:3f: + ff:0a:32:74:d7:39:a7:54:83:ac:61:54:77:5f:fc:a2:5c:a3: + 98:9f:0c:fe:82:aa:40:3e:b2:93:f2:cf:4e:d8:21:d1:e0:16: + ac:cd:3c:57:88:e4:43:77:1a:1b:b8:d4:2b:fa:a6:93:60:d1: + b5:7f:ce:e0:6d:2d:21:cf:e2:2e:17:3b:d9:7a:62:78:9f:8f: + 26:1e:3e:e4:c6:13:22:12:9c:cc:9d:ad:34:6f:ac:bb:91:35: + e1:5e:22:fb:fe:db:5f:32:96:3b:e1:e2:e1:e1:6f:b6:29:20: + a4:df:9b:21:13:5c:88:5c:f6:f6:22:8f:a7:35:f4:3c:0c:e0: + 10:88:35:72:4f:ff:38:44:3e:4f:7f:4b:e6:54:c0:41:2c:1c: + aa:28:92:a9:78:11:c9:31:99:b2:2f:6f:2b:b1:34:01:8c:f2: + 92:44:7b:a5:a4:9a:31:96:12:24:02:bd:43:69:2a:a9:71:ff: + bc:90:b0:d0:c4:fe:0c:6d +-----BEGIN CERTIFICATE----- +MIIFXzCCA0egAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx +ETAPBgNVBAgMCE1hcnlsYW5kMRIwEAYDVQQHDAlCYWx0aW1vcmUxGTAXBgNVBAoM +EFRlc3QgQ0EsIExpbWl0ZWQxIzAhBgNVBAsMGlNlcnZlciBSZXNlYXJjaCBEZXBh +cnRtZW50MRAwDgYDVQQDDAdUZXN0IENBMR8wHQYJKoZIhvcNAQkBFhB0ZXN0QGV4 +YW1wbGUuY29tMB4XDTIzMDMxMzE3NTg0OVoXDTI0MDMxMjE3NTg0OVowYzELMAkG +A1UEBhMCVVMxCzAJBgNVBAgMAk1EMRIwEAYDVQQHDAlCYWx0aW1vcmUxHTAbBgNV 
+BAoMFFRlc3QgU2VydmVyLCBMaW1pdGVkMRQwEgYDVQQDDAtUZXN0IFNlcnZlcjCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALIPBbt6eGIVRNuu/MFKhJTc +BC5HZPMW8dvWhyVyrD110WZManu2QGuDQcENNQgRI6DhYBdBD5goqgYovAY7cElN +kwmEDnuD7i5Rk1/D1oxKyXuICC5YGtQBLOk1nTdXKFT/EJVH1uRNTV/q605ZFdff +gx1495eWaYRh/+25uau1UarxKYcHTvJA1t0H6Bs4+wGQpZHdIKUjfCqt0AYStNKP +FJuVeThUJ2IfeifXORH+7EMEHlj+G5gKePEu/J+qOurEtMHinJcjWSncruRC2Att +0/Xue3BIInnEEs+xnjJHwOB3yVJZDVR/DDbo7n4aE/HNa0pWYwqyG7JVZAxFH4EC +AwEAAaOB2DCB1TAdBgNVHQ4EFgQUMuOhgSCdijfT9ASkGCA+lymj1pswHwYDVR0j +BBgwFoAUkKr4QraEAQkYOXahWb8ZKQSUbCswCQYDVR0TBAIwADALBgNVHQ8EBAMC +BaAwTQYDVR0RBEYwRIILZXhhbXBsZS5jb22CEndlYmFwcC5leGFtcGxlLmNvbYIQ +bWFpbC5leGFtcGxlLmNvbYIPZnRwLmV4YW1wbGUuY29tMCwGCWCGSAGG+EIBDQQf +Fh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOC +AgEAUDcX8+5EMlXXKV550vfCEvLdX2Ne+y2XD2kK+WJ/LrDn1QA+9HgDDfqs3sHL +acDzyBWwcR5597gKuXbpVNpeIAR6S/GZ4forPGNKZ6jve5kNlfxlxLP/JSWX/DNF +pweULwmaJIIkJwlmMf7NBHxN4S6CsKjpN+R7bEwGGQQPgi2LkUxO/YesVncC2j82 +CA1XePAULzGgdDDNaljenvqnzqj1f/QscDynhj0uScgGopGIXpjS1hOXEy9T4EIW +4eAeCeg5108LFNDGMygI9wF8aaMhz48tvwhkGv2INPl6/bJxup4yN0S7buOgNWro +v8sgNVOVTUau9qWr1qET4qtVjuuiJdDg/9PV1X8V0nKxqScF9fogTHTy5K+Pz6DE +A4b38pAfd4eSHoAsj+kmoznXBJ7lLQS7BUOkUyuw7PHQXkqBZIQ//woydNc5p1SD +rGFUd1/8olyjmJ8M/oKqQD6yk/LPTtgh0eAWrM08V4jkQ3caG7jUK/qmk2DRtX/O +4G0tIc/iLhc72XpieJ+PJh4+5MYTIhKczJ2tNG+su5E14V4i+/7bXzKWO+Hi4eFv +tikgpN+bIRNciFz29iKPpzX0PAzgEIg1ck//OEQ+T39L5lTAQSwcqiiSqXgRyTGZ +si9vK7E0AYzykkR7paSaMZYSJAK9Q2kqqXH/vJCw0MT+DG0= +-----END CERTIFICATE----- diff --git a/tests/data/ingress-mtls/client-auth/revoked/client-key.pem b/tests/data/ingress-mtls/client-auth/revoked/client-key.pem new file mode 100644 index 0000000000..29aa3cb919 --- /dev/null +++ b/tests/data/ingress-mtls/client-auth/revoked/client-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCyDwW7enhiFUTb +rvzBSoSU3AQuR2TzFvHb1oclcqw9ddFmTGp7tkBrg0HBDTUIESOg4WAXQQ+YKKoG +KLwGO3BJTZMJhA57g+4uUZNfw9aMSsl7iAguWBrUASzpNZ03VyhU/xCVR9bkTU1f +6utOWRXX34MdePeXlmmEYf/tubmrtVGq8SmHB07yQNbdB+gbOPsBkKWR3SClI3wq +rdAGErTSjxSblXk4VCdiH3on1zkR/uxDBB5Y/huYCnjxLvyfqjrqxLTB4pyXI1kp +3K7kQtgLbdP17ntwSCJ5xBLPsZ4yR8Dgd8lSWQ1Ufww26O5+GhPxzWtKVmMKshuy +VWQMRR+BAgMBAAECggEBAKR2la/d5hWKWaikD1elsaIhOkdYsFiL5+dLVlbzfT3j +df+MM4qDAyuK+BANV99UnVj68ptn/7RmUu0PcOQ8wHEkktxmOk5BxJzJwlrg82lv +pnxQYGYWAOmzED1zxPwZp+oiEboguc7zy7T9skwSosda7qspUV+VkW6yaga01ldO +v1TKrmWjgF/ENIAdbSQnlw+Be1Kn9Giw7IXz/euGzEA+UXEH1wVuwSuTsb6u+z7+ +sAE0N9bSCQbWeA+8xsL0d09g5l3y82Gu3ZOcCYguCWn9pruu5WKkwGix/kKAvMPd +6rXtNr9XzgTtiKW2G7IdSm+L/gbXf40UKCeYfq2vTMECgYEA2p924rQiQoT0SG5M +w0olh4GqOQzQjc4Z6ZvvC5CxJa+SN3X+94PdC+hbFQMyk2Xb3DLTtylwZwkPgfK7 +XZJAieuKNG5q6iUUExof8s2PHdwiEIrZ3q2f5n+Xqjv/2E7EfYhA2tAG2FQBw7av +BWmhaBOZZNffHx4rtg2/fMIziskCgYEA0IArzPttRIquLO79zlZv//XSbNuDCNq+ +sgXJsz5wFkb/AU7xbYXEvQNbcttD5fwCC9Jo0sLbl9+CO6K0zndIe7/C9VvH118Q +1DH6R7p1c4iHlt8s0K/r80xdQk5D7N634h9c9gr/vx3vK56MxPvR7JUTecIoIyIf +IC5XacTZEvkCgYBUkwYB05/BTf/WmVz225NDJaU9ZrizcvzRQ7KpLbNqGc6dx/b3 +t7pmpd++dDs3jFsOh1ch71T9dyLZqZZUL4TqFgWkHOcdZ3Spoxyi6GSqL4O6FI0O +OOq317pLb+ScwHQBABnezEUpoO4B0YVJucBoK9TWjzBQsHJGfnEKiXI5CQKBgQDD +B9Fw6ZL5NVvdjiR9eR9E5zXRO7gjdTJBpeZZM0N3oytvlt+AmktAnr5Q/sdRftyP +IF+LHlh4hMr2a6kDJFL55pNAHX0eeb9tLd62b7TjwEdMmi/6eUSVjc4CcuFY1bBd +5QZ45Cr8I80QGTwGGqPv0DaqgzI2QvmoiZCc0FRZSQKBgQDVzkBadKdbl3C0o+SH +oPqzbhO4ZnuEpCh39IXa7GsWpdHh5YrvO/W/6xOD3cAnkjNAYspW6k59QCVWy+QH +816ZeJH0/tWudGyNyTjbv05K5/UvKrWKFtUgEgdDLYS+/az4FOHmZ1I78wXYQ3cZ +k8y6CD0kDPyOEUiADfrwGdjfiw== +-----END PRIVATE KEY----- diff --git a/tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml b/tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml new file mode 100644 index 0000000000..c6d9c05630 --- /dev/null 
+++ b/tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml
@@ -0,0 +1,10 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+ name: ingress-mtls-policy
+spec:
+ ingressMTLS:
+ clientCertSecret: ingress-mtls-secret
+ verifyClient: "on"
+ verifyDepth: 1
+ crl: webapp.crl
\ No newline at end of file
diff --git a/tests/data/ingress-mtls/secret/ingress-mtls-secret-crl.yaml b/tests/data/ingress-mtls/secret/ingress-mtls-secret-crl.yaml
new file mode 100644
index 0000000000..3e991122ee
--- /dev/null
+++ b/tests/data/ingress-mtls/secret/ingress-mtls-secret-crl.yaml
@@ -0,0 +1,8 @@
+kind: Secret
+metadata:
+ name: ingress-mtls-secret
+apiVersion: v1
+type: nginx.org/ca
+data:
+ ca.crt: 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
+ ca.crl: 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
\ No newline at end of file
From 0667cdbb63ae749b5e308b14cf9cc19abfc38150 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 14 Mar 2023 17:08:03 +0000 Subject: [PATCH 20/32] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci
--- .../client-auth/not-revoked/client-cert.pem | 12 ++++++------ .../ingress-mtls/client-auth/revoked/client-cert.pem | 12 ++++++------ .../data/ingress-mtls/policies/ingress-mtls-crl.yaml | 2 +- .../ingress-mtls/secret/ingress-mtls-secret-crl.yaml | 2 +- 4 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/tests/data/ingress-mtls/client-auth/not-revoked/client-cert.pem b/tests/data/ingress-mtls/client-auth/not-revoked/client-cert.pem
index 5c30524153..0544bf1b10 100644
--- a/tests/data/ingress-mtls/client-auth/not-revoked/client-cert.pem
+++ b/tests/data/ingress-mtls/client-auth/not-revoked/client-cert.pem
@@ -32,18 +32,18 @@ Certificate: 00:ff Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: 60:B1:14:DA:79:DA:4E:5C:A7:8F:C9:E1:4F:53:E4:0A:03:71:0F:22 - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: keyid:90:AA:F8:42:B6:84:01:09:18:39:76:A1:59:BF:19:29:04:94:6C:2B - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment - X509v3 Subject Alternative Name: + X509v3 Subject Alternative Name: DNS:example.com, DNS:webapp.example.com, DNS:mail.example.com, DNS:ftp.example.com - Netscape Comment: + Netscape Comment: OpenSSL Generated Certificate Signature Algorithm: sha256WithRSAEncryption 44:6a:06:f7:ba:cb:1d:fa:c9:bf:ab:62:7c:f0:e3:2c:a3:11: diff --git a/tests/data/ingress-mtls/client-auth/revoked/client-cert.pem b/tests/data/ingress-mtls/client-auth/revoked/client-cert.pem index 20d95b711f..52161ec1cd 100644 --- a/tests/data/ingress-mtls/client-auth/revoked/client-cert.pem +++ b/tests/data/ingress-mtls/client-auth/revoked/client-cert.pem @@ -32,18 +32,18 @@ Certificate: 1f:81 Exponent: 65537 (0x10001) X509v3 extensions: - X509v3 Subject Key Identifier: + X509v3 Subject Key Identifier: 32:E3:A1:81:20:9D:8A:37:D3:F4:04:A4:18:20:3E:97:29:A3:D6:9B - X509v3 Authority Key Identifier: + X509v3 Authority Key Identifier: keyid:90:AA:F8:42:B6:84:01:09:18:39:76:A1:59:BF:19:29:04:94:6C:2B - X509v3 Basic Constraints: + X509v3 Basic Constraints: CA:FALSE - X509v3 Key Usage: + X509v3 Key Usage: Digital Signature, Key Encipherment - X509v3 Subject Alternative Name: + X509v3 Subject Alternative Name: DNS:example.com, DNS:webapp.example.com, DNS:mail.example.com, DNS:ftp.example.com - Netscape Comment: + Netscape Comment: OpenSSL Generated Certificate Signature Algorithm: sha256WithRSAEncryption 50:37:17:f3:ee:44:32:55:d7:29:5e:79:d2:f7:c2:12:f2:dd: 
diff --git a/tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml b/tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml
index c6d9c05630..25210e25d2 100644
--- a/tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml
+++ b/tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml
@@ -7,4 +7,4 @@ spec:
 clientCertSecret: ingress-mtls-secret
 verifyClient: "on"
 verifyDepth: 1
- crl: webapp.crl
\ No newline at end of file
+ crl: webapp.crl
diff --git a/tests/data/ingress-mtls/secret/ingress-mtls-secret-crl.yaml b/tests/data/ingress-mtls/secret/ingress-mtls-secret-crl.yaml
index 3e991122ee..0df25da297 100644
--- a/tests/data/ingress-mtls/secret/ingress-mtls-secret-crl.yaml
+++ b/tests/data/ingress-mtls/secret/ingress-mtls-secret-crl.yaml
@@ -5,4 +5,4 @@ apiVersion: v1 type: nginx.org/ca data: ca.crt: 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 - ca.crl: 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 \ No newline at end of file + ca.crl: LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSURCRENCN1RBTkJna3Foa2lHOXcwQkFRc0ZBRENCcHpFTE1Ba0dBMVVFQmhNQ1ZWTXhFVEFQQmdOVkJBZ00KQ0UxaGNubHNZVzVrTVJJd0VBWURWUVFIREFsQ1lXeDBhVzF2Y21VeEdUQVhCZ05WQkFvTUVGUmxjM1FnUTBFcwpJRXhwYldsMFpXUXhJekFoQmdOVkJBc01HbE5sY25abGNpQlNaWE5sWVhKamFDQkVaWEJoY25SdFpXNTBNUkF3CkRnWURWUVFEREFkVVpYTjBJRU5CTVI4d0hRWUpLb1pJaHZjTkFRa0JGaEIwWlhOMFFHVjRZVzF3YkdVdVkyOXQKRncweU16QXpNVE14T0RBeU1qSmFGdzB5TXpBME1USXhPREF5TWpKYU1CUXdFZ0lCQWhjTk1qTXdNekV6TVRndwpNakV5V2pBTkJna3Foa2lHOXcwQkFRc0ZBQU9DQWdFQVJzQ1B6SVpqUmt1S1BlajRUdTc5a3pFTlcvRTY5NzZjClhrN2g1dEtoTHdONTROVXR0M0pSTHBWUEFwUFhnTzdhdVo5a0liWC9EaStyeks4V3BQZWhUSXg0b1RscktjbFoKT1hsM3RQWUJndmcyRzVxaFR3MlAvTjRDMzVPMWdtWllLWXFYeEd6SjlBVnU5WmNXUlJjelVCOXlaZlR1cERoOAo2SnROd2JCVVpOR2lSMkZFeUovWFNQQjFVeXJBa2IyVk1ON0E1WEZIaSt5WXFrS2xrcFNLaGNPY3lGcXpFMC9xCkQ5V1Y3enJtVDIwdU1Ya2VCVW05WEhqWHRXRTIwb01PRFBHRERBNUg2RlppL05IMXBTa0tUY3g4UjdYNGZlaFYKOUJUTVl5VENWcFVJSUhuZG91NHYxUkl2UHJpRS9PUGx4UDBjRFZCNmV1V0RXb2dJdnIyWTRpenlHdHN0WlpvTgpNZDBRY1hXTVhTUjB3U2hCdEQ1TGI5cjBLOExPS255dVFUVVNHaXZuY2JGajZNUTROU3FNMTRJdzNkOHowemowCjg5b3hBUVhNa29qdm02SWV5WS9hSlVacUlPdk56MXhkaG5kNXNtWkNoQUdTVUx4Z1hsZWFHRjg3Vyt2MThuSlQKOC83c1Vic09RR1ErdVA5dGNXcGYzcmx4MVVENWRnVW9KbHdrUk16Z09vQXYwN3JkcWRsZGQ4QVdWYndMcnlGdgo0RHVMTU5VREQrbE9iV3E0VDdBNE5zb1NadlBuaitOcDgzL3VCWEUvRmZvemJpYzJSOFZJb1NLR2NhWDh0aGZhCmpvUEw1Smt4akZGemZGcnAwMi9XRlNNd3Ezc2xrQkJqSGFkd2pNcTZiQnJ5MTQyYWlOUW44cDRsa3ZXV0RvUSsKaWdrSDNFRGdDVmM9Ci0tLS0tRU5EIFg1MDkgQ1JMLS0tLS0K From 8aa6af89f4beafd01bacef4426cfc9e2ec1c12cb Mon Sep 17 00:00:00 2001 From: Venktesh Date: Tue, 14 Mar 2023 18:21:15 +0000 Subject: [PATCH 21/32] replace patch with delete and create --- tests/suite/test_ingress_mtls.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/tests/suite/test_ingress_mtls.py b/tests/suite/test_ingress_mtls.py
index 7b11344ea1..84af0a8a2d 100644
--- a/tests/suite/test_ingress_mtls.py
+++ b/tests/suite/test_ingress_mtls.py
@@ -11,6 +11,7 @@
 patch_virtual_server_from_yaml,
 read_vs,
 read_vsr,
+ delete_and_create_vs_from_yaml,
 )
 std_vs_src = f"{TEST_DATA}/virtual-server/standard/virtual-server.yaml"
@@ -290,7 +291,8 @@ def test_ingress_mtls_polciy_crl(
 )
 print(f"Patch vs with policy: {policy_src}")
- patch_virtual_server_from_yaml(
+
+ delete_and_create_vs_from_yaml(
 kube_apis.custom_objects,
 virtual_server_setup.vs_name,
 vs_src,
@@ -310,7 +312,7 @@ def test_ingress_mtls_polciy_crl(
 vs_res = read_vs(kube_apis.custom_objects, test_namespace, virtual_server_setup.vs_name)
 teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret)
- patch_virtual_server_from_yaml(
+ delete_and_create_vs_from_yaml(
 kube_apis.custom_objects,
 virtual_server_setup.vs_name,
 std_vs_src,
From 7a83d31b75f527bc8f484a6f924e6b922d55aa71 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 14 Mar 2023 18:21:38 +0000 Subject: [PATCH 22/32] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci
--- tests/suite/test_ingress_mtls.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/suite/test_ingress_mtls.py b/tests/suite/test_ingress_mtls.py
index 84af0a8a2d..f3d7d24bd2 100644
--- a/tests/suite/test_ingress_mtls.py
+++ b/tests/suite/test_ingress_mtls.py
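Review bot: The function these hunks edit is named `test_ingress_mtls_polciy_crl` (visible in the headers of the second and third hunk) — "polciy" is a typo for "policy", and because pytest `-k` selection and CI reports key on the name it is worth renaming to `test_ingress_mtls_policy_crl` while the function is already being touched; the same header recurs in the patch 23 hunks further down. The second hunk also inserts an empty added line between the `print` and the new `delete_and_create_vs_from_yaml(` call, which is a stray blank inside a statement sequence rather than a meaningful separator. The function body starts and ends outside these hunks.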
@@ -7,11 +7,11 @@
 from suite.utils.resources_utils import create_secret_from_yaml, delete_secret, wait_before_test
 from suite.utils.ssl_utils import create_sni_session
 from suite.utils.vs_vsr_resources_utils import (
+ delete_and_create_vs_from_yaml,
 patch_v_s_route_from_yaml,
 patch_virtual_server_from_yaml,
 read_vs,
 read_vsr,
- delete_and_create_vs_from_yaml,
 )
 std_vs_src = f"{TEST_DATA}/virtual-server/standard/virtual-server.yaml"
From 5b3877a83f16f71cfd34b35a629fd65be7e27922 Mon Sep 17 00:00:00 2001
From: shaun-nx Date: Wed, 15 Mar 2023 11:38:17 +0000 Subject: [PATCH 23/32] Update tests marks and remove debug prints
--- tests/suite/test_ingress_mtls.py | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/tests/suite/test_ingress_mtls.py b/tests/suite/test_ingress_mtls.py
index f3d7d24bd2..2b4d092672 100644
--- a/tests/suite/test_ingress_mtls.py
+++ b/tests/suite/test_ingress_mtls.py
@@ -62,7 +62,7 @@ def teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret
 delete_secret(kube_apis.v1, mtls_secret, test_namespace)
-@pytest.mark.smoke
+@pytest.mark.policy
 @pytest.mark.parametrize(
 "crd_ingress_controller, virtual_server_setup",
 [
@@ -234,7 +234,7 @@ def test_ingress_mtls_policy_cert(
 )
 assert resp.status_code == expected_code and expected_text in resp.text and exception in ssl_exception
- @pytest.mark.sslcrl
+ @pytest.mark.smoke
 @pytest.mark.parametrize(
 "policy_src, vs_src, mtls_secret_in, expected_code, expected_text, vs_message, vs_state",
 [
@@ -290,8 +290,6 @@ def test_ingress_mtls_polciy_crl(
 policy_src,
 )
- print(f"Patch vs with policy: {policy_src}")
-
 delete_and_create_vs_from_yaml(
 kube_apis.custom_objects,
 virtual_server_setup.vs_name,
@@ -306,9 +304,6 @@ def test_ingress_mtls_polciy_crl(
 allow_redirects=False,
 verify=False,
 )
- print("--------------------------")
- print(f"RESPONSE Text: {resp.text}")
- print("--------------------------")
 vs_res = read_vs(kube_apis.custom_objects, test_namespace, virtual_server_setup.vs_name)
 teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret)
@@ -325,7 +320,6 @@ def test_ingress_mtls_polciy_crl(
 and vs_res["status"]["state"] == vs_state
 )
- # @pytest.mark.sslcrl
 @pytest.mark.parametrize(
 "certificate, expected_code, expected_text, exception",
 [
From 72163db1824c459027d3cf424ffa0f3397641c78 Mon Sep 17 00:00:00 2001
From: shaun-nx Date: Thu, 16 Mar 2023 10:59:14 +0000 Subject: [PATCH 24/32] Update warning message
--- internal/configs/configurator.go | 2 +- internal/configs/virtualserver.go | 2 +- internal/configs/virtualserver_test.go | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/internal/configs/configurator.go b/internal/configs/configurator.go
index 2b5f670dc9..e0e7ab37e5 100644
--- a/internal/configs/configurator.go
+++ b/internal/configs/configurator.go
@@ -62,7 +62,7 @@ const HtpasswdFileKey = "htpasswd"
 // CACrtKey is the key of the data field of a Secret where the cert must be stored.
 const CACrtKey = "ca.crt"
-// CACrlKey is the key of the data field of a Secret where the cert revocation list much be stored.
+// CACrlKey is the key of the data field of a Secret where the cert revocation list must be stored.
 const CACrlKey = "ca.crl"
 // ClientSecretKey is the key of the data field of a Secret where the OIDC client secret must be stored.
diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go
index b883ee87bb..f7a387ead0 100644
--- a/internal/configs/virtualserver.go
+++ b/internal/configs/virtualserver.go
@@ -910,7 +910,7 @@ func (p *policiesCfg) addIngressMTLSConfig(
 caFields := strings.Fields(secretRef.Path)
 if _, hasCrlKey := secretRef.Secret.Data[CACrlKey]; hasCrlKey && ingressMTLS.Crl != "" {
- res.addWarningf("Both ca.crl and ingressMTLS.crl fields cannot be used. ca.crl will be ignored and %s will be applied", polKey)
+ res.addWarningf("Both ca.crl in the Secret and ingressMTLS.crl fields cannot be used. ca.crl in %s will be ignored and %s will be applied", secretKey, polKey)
 }
 if ingressMTLS.Crl != "" {
diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go
index 96d55c293f..38ab2b701e 100644
--- a/internal/configs/virtualserver_test.go
+++ b/internal/configs/virtualserver_test.go
@@ -4075,7 +4075,7 @@ func TestGeneratePoliciesFails(t *testing.T) {
 },
 expectedWarnings: Warnings{
 nil: {
- `Both ca.crl and ingressMTLS.crl fields cannot be used. ca.crl will be ignored and default/ingress-mtls-policy will be applied`,
+ `Both ca.crl in the Secret and ingressMTLS.crl fields cannot be used. ca.crl in default/ingress-mtls-secret will be ignored and default/ingress-mtls-policy will be applied`,
 },
 },
 expectedOidc: &oidcPolicyCfg{},
From 0d585c0fa727174ae7ae2c2c0c2d1fc442d8de0e Mon Sep 17 00:00:00 2001
From: shaun-nx Date: Thu, 16 Mar 2023 12:32:32 +0000 Subject: [PATCH 25/32] Update documentation
--- docs/content/configuration/policy-resource.md | 78 +++++++++++++------ 1 file changed, 56 insertions(+), 22 deletions(-)
diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md
index c29581e290..d63ae7f94e 100644
--- a/docs/content/configuration/policy-resource.md
+++ b/docs/content/configuration/policy-resource.md
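Review bot: The precedence rule that the added warning reports — a `crl` set on the Policy wins over a `ca.crl` key delivered in the Secret — exists only inside the message string, while the code that applies it is the `if ingressMTLS.Crl != "" {` branch that follows the check; a comment above the `hasCrlKey` condition would make the rule visible to the next maintainer, e.g. `// A policy-level crl overrides the Secret's ca.crl; warn so the operator knows which revocation list is actually enforced.` The wording is also slightly contradictory: it says the two fields "cannot be used" and then describes what happens when both are used, so `"ca.crl in Secret %s and the ingressMTLS.crl field cannot both be used; ca.crl will be ignored and the crl from %s will be applied"` reads more directly (the expected string in virtualserver_test.go in the same patch would need the same update). addIngressMTLSConfig starts and ends outside the hunk.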
@@ -272,6 +272,29 @@ type: nginx.org/ca data: ca.crt: ``` + +A VirtualServer that references an IngressMTLS policy must: +* Enable [TLS termination](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualservertls). +* Reference the policy in the VirtualServer [`spec`](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserver-specification). It is not allowed to reference an IngressMTLS policy in a [`route `](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserverroute) or in a VirtualServerRoute [`subroute`](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserverroutesubroute). + +If the conditions above are not met, NGINX will send the `500` status code to clients. + +You can pass the client certificate details, including the certificate, to the upstream servers. For example: +```yaml +action: + proxy: + upstream: webapp + requestHeaders: + set: + - name: client-cert-subj-dn + value: ${ssl_client_s_dn} # subject DN + - name: client-cert + value: ${ssl_client_escaped_cert} # client certificate in the PEM format (urlencoded) +``` +We use the `requestHeaders` of the [Action.Proxy](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#actionproxy) to set the values of the two headers that NGINX will pass to the upstream servers. See the [list of embedded variables](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables) that are supported by the `ngx_http_ssl_module`, which you can use to pass the client certificate details. + +> Note: The feature is implemented using the NGINX [ngx_http_ssl_module](https://nginx.org/en/docs/http/ngx_http_ssl_module.html). + #### Using a Certificate Revocation List The IngressMTLS policy supports configuring at CRL for your policy. This can be done in one of two ways. 
@@ -279,7 +302,7 @@ This can be done in one of two ways. > Note: Only one of these configurations options can be used at a time. 1. Adding the `ca.crl` field to the `nginx.org/ca` secret type, which accepts a base64 encoded certificate revocation list (crl). -Example Yaml: + Example Yaml: ```yaml kind: Secret metadata: @@ -291,7 +314,11 @@ data: ca.crl: ``` -2. Adding the `Crl` field to your IngressMTLS policy spec with the name of the CRL. +2. Adding the `crl` field to your IngressMTLS policy spec with the name of the CRL. + +> Note: This configuration option should only be used when using a CRL that is larger than 1MiB +> Otherwise we recommend using the `nginx.org/ca` secret type for managing your CRL. + Example Yaml: ```yaml apiVersion: k8s.nginx.org/v1 
@@ -306,29 +333,36 @@ ingressMTLS:
 verifyDepth: 1
 ```
 
-> Note: When using this configuration the Ingress Controller will expect the CRL to be located at /etc/nginx/secrets
-
-A VirtualServer that references an IngressMTLS policy must:
-* Enable [TLS termination](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualservertls).
-* Reference the policy in the VirtualServer [`spec`](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserver-specification). It is not allowed to reference an IngressMTLS policy in a [`route `](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserverroute) or in a VirtualServerRoute [`subroute`](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#virtualserverroutesubroute).
-
-If the conditions above are not met, NGINX will send the `500` status code to clients.
+**IMPORTANT NOTE**
+When configuring a CRL with the `ingressMTLS.crl` field, there are additional steps to consider and limitations to understand.
+1. The Ingress Controller will expect the CRL, in this case `webapp.crl`, will be in `/etc/nginx/secrets`. We recommend updating your Ingress Controller deployment to add a Volume to mount your CRL to `/etc/nginx/secrets`
+2. When updating the content of your CRL (e.g a new certificate has been revoked), NGINX will need to be reloaded to pick up the latest changes. We recommend updating the name of your CRL and applying this update to your `ingress-mtls.yaml` policy to ensure NGINX picks up the latest CRL.
 
-You can pass the client certificate details, including the certificate, to the upstream servers. For example:
+Below is an example yaml with the required volume and volume mounts added:
 ```yaml
-action:
- proxy:
- upstream: webapp
- requestHeaders:
- set:
- - name: client-cert-subj-dn
- value: ${ssl_client_s_dn} # subject DN
- - name: client-cert
- value: ${ssl_client_escaped_cert} # client certificate in the PEM format (urlencoded)
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx-ingress
+ namespace: nginx-ingress
+spec:
+ ...
+ template:
+ ...
+ spec:
+ ...
+ volumes:
+ - name: nginx-crl
+ hostPath:
+ path: /data/crl # Replace this with the path to your CRL
+ type: Directory
+ ...
+ containers:
+ ...
+ volumeMounts:
+ - mountPath: /etc/nginx/secrets
+ name: nginx-crl
 ```
-We use the `requestHeaders` of the [Action.Proxy](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/#actionproxy) to set the values of the two headers that NGINX will pass to the upstream servers. See the [list of embedded variables](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables) that are supported by the `ngx_http_ssl_module`, which you can use to pass the client certificate details.
-
-> Note: The feature is implemented using the NGINX [ngx_http_ssl_module](https://nginx.org/en/docs/http/ngx_http_ssl_module.html).
 
 {{% table %}}
 |Field | Description | Type | Required |
From d751782664a163c00939ec59bf4acdf5bc15e396 Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Thu, 16 Mar 2023 14:24:52 +0000
Subject: [PATCH 26/32] Update pytest mark

---
 tests/suite/test_ingress_mtls.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/suite/test_ingress_mtls.py b/tests/suite/test_ingress_mtls.py
index 2b4d092672..0993e4c345 100644
--- a/tests/suite/test_ingress_mtls.py
+++ b/tests/suite/test_ingress_mtls.py
@@ -62,7 +62,7 @@ def teardown_policy(kube_apis, test_namespace, tls_secret, pol_name, mtls_secret
 delete_secret(kube_apis.v1, mtls_secret, test_namespace)
 
 
-@pytest.mark.policy
+@pytest.mark.policies
 @pytest.mark.parametrize(
 "crd_ingress_controller, virtual_server_setup",
 [
From b535e8149fff2a41531b990a6ed618bfc39bd07c Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Thu, 16 Mar 2023 17:14:12 +0000
Subject: [PATCH 27/32] Change field name to crlFileName in ingressMTLS policy

---
 deployments/common/crds/k8s.nginx.org_policies.yaml | 2 +-
 deployments/helm-chart/crds/k8s.nginx.org_policies.yaml | 2 +-
 docs/content/configuration/policy-resource.md | 6 +++---
 internal/configs/virtualserver.go | 6 +++---
 internal/configs/virtualserver_test.go | 4 ++--
 pkg/apis/configuration/v1/types.go | 2 +-
 tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml | 2 +-
 7 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/deployments/common/crds/k8s.nginx.org_policies.yaml b/deployments/common/crds/k8s.nginx.org_policies.yaml
index 84f70c2b08..cbce47e9bf 100644
--- a/deployments/common/crds/k8s.nginx.org_policies.yaml
+++ b/deployments/common/crds/k8s.nginx.org_policies.yaml
@@ -92,7 +92,7 @@ spec:
 properties:
 clientCertSecret:
 type: string
- crl:
+ crlFileName:
 type: string
 verifyClient:
 type: string
diff --git a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml
index 84f70c2b08..cbce47e9bf 100644
--- a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml
+++ b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml
@@ -92,7 +92,7 @@ spec:
 properties:
 clientCertSecret:
 type: string
- crl:
+ crlFileName:
 type: string
 verifyClient:
 type: string
diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md
index d63ae7f94e..63735dbff2 100644
--- a/docs/content/configuration/policy-resource.md
+++ b/docs/content/configuration/policy-resource.md
@@ -328,13 +328,13 @@ metadata:
 spec:
 ingressMTLS:
 clientCertSecret: ingress-mtls-secret
- crl: webapp.crl
+ crlFileName: webapp.crl
 verifyClient: "on"
 verifyDepth: 1
 ```
 
 **IMPORTANT NOTE**
-When configuring a CRL with the `ingressMTLS.crl` field, there are additional steps to consider and limitations to understand.
+When configuring a CRL with the `ingressMTLS.crlFileName` field, there are additional steps to consider and limitations to understand.
 1. The Ingress Controller will expect the CRL, in this case `webapp.crl`, will be in `/etc/nginx/secrets`. We recommend updating your Ingress Controller deployment to add a Volume to mount your CRL to `/etc/nginx/secrets`
 2. When updating the content of your CRL (e.g a new certificate has been revoked), NGINX will need to be reloaded to pick up the latest changes. We recommend updating the name of your CRL and applying this update to your `ingress-mtls.yaml` policy to ensure NGINX picks up the latest CRL.
 
@@ -370,7 +370,7 @@ spec:
 |``clientCertSecret`` | The name of the Kubernetes secret that stores the CA certificate. It must be in the same namespace as the Policy resource. The secret must be of the type ``nginx.org/ca``, and the certificate must be stored in the secret under the key ``ca.crt``, otherwise the secret will be rejected as invalid. | ``string`` | Yes |
 |``verifyClient`` | Verification for the client. Possible values are ``"on"``, ``"off"``, ``"optional"``, ``"optional_no_ca"``. The default is ``"on"``. | ``string`` | No |
 |``verifyDepth`` | Sets the verification depth in the client certificates chain. The default is ``1``. | ``int`` | No |
-|``crl`` | The name of the Certificate Revocation List. The Ingress Controller will look for this file in `/etc/nginx/secrets` | ``string`` | No |
+|``crlFileName`` | The file name of the Certificate Revocation List. The Ingress Controller will look for this file in `/etc/nginx/secrets` | ``string`` | No |
 {{% /table %}}
 
 #### IngressMTLS Merging Behavior
diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go
index f7a387ead0..7e1983093c 100644
--- a/internal/configs/virtualserver.go
+++ b/internal/configs/virtualserver.go
@@ -909,14 +909,14 @@ func (p *policiesCfg) addIngressMTLSConfig(
 
 caFields := strings.Fields(secretRef.Path)
 
- if _, hasCrlKey := secretRef.Secret.Data[CACrlKey]; hasCrlKey && ingressMTLS.Crl != "" {
+ if _, hasCrlKey := secretRef.Secret.Data[CACrlKey]; hasCrlKey && ingressMTLS.CrlFileName != "" {
 res.addWarningf("Both ca.crl in the Secret and ingressMTLS.crl fields cannot be used. ca.crl in %s will be ignored and %s will be applied", secretKey, polKey)
 }
 
- if ingressMTLS.Crl != "" {
+ if ingressMTLS.CrlFileName != "" {
 p.IngressMTLS = &version2.IngressMTLS{
 ClientCert: caFields[0],
- ClientCrl: fmt.Sprintf("%s/%s", DefaultSecretPath, ingressMTLS.Crl),
+ ClientCrl: fmt.Sprintf("%s/%s", DefaultSecretPath, ingressMTLS.CrlFileName),
 VerifyClient: verifyClient,
 VerifyDepth: verifyDepth,
 }
diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go
index 38ab2b701e..c587a5f317 100644
--- a/internal/configs/virtualserver_test.go
+++ b/internal/configs/virtualserver_test.go
@@ -3144,7 +3144,7 @@ func TestGeneratePolicies(t *testing.T) {
 Spec: conf_v1.PolicySpec{
 IngressMTLS: &conf_v1.IngressMTLS{
 ClientCertSecret: "ingress-mtls-secret",
- Crl: "default-ingress-mtls-secret-ca.crl",
+ CrlFileName: "default-ingress-mtls-secret-ca.crl",
 VerifyClient: "off",
 },
 },
@@ -4044,7 +4044,7 @@ func TestGeneratePoliciesFails(t *testing.T) {
 Spec: conf_v1.PolicySpec{
 IngressMTLS: &conf_v1.IngressMTLS{
 ClientCertSecret: "ingress-mtls-secret",
- Crl: "default-ingress-mtls-secret-ca.crl",
+ CrlFileName: "default-ingress-mtls-secret-ca.crl",
 },
 },
 },
diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go
index 85bce42199..6d23165677 100644
--- a/pkg/apis/configuration/v1/types.go
+++ b/pkg/apis/configuration/v1/types.go
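Review bot: `ingressMTLS.CrlFileName` comes straight from the Policy spec and is concatenated into `ClientCrl: fmt.Sprintf("%s/%s", DefaultSecretPath, ingressMTLS.CrlFileName)` without any check that it is a bare file name, so a value containing a path separator or `..` would make the CRL path handed to NGINX point outside the documented `/etc/nginx/secrets` directory. Since the docs in this series describe the field as a file name, the IngressMTLS spec validation (not in this hunk) should enforce exactly that, e.g. reject any value where `filepath.Base(name) != name` or that equals `.` or `..`, and this line can then build the path with `filepath.Join(DefaultSecretPath, ingressMTLS.CrlFileName)` so the intent is visible to the reader. A short comment here, `// CrlFileName is validated to be a bare file name under DefaultSecretPath`, would tie the two together. `addIngressMTLSConfig` starts and ends outside the hunk.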
@@ -456,7 +456,7 @@ type BasicAuth struct {
 // IngressMTLS defines an Ingress MTLS policy.
 type IngressMTLS struct {
 ClientCertSecret string `json:"clientCertSecret"`
- Crl string `json:"crl"`
+ CrlFileName string `json:"crlFileName"`
 VerifyClient string `json:"verifyClient"`
 VerifyDepth *int `json:"verifyDepth"`
 }
diff --git a/tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml b/tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml
index 25210e25d2..b47db9c7de 100644
--- a/tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml
+++ b/tests/data/ingress-mtls/policies/ingress-mtls-crl.yaml
@@ -7,4 +7,4 @@ spec:
 clientCertSecret: ingress-mtls-secret
 verifyClient: "on"
 verifyDepth: 1
- crl: webapp.crl
+ crlFileName: webapp.crl
From e55f0b43121b8037c15d9cec12a9b24d4b4cb5db Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Thu, 16 Mar 2023 17:30:12 +0000
Subject: [PATCH 28/32] Update documentation

---
 docs/content/configuration/policy-resource.md | 26 +------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md
index 63735dbff2..d222a19655 100644
--- a/docs/content/configuration/policy-resource.md
+++ b/docs/content/configuration/policy-resource.md
@@ -338,31 +338,7 @@ When configuring a CRL with the `ingressMTLS.crlFileName` field, there are addit
 1. The Ingress Controller will expect the CRL, in this case `webapp.crl`, will be in `/etc/nginx/secrets`. We recommend updating your Ingress Controller deployment to add a Volume to mount your CRL to `/etc/nginx/secrets`
 2. When updating the content of your CRL (e.g a new certificate has been revoked), NGINX will need to be reloaded to pick up the latest changes. We recommend updating the name of your CRL and applying this update to your `ingress-mtls.yaml` policy to ensure NGINX picks up the latest CRL.
 
-Below is an example yaml with the required volume and volume mounts added:
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx-ingress
- namespace: nginx-ingress
-spec:
- ...
- template:
- ...
- spec:
- ...
- volumes:
- - name: nginx-crl
- hostPath:
- path: /data/crl # Replace this with the path to your CRL
- type: Directory
- ...
- containers:
- ...
- volumeMounts:
- - mountPath: /etc/nginx/secrets
- name: nginx-crl
-```
+Please refer to the Kubernetes documentation on [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) to find the best implementation for your environment.
 
 {{% table %}}
 |Field | Description | Type | Required |
From d1f26dfb5106a9da870910caec8faf8f99275415 Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Thu, 16 Mar 2023 17:45:35 +0000
Subject: [PATCH 29/32] Update documentation

---
 docs/content/configuration/policy-resource.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md
index d222a19655..8cb0239234 100644
--- a/docs/content/configuration/policy-resource.md
+++ b/docs/content/configuration/policy-resource.md
@@ -335,8 +335,8 @@ ingressMTLS:
 
 **IMPORTANT NOTE**
 When configuring a CRL with the `ingressMTLS.crlFileName` field, there are additional steps to consider and limitations to understand.
-1. The Ingress Controller will expect the CRL, in this case `webapp.crl`, will be in `/etc/nginx/secrets`. We recommend updating your Ingress Controller deployment to add a Volume to mount your CRL to `/etc/nginx/secrets`
-2. When updating the content of your CRL (e.g a new certificate has been revoked), NGINX will need to be reloaded to pick up the latest changes. We recommend updating the name of your CRL and applying this update to your `ingress-mtls.yaml` policy to ensure NGINX picks up the latest CRL.
+1. The Ingress Controller will expect the CRL, in this case `webapp.crl`, will be in `/etc/nginx/secrets`. A volume mount will need to be added to the Ingress Controller deployment add your CRL to `/etc/nginx/secrets`
+2. When updating the content of your CRL (e.g a new certificate has been revoked), NGINX will need to be reloaded to pick up the latest changes. Depending on your environment this may require updating the name of your CRL and applying this update to your `ingress-mtls.yaml` policy to ensure NGINX picks up the latest CRL.
 
 Please refer to the Kubernetes documentation on [volumes](https://kubernetes.io/docs/concepts/storage/volumes/) to find the best implementation for your environment.
 
From e5134cafdac0f71abb977573838140cc393e295f Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Thu, 16 Mar 2023 17:51:04 +0000
Subject: [PATCH 30/32] Fix warning message

---
 internal/configs/virtualserver.go | 2 +-
 internal/configs/virtualserver_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go
index 7e1983093c..61e1b90233 100644
--- a/internal/configs/virtualserver.go
+++ b/internal/configs/virtualserver.go
@@ -910,7 +910,7 @@ func (p *policiesCfg) addIngressMTLSConfig(
 caFields := strings.Fields(secretRef.Path)
 
 if _, hasCrlKey := secretRef.Secret.Data[CACrlKey]; hasCrlKey && ingressMTLS.CrlFileName != "" {
- res.addWarningf("Both ca.crl in the Secret and ingressMTLS.crl fields cannot be used. ca.crl in %s will be ignored and %s will be applied", secretKey, polKey)
+ res.addWarningf("Both ca.crl in the Secret and ingressMTLS.crlFileName fields cannot be used. ca.crl in %s will be ignored and %s will be applied", secretKey, polKey)
 }
 
 if ingressMTLS.CrlFileName != "" {
diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go
index c587a5f317..663ab83e24 100644
--- a/internal/configs/virtualserver_test.go
+++ b/internal/configs/virtualserver_test.go
@@ -4075,7 +4075,7 @@ func TestGeneratePoliciesFails(t *testing.T) {
 },
 expectedWarnings: Warnings{
 nil: {
- `Both ca.crl in the Secret and ingressMTLS.crl fields cannot be used. ca.crl in default/ingress-mtls-secret will be ignored and default/ingress-mtls-policy will be applied`,
+ `Both ca.crl in the Secret and ingressMTLS.crlFileName fields cannot be used. ca.crl in default/ingress-mtls-secret will be ignored and default/ingress-mtls-policy will be applied`,
 },
 },
 expectedOidc: &oidcPolicyCfg{},
From 56d377978b72d9a930977f572ac4c61642d20b29 Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Tue, 21 Mar 2023 09:28:15 +0000
Subject: [PATCH 31/32] Update documentation

---
 docs/content/configuration/policy-resource.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md
index b122f2216b..7235fbf19c 100644
--- a/docs/content/configuration/policy-resource.md
+++ b/docs/content/configuration/policy-resource.md
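Review bot: The reworded warning is still hard to read — "Both ... fields cannot be used" suggests neither may be set — and it sits oddly next to the docs in this series, which say only one of the two CRL options can be used at a time, while the code keeps the Policy's `crlFileName` and drops the Secret's `ca.crl`. Since the choice of which revocation list is enforced is security-relevant, the message should state the rule and the outcome plainly, e.g. `res.addWarningf("ca.crl in Secret %s and ingressMTLS.crlFileName in Policy %s cannot be used together; ca.crl will be ignored and crlFileName will be applied", secretKey, polKey)`, with the expectation in `TestGeneratePoliciesFails` updated to match. The same precedence is worth spelling out in the `crlFileName` row of the policy documentation. `addIngressMTLSConfig` starts and ends outside the hunk.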
@@ -314,7 +314,7 @@ data:
 ca.crl:
 ```
 
-2. Adding the `crl` field to your IngressMTLS policy spec with the name of the CRL.
+2. Adding the `crlFileName` field to your IngressMTLS policy spec with the name of the CRL.
 
 > Note: This configuration option should only be used when using a CRL that is larger than 1MiB
 > Otherwise we recommend using the `nginx.org/ca` secret type for managing your CRL.
From 75ce8d86bf4fc90fbd32b307633a54a8c8fef1e5 Mon Sep 17 00:00:00 2001
From: shaun-nx
Date: Tue, 21 Mar 2023 10:47:45 +0000
Subject: [PATCH 32/32] Update documentation

---
 docs/content/configuration/policy-resource.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/docs/content/configuration/policy-resource.md b/docs/content/configuration/policy-resource.md
index 7235fbf19c..60c7ab9017 100644
--- a/docs/content/configuration/policy-resource.md
+++ b/docs/content/configuration/policy-resource.md
@@ -302,7 +302,7 @@ This can be done in one of two ways.
 > Note: Only one of these configurations options can be used at a time.
 
 1. Adding the `ca.crl` field to the `nginx.org/ca` secret type, which accepts a base64 encoded certificate revocation list (crl).
- Example Yaml:
+ Example YAML:
 ```yaml
 kind: Secret
 metadata:
@@ -314,12 +314,12 @@ data:
 ca.crl:
 ```
 
-2. Adding the `crlFileName` field to your IngressMTLS policy spec with the name of the CRL.
+2. Adding the `crlFileName` field to your IngressMTLS policy spec with the name of the CRL file.
 
 > Note: This configuration option should only be used when using a CRL that is larger than 1MiB
 > Otherwise we recommend using the `nginx.org/ca` secret type for managing your CRL.
 
-Example Yaml:
+Example YAML:
 ```yaml
 apiVersion: k8s.nginx.org/v1
 kind: Policy
@@ -334,7 +334,7 @@ ingressMTLS:
 ```
 
 **IMPORTANT NOTE**
-When configuring a CRL with the `ingressMTLS.crlFileName` field, there are additional steps to consider and limitations to understand.
+When configuring a CRL with the `ingressMTLS.crlFileName` field, there is additional context to keep in mind:
 1. The Ingress Controller will expect the CRL, in this case `webapp.crl`, will be in `/etc/nginx/secrets`. A volume mount will need to be added to the Ingress Controller deployment add your CRL to `/etc/nginx/secrets`
 2. When updating the content of your CRL (e.g a new certificate has been revoked), NGINX will need to be reloaded to pick up the latest changes. Depending on your environment this may require updating the name of your CRL and applying this update to your `ingress-mtls.yaml` policy to ensure NGINX picks up the latest CRL.