I have applications deployed in Kubernetes using the Nginx Ingress Controller. I need to implement path-based Client Certificate Validation where:
Currently, I'm using this annotation to enable/disable Client Certificate Validation (Authentication): nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
What I understand is that client cert auth is a global configuration and it cannot be configured for a specific path.
For reference, see the first few lines of the doc:
https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#client-certificate-authentication
We also thought of using 2 ingress controllers, but both URLs have the same domain, so the domain can only be resolved to one Load Balancer IP of an ingress controller service.
Please advise how we can enable client cert validation on a specific path. We are also flexible to switch to some other Ingress controller.
Simply use two separate ingress resources for two different paths:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/auth-secret"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /auth
        pathType: Prefix
        backend:
          service:
            name: auth-service
            port:
              number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tool-ingress
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /tool
        pathType: Prefix
        backend:
          service:
            name: tool-service
            port:
              number: 80
```
The /auth path will have a block for cert validation and the /tool path will bypass the validation.
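The ingress-nginx documentation linked in the question describes client certificate authentication as applied per host, so a pre-deployment check can flag any host whose Ingress resources disagree on `auth-tls-verify-client`. The following is an added example, not part of the original question or answer; the sample data is constructed in the shape of `kubectl get ingress -A -o json`, and `settings_by_host` and `mixed_hosts` are hypothetical helper names.

```python
"""Flag hosts whose Ingress resources disagree on client-certificate verification.

Input shape: the JSON document printed by `kubectl get ingress -A -o json`.
"""
import json
import sys
from collections import defaultdict

ANNOTATION = "nginx.ingress.kubernetes.io/auth-tls-verify-client"


def _ingress(name, host, path, annotations=None):
    # Builds one constructed Ingress item with only the fields the check reads.
    return {"metadata": {"name": name, "annotations": annotations or {}},
            "spec": {"rules": [{"host": host, "http": {"paths": [{"path": path}]}}]}}


# Constructed sample mirroring the two resources in the answer above.
SAMPLE = {"items": [
    _ingress("auth-ingress", "app.example.com", "/auth", {ANNOTATION: "on"}),
    _ingress("tool-ingress", "app.example.com", "/tool"),
    _ingress("other-ingress", "other.example.com", "/"),
]}


def settings_by_host(ingress_list):
    """Return {host: {verify-client value: [(ingress name, path), ...]}}."""
    hosts = defaultdict(lambda: defaultdict(list))
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        mode = (meta.get("annotations") or {}).get(ANNOTATION, "(unset)")
        for rule in item.get("spec", {}).get("rules") or []:
            host = rule.get("host", "*")  # a rule without a host matches any host
            for p in (rule.get("http") or {}).get("paths") or []:
                hosts[host][mode].append((meta.get("name"), p.get("path", "/")))
    return hosts


def mixed_hosts(ingress_list):
    """Hosts served by Ingress resources with differing verify-client values."""
    return {h: dict(m) for h, m in settings_by_host(ingress_list).items() if len(m) > 1}


if __name__ == "__main__":
    # Reads kubectl JSON from stdin when piped, else uses the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for host, modes in mixed_hosts(data).items():
        print(f"{host}: mixed {ANNOTATION} values")
        for mode, routes in modes.items():
            print(f"  {mode}: {routes}")
```

For any host the check reports, confirm the effective behaviour by requesting each path with and without a client certificate before relying on the split.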