Simple mTLS with the nginx ingress controller


Edit and run this script

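#!/usr/bin/env bash
#
# Generate a private CA plus one server and one client certificate, publish
# them as Kubernetes secrets, and create an nginx-ingress Ingress that only
# admits requests presenting a client certificate signed by that CA (mTLS).
#
# Usage:    ./run.sh   (run from the directory where key material may be written)
# Requires: openssl, kubectl configured for the target cluster
# Outputs:  ca.key/ca.crt, server.key/server.csr/server.crt,
#           client.key/client.csr/client.crt and ca.srl in the current directory;
#           secrets server-cert and ca-cert plus Ingress $INGRESS_NAME in $NAMESPACE.
# Re-running regenerates every key and certificate, so client certificates
# issued by an earlier run stop validating because the CA is replaced.

set -euo pipefail

# Private keys (including the CA key) land in the working directory; make
# every file created below readable by the current user only.
umask 077

# Variables
NAMESPACE="default"
CA_CN="/O=jbnca/OU=jbn/CN=jbn-mtls-ca"
SERVER_CN="/O=server/OU=server/CN=mtls-server"
CLIENT_CN="/O=client/OU=client/CN=mtls-client"

INGRESS_NAME="mtls101"
HOST="mtls101.jbndns1.online"

KEY_BITS=2048
CA_DAYS=7305     # CA lifetime, ~20 years
CERT_DAYS=3650   # server/client lifetime, ~10 years

# Generate the CA certificate
openssl genrsa -out ca.key "$KEY_BITS"
openssl req -x509 -new -nodes -key ca.key -subj "$CA_CN" -days "$CA_DAYS" -out ca.crt

# Generate the server certificate.
# The subject CN ("mtls-server") is not the ingress host, so a subjectAltName
# for $HOST is attached; without it, hostname verification against $HOST fails
# on clients that check SAN.
openssl genrsa -out server.key "$KEY_BITS"
openssl req -new -key server.key -subj "$SERVER_CN" -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days "$CERT_DAYS" -out server.crt \
  -extfile <(printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST")

# Generate the client certificate, restricted to client authentication so it
# cannot be presented as a server certificate.
openssl genrsa -out client.key "$KEY_BITS"
openssl req -new -key client.key -subj "$CLIENT_CN" -out client.csr
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days "$CERT_DAYS" -out client.crt \
  -extfile <(printf 'extendedKeyUsage=clientAuth\n')

# Create Kubernetes secrets.
# --ignore-not-found keeps a first run (no secret yet) from aborting under set -e.
kubectl delete secret server-cert -n "$NAMESPACE" --ignore-not-found
kubectl create secret tls server-cert --cert=server.crt --key=server.key -n "$NAMESPACE"
kubectl delete secret ca-cert -n "$NAMESPACE" --ignore-not-found
kubectl create secret generic ca-cert --from-file=ca.crt -n "$NAMESPACE"

# Create Ingress resource.
# auth-tls-* enforce the client certificate against ca-cert and forward it to
# the backend. NOTE(review): the proxy-ssl-* annotations presumably only apply
# to an HTTPS backend, and the echo service below is plain port 80, so they
# look inert here — confirm before relying on them.
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $INGRESS_NAME
  namespace: $NAMESPACE
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "$NAMESPACE/ca-cert"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "$NAMESPACE/server-cert"
spec:
  rules:
    - host: $HOST
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: echo
                port:
                  number: 80
  tls:
    - hosts:
        - $HOST
      secretName: server-cert
EOF

printf '%s\n' "mTLS setup complete."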

run:

$ ./run.sh 
Certificate request self-signature ok
subject=O = server, OU = server, CN = mtls-server
Certificate request self-signature ok
subject=O = client, OU = client, CN = mtls-client
secret "server-cert" deleted
secret/server-cert created
secret "ca-cert" deleted
secret/ca-cert created
ingress.networking.k8s.io/mtls101 configured
mTLS setup complete.

result:

note: the sslclient-* headers are also sent to the backend

That is all, hope this helps…
