Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to use "ssl_verify_client optional_no_ca" with the current implementation of "auth-tls-verify-client" annotation #2922

Closed
juliohm1978 opened this issue Aug 9, 2018 · 16 comments
Closed

Unable to use "ssl_verify_client optional_no_ca" with the current implementation of "auth-tls-verify-client" annotation #2922

juliohm1978 opened this issue Aug 9, 2018 · 16 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@juliohm1978
Copy link
Contributor

Is this a BUG REPORT or FEATURE REQUEST? (choose one): bug

NGINX Ingress controller version: 0.17.1

Kubernetes version (use kubectl version): 1.10

Environment:

  • Cloud provider or hardware configuration: Barebone/VMs installation
  • OS (e.g. from /etc/os-release):
# cat /etc/os-release 
NAME="Ubuntu"
VERSION="18.04 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

  • Kernel (e.g. uname -a): Linux k8s-master01-dev 4.15.0-29-generic Add healthz checker #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

  • Install tools: Kubespray 2.5.0

What happened:
I'm glad that nginx-ingress supports client certificate authentication, but the current implementation of the nginx.ingress.kubernetes.io/auth-tls-verify-client annotation does not allow the use of optional_no_ca. The only effective values that work are on or off.

While PR 1359 nicely added this feature, it doesn't account for an empty CAFileName. If you don't provide a certificate authority, the code that includes ssl_verify_client is skiped entirely, which renders optional_no_ca ineffective.

Current master branch still holds the same implementation.

What you expected to happen:
A way to configure nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional_no_ca" and have the ingress controller accept any CA, without needing to include a specific CA certificate.
@juliohm1978
Copy link
Contributor Author

Quick update. It is possible to work around this issue by adding a custom snippet to your server block.

nginx.ingress.kubernetes.io/server-snippet: |
  ssl_verify_client optional_no_ca;

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 7, 2018
@juliohm1978
Copy link
Contributor Author

/remove-lifecycle stale

Prepping PR to fix this.

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 9, 2018
This was referenced Nov 9, 2018
Closed
Closed
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 7, 2019
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 9, 2019
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Copy link
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@juliohm1978
Copy link
Contributor Author

Finally got around to return to this issue. New PR will be coming next.

/reopen
/remove-lifecycle rotten

@k8s-ci-robot
Copy link
Contributor

@juliohm1978: Reopened this issue.

In response to this:

Finally got around to return to this issue. New PR will be coming next.

/reopen
/remove-lifecycle rotten

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot reopened this Apr 27, 2019
@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Apr 27, 2019
@juliohm1978 juliohm1978 mentioned this issue Apr 27, 2019
Closed
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 26, 2019
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 25, 2019
@brockn
Copy link

brockn commented Sep 9, 2019

Does the workaround specified here actually work? When using it I get this:

-------------------------------------------------------------------------------
W0909 18:43:30.002622       8 queue.go:113] requeuing test-tls-client/meow-ingress, err
-------------------------------------------------------------------------------
Error: exit status 1
2019/09/09 18:43:29 [emerg] 108799#108799: "ssl_verify_client" directive is duplicate in /tmp/nginx-cfg688436043:532
nginx: [emerg] "ssl_verify_client" directive is duplicate in /tmp/nginx-cfg688436043:532
nginx: configuration file /tmp/nginx-cfg688436043 test failed

@juliohm1978
Copy link
Contributor Author

It works for me.

Did you also keep the nginx.ingress.kubernetes.io/auth-tls-verify-client annotation? You can't keep that enabled and also include your snippet. This will likely cause a duplicate ssl_verify_client in nginx.conf.

@brockn
Copy link

brockn commented Sep 9, 2019

Thanks for the quick reply!

I did so that was my issue with the workaround. But it actually looks like this works:

    nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional_no_ca"

I noticed this in the source:

  authVerifyClientRegex = regexp.MustCompile(`on|off|optional|optional_no_ca`)

@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Copy link
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@growingspaghetti growingspaghetti mentioned this issue Nov 30, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
4 participants
@brockn @juliohm1978 @k8s-ci-robot @fejta-bot