Certificate Based Mutual Authentication with NGINX Ingress

Overview

In this guide, you will learn how to configure two-way mutual authentication with an NGINX Ingress controller on Kubernetes.

Acquiring Certificates

The first step in mutual authentication is to secure your endpoint, which in this case is the NGINX Ingress controller. You will need a certificate and key from a trusted authority.

Creating an NGINX Ingress Resource

The NGINX Ingress resource is defined in a YAML file. Both the certificate and key will

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
spec:
  # Name of the IngressClass served by your NGINX ingress controller.
  ingressClassName: nginx
  rules:
  - host: app.serverlab.ca
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp
            port:
              number: 80
  tls:
  - hosts:
    - app.serverlab.ca
    secretName: my-certs

tls: This key provides the configuration keys for enabling HTTPS in an NGINX ingress controller.

hosts: Used to define the list of hostnames TLS will be enabled for. Wildcards are not supported, so every hostname added to the cert must be set here as well.

secretName: The name of the secret resource created to store the certificate and key.

Create the new ingress resource using the kubectl apply command.

kubectl apply -f nginx-ingress.yml

Enabling Certificate based Mutual Authentication

Mutual authentication is enabled by adding annotations to your Ingress resource. The annotations configure NGINX to verify a client's certificate against a trusted CA.

Update the existing NGINX Ingress YAML file, adding the annotations.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
  annotations:
    # Require and verify a client certificate on every TLS handshake.
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # <namespace>/<secret>; the secret must carry the trusted CA under the key ca.crt.
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/my-certs"
spec:
  ingressClassName: nginx
  rules:
  - host: app.serverlab.ca
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: myapp
            port:
              number: 80
  tls:
  - hosts:
    - app.serverlab.ca
    secretName: my-certs

Verify-client: Instructs NGINX to verify the certificate presented by a client, ensuring it is from a trusted authority.
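The following script is an added example, not part of the original guide. It builds a throwaway client CA and client certificate with openssl, performs the same chain check that auth-tls-verify-client "on" applies to a presented certificate, and renders the Secret that both secretName and auth-tls-secret refer to; the subject names (client-ca, client1, rogue) are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): throwaway client CA, the chain
# check NGINX performs with auth-tls-verify-client "on", and the Secret
# manifest referenced by secretName and auth-tls-secret. Names are constructed.
set -eu
WORKDIR=$(mktemp -d)

make_test_pki() {
  # Private CA whose certificate becomes the ca.crt entry of the Secret.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client-ca" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
  # Client certificate issued by that CA; this is what callers present.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORKDIR/client.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -out "$WORKDIR/client.crt" 2>/dev/null
  # Self-signed certificate from outside the CA, used to show rejection.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
    -keyout "$WORKDIR/rogue.key" -out "$WORKDIR/rogue.crt" 2>/dev/null
}

# The trust decision NGINX makes with auth-tls-verify-client "on":
# the presented certificate must chain to a CA in ca.crt. Exit 0 = accepted.
verify_client_cert() {  # usage: verify_client_cert <ca.crt> <client.crt>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Secret for secretName/auth-tls-secret: tls.crt and tls.key terminate TLS for
# the Ingress host, ca.crt is the trust anchor for client certificates.
render_secret() {  # usage: render_secret <server.crt> <server.key> <ca.crt>
  b64() { base64 < "$1" | tr -d '\n'; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: my-certs
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: $(b64 "$1")
  tls.key: $(b64 "$2")
  ca.crt: $(b64 "$3")
EOF
}

make_test_pki
verify_client_cert "$WORKDIR/ca.crt" "$WORKDIR/client.crt" && echo "client1: accepted"
verify_client_cert "$WORKDIR/ca.crt" "$WORKDIR/rogue.crt" || echo "rogue: rejected"
# Demo stand-in for the server pair; in a cluster use the cert and key from your
# trusted authority, then: kubectl apply -f my-certs.yml
render_secret "$WORKDIR/client.crt" "$WORKDIR/client.key" "$WORKDIR/ca.crt" > "$WORKDIR/my-certs.yml"
```

Against a live cluster, `curl --cert client.crt --key client.key https://app.serverlab.ca/` should succeed, while the same request without `--cert` is refused by NGINX with a 400 response ("No required SSL certificate was sent").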