How to handle Ingress annotations mentioned below

Please use this template for troubleshooting questions.

My issue: I am able to address below annotations in the HTTPRoute or Gateway.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    meta.helm.sh/release-name: dev-dc
    meta.helm.sh/release-namespace: default
    nginx.ingress.kubernetes.io/auth-tls-match-cn: CN=Pipeline Builder
    nginx.ingress.kubernetes.io/auth-tls-secret: default/wac-certs
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "true"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "5"
    nginx.ingress.kubernetes.io/proxy-body-size: 512m

How I encountered the problem: While I am running the pipeline, I am not able to authenticate, as the above annotations are not handled properly in my Gateway or HTTPRoute.

Solutions I’ve tried:

Version of NGF and/or NGINX: 3.0.0

Deployment environment: Dev

Hi @rajasekhar.yannam , thanks so much for your interest in our project!

Here’s how these annotations map to NGF with Gateway API:

auth-tls-secret + auth-tls-verify-client: These are addressed by FrontendTLSValidation, which is coming in the next NGF release. You’ll configure this on your Gateway listener:

tls:
  frontendValidation:
    caCertificateRefs:
      - kind: ConfigMap
        name: wac-certs

See the Gateway API FrontendTLSConfig spec for full details.

auth-tls-match-cn: Gateway API has no native concept of filtering by client certificate CN. One approach is to propagate the cert subject as a request header using RequestHeaderModifier and have your backend perform the CN check. Support for NGINX variables in RequestHeaderModifier is also coming in the next release, so you’ll be able to do:

filters:
  - type: RequestHeaderModifier
    requestHeaderModifier:
      set:
        - name: X-SSL-Client-DN
          value: $ssl_client_s_dn

However, note that auth-tls-match-cn enforces CN validation at the gateway, returning 403 before the request reaches your backend. The RequestHeaderModifier approach shifts that enforcement to the backend, so it is not an equivalent replacement if you require the gateway to be the enforcement point. If this is important for your use case, please let us know by opening an issue!

auth-tls-verify-depth: There is currently no equivalent for this in Gateway API or NGF. As above, if this is important for your use case, please let us know by opening an issue!

proxy-body-size: This is supported today via ProxySettingsPolicy. See the proxy settings documentation for configuration details.

I hope this helps!

Ciara
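The backend-side CN check that the RequestHeaderModifier approach above relies on, as an added example that is not part of this thread or of NGF itself. It assumes the gateway sets `X-SSL-Client-DN` from `$ssl_client_s_dn`, and it accepts both the RFC 2253 subject form that current nginx emits (`CN=Pipeline Builder,O=Example`) and the older slash-separated form, which goes beyond what the reply shows.

```python
"""Backend enforcement of auth-tls-match-cn semantics from the X-SSL-Client-DN header.

Assumptions (not from the thread): the gateway overwrites X-SSL-Client-DN on
every request with $ssl_client_s_dn, and the backend is reachable only through
the gateway (e.g. via NetworkPolicy); otherwise a client could forge the header.
"""
import re
from typing import Dict, Optional

ALLOWED_CN = "Pipeline Builder"   # mirrors the annotation value CN=Pipeline Builder
HEADER = "X-SSL-Client-DN"


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a subject DN into {ATTR: value}; the first occurrence of each attribute wins."""
    dn = dn.strip()
    if dn.startswith("/"):
        # legacy OpenSSL form emitted by nginx < 1.11.6: /C=US/O=Example/CN=Pipeline Builder
        parts = dn.lstrip("/").split("/")
    else:
        # RFC 2253 form: CN=Pipeline Builder,O=Example,C=US (a literal comma is escaped as "\,")
        parts = re.split(r"(?<!\\),", dn)
    attrs: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        attrs.setdefault(key.strip().upper(), value.replace("\\,", ",").strip())
    return attrs


def extract_cn(dn: Optional[str]) -> Optional[str]:
    """Return the CN from a DN string, or None when no usable DN was supplied."""
    if not dn:
        return None
    return parse_dn(dn).get("CN")


def authorize(headers: Dict[str, str], allowed_cn: str = ALLOWED_CN) -> int:
    """Return the HTTP status the backend should answer with: 200, 401 or 403."""
    # Header names are case-insensitive, so look the header up without regard to case.
    dn = next((v for k, v in headers.items() if k.lower() == HEADER.lower()), None)
    cn = extract_cn(dn)
    if cn is None:
        return 401   # no verified client certificate subject reached the backend
    return 200 if cn == allowed_cn else 403   # 403 matches what auth-tls-match-cn would return
```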

Hi @Ciara, thank you for the prompt response. I will definitely verify the given solutions. Meanwhile, could you please let me know when we can expect the next release, as I am eager to apply these changes.

We are targeting the week of May 4th for our next release including these changes @rajasekhar.yannam!

@Ciara, as we are using a K8S cluster v1.27 and are not able to upgrade as of now, we are bound to use NGF v2.4.2. This version does not support frontendValidation and custombackedpolicies which support the tls option. Is there any way that I can get to use client certificates? Appreciate your kind help.

Hi @rajasekhar.yannam, you could likely accomplish this with a SnippetsFilter or SnippetsPolicy.

For example, if you had a TLS secret with a ca.crt field like this:

apiVersion: v1
kind: Secret
metadata:
  name: ca-secret-valid
  namespace: default
type: kubernetes.io/tls
data:
  ca.crt: LS0tLS1CRUdJ...(data omitted)

If you mount this secret to your NGF deployment, this would create a secret in /etc/nginx/secrets/ca-secret-valid.crt.

This is what the mount setup would look like:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  template:
    spec:
      containers:
        - name: nginx-gateway   # container name assumed; use the name of the NGF data plane container
          volumeMounts:
            - name: client-cert-volume
              # single-file mount (path assumed) so the ca.crt key appears at the path named above;
              # note that subPath mounts are not refreshed when the Secret is rotated
              mountPath: /etc/nginx/secrets/ca-secret-valid.crt
              subPath: ca.crt
              readOnly: true
      volumes:
        - name: client-cert-volume
          secret:
            secretName: ca-secret-valid

You might then be able to reference that, at a HTTPRoute level like this:

apiVersion: gateway.nginx.org/v1alpha1
kind: SnippetsFilter
metadata:
  name: client-cert-snippet
spec:
  snippets:
    # ssl_client_certificate and ssl_verify_client are http/server-level nginx
    # directives and are not valid inside a location block, so use http.server
    - context: http.server
      value: |
        ssl_client_certificate /etc/nginx/secrets/ca-secret-valid.crt;
        ssl_verify_client on;
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: coffee
spec:
  parentRefs:
    - name: gateway
      # the listener referenced here must terminate TLS for client certificate
      # verification to take effect
      sectionName: http
  hostnames:
    - "cafe.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /coffee
      filters:
        - type: ExtensionRef
          extensionRef:
            group: gateway.nginx.org
            kind: SnippetsFilter
            name: client-cert-snippet
      backendRefs:
        - name: coffee
          port: 80

I’m not 100% sure if this exact configuration would work, but something along these lines should help you accomplish this.

Keep in mind, Snippets are disabled by default.

We document how Snippets work, and how to enable them here: Snippets | NGINX Documentation

Hope that helps!