Cluster information:
Kubernetes version: v1.19.0
Cloud being used: bare-metal
Installation method: minikube
Host OS: Ubuntu 20.04
CNI and version: N/A
CRI and version: N/A
Hi, I am running a minikube cluster on my local machine to test out nginx ingress. I have a requirement where the container that is running my app needs to support TLS on some paths and mTLS on some paths.
Something like myserver/api1, which doesn't require mTLS, and myserver/api2, which does require mTLS.
I created an ingress resource with the following ingress host settings.
hosts:
  - host: mytlsserver
    paths: [ '/api1' ]
  - host: mymtlsserver
    paths: [ '/api2' ]
and my ingress annotations read something like:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-secret: "default/client-ca"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
nginx.ingress.kubernetes.io/service-upstream: "true"
nginx.ingress.kubernetes.io/upstream-vhost: myserver.default
Now the thing is these two annotations are applied for the ingress resource:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-secret: "default/client-ca"
Is there a way to enable client certificate verification per host,
so that when someone calls https://mytlsserver/api1 client cert verification is not done, and when someone calls https://mymtlsserver/api2 client cert verification is performed?
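
One way to get the behaviour asked about, as an added example that is not part of the original post: ingress-nginx applies the `auth-tls-*` annotations to every host in the Ingress object that carries them, so each host gets its own Ingress and only the mTLS one carries those annotations. The Ingress names, the server certificate secret names, and the Service name and port are assumptions.

```yaml
# TLS only: no auth-tls-* annotations, so no client certificate is requested.
apiVersion: networking.k8s.io/v1        # served by Kubernetes v1.19
kind: Ingress
metadata:
  name: myserver-tls                    # hypothetical name
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/service-upstream: "true"
    nginx.ingress.kubernetes.io/upstream-vhost: myserver.default
spec:
  tls:
    - hosts: [mytlsserver]
      secretName: mytlsserver-cert      # placeholder server certificate secret
  rules:
    - host: mytlsserver
      http:
        paths:
          - path: /api1
            pathType: Prefix
            backend:
              service: {name: myserver, port: {number: 80}}   # assumed Service
---
# mTLS: client certificate is verified against the CA in default/client-ca.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myserver-mtls                   # hypothetical name
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/client-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
    nginx.ingress.kubernetes.io/service-upstream: "true"
    nginx.ingress.kubernetes.io/upstream-vhost: myserver.default
spec:
  tls:
    - hosts: [mymtlsserver]
      secretName: mymtlsserver-cert     # placeholder server certificate secret
  rules:
    - host: mymtlsserver
      http:
        paths:
          - path: /api2
            pathType: Prefix
            backend:
              service: {name: myserver, port: {number: 80}}   # assumed Service
```

Client certificate verification in ingress-nginx is decided per host, not per path, so the split only works because the two APIs use different host names. Keep `/api2` out of the TLS-only Ingress so that path is reachable only through the host that verifies client certificates.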