VirtualServer + Cert-manager with enabled mtls

[alexandersm]

Hello,

I think , this topic has not been described before

I've configured VritualServer with CertManager to use Let's encrypt certificates, everything works fine.

On top of this configuration, I would like to enable mTLS configuration with the self-signed certificate also issued by cert-manager.

Cert-manager has created the secret with the name certsecret, but it can not be used in the Nginx Ingress Policy object, because certsecret has type "kubernetes.io/tls", whereas Nginx Ingress requires the type "nginx.org/ca"

What would be a workaround here?

My Policy object:

apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: ingress-mtls-policy
spec:
  ingressMTLS:
    clientCertSecret: certsecret
    verifyClient: "on"
    verifyDepth: 1

Kind regards,
Alexander.

[brianehlert]

cert-manager history and behavior is tied to the hostname of an Ingress or VirtualServer resource and used for TLS offload.

mTLS is (ingress or egress) is about using a certificate for both authentication and encryption.

I take it that you want to use cert-manager to interface with an internal PKI, which is different than the most common use case of a TLS focused CA such as Let's Encrypt.

Can you point us to a document that describes the use case with cert-manager?

[alexandersm]

The use case is the following.

Server Side TLS certificates are issued by some trusted CA, in my case it is Let's encrypt.

But additionally, the client shall user client TLS certificate , issued by private CA and managed by cert-manager, this client TLS certificate is passed then to the backend service behind ingress controller.

Currently, I'm able to set up such configuration only in the following way :

Nginx Ingress Transport Server with TLS pass-through -> Nginx Web Server deployment

Nginx Web server has the following configuration then:

        ssl_certificate conf.d/certs/letsencrypt-certificates/tls.crt;
        ssl_certificate_key conf.d/certs/letsencrypt-certificates/tls.key;
        ssl_client_certificate conf.d/certs/privateca/ca.crt;

In my example letsencrypt-certificates/tls.crt; and letsencrypt-certificates/tls.key; are taken from the ConfigMap, created by Cert-Manager, these certificates are issued by Let's encrypt.

ca.crt is the private self-signed CA, also issued by different Cert-Manager self-signed issuer. It is used to verify client certificates.

Then, I use the following proxy-pass rule in Nginx deployment:

        location /api/ {

                proxy_pass http://backendservice:8000/;
                proxy_set_header Host $host;
                proxy_set_header X-SSL-Certificate $ssl_client_escaped_cert;
        }

Since Nginx Ingress now supports cert-manager, it would be great to configure CA from the cert-manager to verify client certificates, and then there is no need to use Nginx deployment behind ingress anymore.

[Rockawear]

Hi,
I have the same use case and Policy is expecting nginx.org/ca secret type vs kubernetes.io/tls secret type from cert-manager. Any workaround?

[vepatel]

Hi we're looking at the ways this can be done with our current implementation.
@jasonwilliams14 @jjngx