diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md index 30a96078de..b0c70b3ad1 100644 --- a/controllers/nginx/configuration.md +++ b/controllers/nginx/configuration.md @@ -47,6 +47,7 @@ The following annotations are supported: |[ingress.kubernetes.io/auth-url](#external-authentication)|string| |[ingress.kubernetes.io/auth-tls-secret](#certificate-authentication)|string| |[ingress.kubernetes.io/auth-tls-verify-depth](#certificate-authentication)|number| +|[ingress.kubernetes.io/auth-tls-error-page](#certificate-authentication)|string| |[ingress.kubernetes.io/base-url-scheme](#rewrite)|string| |[ingress.kubernetes.io/client-body-buffer-size](#client-body-buffer-size)|string| |[ingress.kubernetes.io/configuration-snippet](#configuration-snippet)|string| @@ -149,6 +150,12 @@ ingress.kubernetes.io/auth-tls-verify-depth The validation depth between the provided client certificate and the Certification Authority chain. +``` +ingress.kubernetes.io/auth-tls-error-page +``` + +The URL/Page that user should be redirected in case of a Certificate Authentication Error + Please check the [tls-auth](/examples/auth/client-certs/nginx/README.md) example. ### Configuration snippet diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl index ab9e7a83b2..97ccaf045f 100644 --- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl +++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl @@ -611,6 +611,9 @@ stream { ssl_client_certificate {{ $server.CertificateAuth.CAFileName }}; ssl_verify_client on; ssl_verify_depth {{ $server.CertificateAuth.ValidationDepth }}; + {{ if not (empty $server.CertificateAuth.ErrorPage)}} + error_page 495 496 = {{ $server.CertificateAuth.ErrorPage }}; + {{ end }} {{ end }} {{ range $location := $server.Locations }} 
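Review bot: The annotation value is emitted verbatim and unquoted into `error_page 495 496 = {{ $server.CertificateAuth.ErrorPage }};`, so whatever string a tenant places in the Ingress annotation becomes part of the generated nginx configuration; a value containing `;`, a newline or `{` would append further directives to the server block, and because Ingress objects are namespace-scoped while the rendered config is shared by every host the controller serves, this crosses a tenant boundary. The template cannot sanitize this itself, so the value should be constrained where it is parsed (an absolute http(s) URL or a local URI, with `;`, whitespace and braces rejected) before it reaches this line, and a template comment should record that dependency: `{{/* ErrorPage must be pre-validated by the annotation parser: it is written unquoted into error_page */}}`. It is also worth documenting, in the annotation docs rather than here, that with `=` and an absolute URL nginx answers the failed TLS handshake with a 302 to that location, whereas a local `/path` is an internal redirect that keeps the status of the target. The `{{ if ... CertificateAuth }}` block that encloses these lines starts before the hunk.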
diff --git a/core/pkg/ingress/annotations/authtls/main.go b/core/pkg/ingress/annotations/authtls/main.go
index 6db52426e6..30a1a04fcc 100644
--- a/core/pkg/ingress/annotations/authtls/main.go
+++ b/core/pkg/ingress/annotations/authtls/main.go
@@ -28,16 +28,18 @@ import (
 const (
 // name of the secret
- annotationAuthTLSSecret = "ingress.kubernetes.io/auth-tls-secret"
- annotationAuthTLSDepth = "ingress.kubernetes.io/auth-tls-verify-depth"
- defaultAuthTLSDepth = 1
+ annotationAuthTLSSecret = "ingress.kubernetes.io/auth-tls-secret"
+ annotationAuthTLSDepth = "ingress.kubernetes.io/auth-tls-verify-depth"
+ annotationAuthTLSErrorPage = "ingress.kubernetes.io/auth-tls-error-page"
+ defaultAuthTLSDepth = 1
 )
 // AuthSSLConfig contains the AuthSSLCert used for muthual autentication
 // and the configured ValidationDepth
 type AuthSSLConfig struct {
 resolver.AuthSSLCert
- ValidationDepth int `json:"validationDepth"`
+ ValidationDepth int `json:"validationDepth"`
+ ErrorPage string `json:"errorPage"`
 }
 // Equal tests for equality between two AuthSSLConfig types
@@ -54,7 +56,9 @@ func (assl1 *AuthSSLConfig) Equal(assl2 *AuthSSLConfig) bool {
 if assl1.ValidationDepth != assl2.ValidationDepth {
 return false
 }
-
+ if assl1.ErrorPage != assl2.ErrorPage {
+ return false
+ }
 return true
 }
@@ -97,8 +101,14 @@ func (a authTLS) Parse(ing *extensions.Ingress) (interface{}, error) {
 }
 }
+ errorpage, err := parser.GetStringAnnotation(annotationAuthTLSErrorPage, ing)
+ if err != nil || errorpage == "" {
+ errorpage = ""
+ }
+
 return &AuthSSLConfig{
 AuthSSLCert: *authCert,
 ValidationDepth: tlsdepth,
+ ErrorPage: errorpage,
 }, nil
 }
diff --git a/docs/annotations.md b/docs/annotations.md
index 8f157d3c8f..b23f7ecee8 100644
--- a/docs/annotations.md
+++ b/docs/annotations.md
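Review bot: `Parse` stores the `auth-tls-error-page` annotation without any validation, and the template hunk in this same change writes that string unquoted into nginx's `error_page 495 496 = ...;` directive, so a tenant who can edit an Ingress can inject arbitrary directives into the controller's shared configuration; this is the place to constrain the value. The `if err != nil || errorpage == ""` guard is also slightly odd, since in the empty case it assigns the value the variable already holds, and it silently discards any error other than "annotation absent" — acceptable for an optional annotation, but worth a comment. I would accept only an absolute http(s) URL or a local URI beginning with `/`, and reject any byte that can terminate or open an nginx directive; `url.Parse` alone is not enough because Go allows `;` inside a host. This needs `fmt`, `net/url` and `strings` in the import block, which lies outside the hunk, as does the start of `Parse`; whether a bad value should fail `Parse` (as below) or fall back to the empty default depends on how the rest of the function treats malformed annotations.
```go
	errorpage, err := parser.GetStringAnnotation(annotationAuthTLSErrorPage, ing)
	if err != nil {
		// annotation absent or unreadable: no custom error page
		errorpage = ""
	}
	if errorpage != "" {
		// The value is written verbatim into nginx's error_page directive, so
		// constrain it to an absolute http(s) URL or a local URI and reject any
		// byte that could terminate the directive or open a new block.
		if strings.ContainsAny(errorpage, ";{}#\"'\\ \t\r\n") {
			return nil, fmt.Errorf("annotation %v contains characters not allowed in an nginx error_page target", annotationAuthTLSErrorPage)
		}
		u, perr := url.Parse(errorpage)
		if perr != nil {
			return nil, fmt.Errorf("annotation %v is not a valid URL: %v", annotationAuthTLSErrorPage, perr)
		}
		isAbsolute := (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
		isLocal := u.Scheme == "" && u.Host == "" && strings.HasPrefix(u.Path, "/")
		if !isAbsolute && !isLocal {
			return nil, fmt.Errorf("annotation %v must be an absolute http(s) URL or a path starting with /", annotationAuthTLSErrorPage)
		}
	}
	// … unchanged: return &AuthSSLConfig{...} with ErrorPage: errorpage …
```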
@@ -37,6 +37,7 @@ Key: | `auth-realm` | Authentication realm. | | nginx, haproxy, trafficserver | `auth-tls-secret` | Name of secret for TLS client certification validation. | | nginx, haproxy | `auth-tls-verify-depth` | Maximum chain length of TLS client certificate. | | nginx +| `auth-tls-error-page` | The page that user should be redirected in case of Auth error | | string | `auth-satisfy` | Behaviour when more than one of `auth-type`, `auth-tls-secret` or `whitelist-source-range` are configured: `all` or `any`. | `all` | trafficserver | `trafficserver` | `whitelist-source-range` | Comma-separate list of IP addresses to enable access to. | | nginx, haproxy, trafficserver diff --git a/examples/auth/client-certs/nginx/README.md b/examples/auth/client-certs/nginx/README.md index 440815e7a0..e8c9e83ac4 100644 --- a/examples/auth/client-certs/nginx/README.md +++ b/examples/auth/client-certs/nginx/README.md @@ -32,7 +32,7 @@ Certificate Authentication is achieved through 2 annotations on the Ingress, as | --- | --- | --- | |ingress.kubernetes.io/auth-tls-secret|Sets the secret that contains the authorized CA Chain|string| |ingress.kubernetes.io/auth-tls-verify-depth|The verification depth Certificate Authentication will make|number (default to 1)| - +|ingress.kubernetes.io/auth-tls-error-page|The page that user should be redirected in case of Auth error|string (default to empty| The following command instructs the controller to enable TLS authentication using the secret from the ``ingress.kubernetes.io/auth-tls-secret`` annotation on the Ingress. Clients must present this cert to the loadbalancer, or they will receive a HTTP 400 response @@ -61,6 +61,7 @@ Rules: Annotations: auth-tls-secret: default/caingress auth-tls-verify-depth: 3 + auth-tls-error-page: http://www.mysite.com/error-cert.html Events: FirstSeen LastSeen Count From SubObjectPath Type Reason Message 
diff --git a/examples/auth/client-certs/nginx/nginx-tls-auth.yaml b/examples/auth/client-certs/nginx/nginx-tls-auth.yaml
index 23cac7b494..ac03d9d7c9 100644
--- a/examples/auth/client-certs/nginx/nginx-tls-auth.yaml
+++ b/examples/auth/client-certs/nginx/nginx-tls-auth.yaml
@@ -5,6 +5,7 @@ metadata:
 # Create this with kubectl create secret generic caingress --from-file=ca.crt --namespace=default
 ingress.kubernetes.io/auth-tls-secret: "default/caingress"
 ingress.kubernetes.io/auth-tls-verify-depth: "3"
+ auth-tls-error-page: "http://www.mysite.com/error-cert.html"
 kubernetes.io/ingress.class: "nginx"
 name: nginx-test
 namespace: default
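Review bot: The added annotation key `auth-tls-error-page` is missing the `ingress.kubernetes.io/` prefix that the two sibling annotations carry and that the new constant `annotationAuthTLSErrorPage` in authtls/main.go looks up, so the example as written never activates the error page. Change the line to `ingress.kubernetes.io/auth-tls-error-page: "http://www.mysite.com/error-cert.html"`. Since the value is rendered directly into the nginx `error_page` directive, a short comment on that line saying the controller expects an absolute http(s) URL or a local `/path` and redirects clients that fail certificate verification (nginx 495/496) there would keep users from putting arbitrary strings in it.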