https ca annotation #1461
Comments
For the record, I think I got the flag wrong. According to this: it should be:
@kfox1111 Is this a ConfigMap (general) and should be the responsibility of the admin? Or can this be an annotation, and the user might specify which CAs its backend accepts?
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/remove-lifecycle stale
Annotation would be required as end users control annotations but not the nginx-ingress configmap.
I don't see any updates on this and am running into this exact issue, where the entities that run the backend servers are separate from those that maintain the nginx ingress controllers, and allowing them to provide their own .pem as an annotation in their ingress rules would be a perfect situation.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/remove-lifecycle stale
Is this easier to implement now that the cert stuff is going through lua? Or is it still done via nginx config?
I would like to have this annotation.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/remove-lifecycle stale
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
If this is not going to be worked on, how can it be achieved within the ConfigMap? /remove-lifecycle rotten
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/reopen
@rafaelmagu: You can't reopen an issue/PR unless you authored it or you are a collaborator. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Can we please sponsor this issue somehow?
@rafaelmagu what is missing in the annotations https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-certificate-authentication to achieve your goals?
@aledbf I somehow have missed this. When was it made available?
And yes, it addresses my issue.
Since 0.26.0 #4327
I see a case where the ingress provider (me) is separate from my users (namespaced), where they should manage their own CA, and through their particular ingress rules, specify what CA they signed their backends with. This means I don't need to give them my org's wildcard certs. When there are multiple distinct users (namespaces), there may be multiple CAs involved and rebuilding an ingress to onboard new users would be a heavy lift.
Looks like nginx supports overriding a particular proxy's CA: http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate
So we'd need an annotation like: "ingress.kubernetes.io/secure-backend-ca" which would point to a configmap with a ca.pem in it. The ingress controller would download that configmap's ca.pem, place it somewhere nginx could get to, and override the proxy_ssl_certificate option on that ingress to point to the file.
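Added example, not part of the thread or the project's own code: a per-tenant Ingress using the backend certificate authentication annotations linked in the comments, so each namespace names the CA its backend was signed with. The namespace, Secret, host and Service names are hypothetical, and the `networking.k8s.io/v1` API version assumes a current controller and cluster.

```yaml
# Hypothetical names: team-a, backend-ca, app, app-svc, app.example.com.
# The tenant creates the Secret in their own namespace; the linked docs
# describe it as holding ca.crt (trusted CAs, PEM) and, for client
# authentication to the backend, tls.crt and tls.key. For example:
#   kubectl -n team-a create secret generic backend-ca --from-file=ca.crt=ca.pem
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: team-a
  annotations:
    # Speak TLS to the backend pods instead of plain HTTP.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Secret reference in "namespace/secretName" form.
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "team-a/backend-ca"
    # Verification defaults to off; without this line the CA is loaded
    # but the backend certificate is never checked against it.
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-verify-depth: "2"
    # Name the backend certificate is expected to carry.
    nginx.ingress.kubernetes.io/proxy-ssl-name: "app-svc.team-a.svc"
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: app-svc
            port:
              number: 8443
```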