In this guide, you will learn how to configure two-way mutual authentication with an NGINX Ingress controller on Kubernetes.
The first step in mutual authentication is to secure your endpoint, which in this case is the NGINX Ingress controller. You will need a certificate and key from a trusted authority.
Creating an NGINX Ingress Resource
The NGINX ingress controller is created using a YAML file. Both the certificate and key will
apiVersion: v1 kind: Ingress metadata: name: myapp-ingress spec: rules: - host: app.serverlab.ca http: paths: - backend: serviceName: myapp servicePort: 80 path: / tls: - hosts: - app.serverlab.ca secretName: my-certs
tls: This key provides the configuration keys for enabling HTTPS in an NGINX ingress controller.
hosts: Used to define a lot of hostnames TLS will be enabled for. Wildcards are not supported, so every hostname added to the cert must be set here as well.
secretName: The name of the secret resources created to store the certificate and key.
Create the new ingress resource using the kubectl apply command.
kubectl apply -f nginx-ingress.yml
Enabling Certificate based Mutual Authentication
Mutual authentication is enabled by adding an annotation to your ingress controller. The annotation sets the NGINX configuration to verifying a client’s certificate.
Update the existing NGINX Ingress YAML file, adding the annotations.
apiVersion: v1 kind: Ingress metadata: name: myapp-ingress annotations: nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" nginx.ingress.kubernetes.io/auth-tls-secret: "default/my-certs" spec: rules: - host: app.serverlab.ca http: paths: - backend: serviceName: myapp servicePort: 80 path: / tls: - hosts: - app.serverlab.ca secretName: my-certs
Verify-client: Instructs NGINX to verify the certificate presented by a client, ensuring it is from a trusted authority.