ingress configuration snippets disabled by default #6
Comments
|
The snippet is needed for the client certificate to be passed back to Wildfly in a header. Are you aware of another option to use instead of a configuration snippet annotation? |
|
Annotating the ingress controller with Here is the reference: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#allow-snippet-annotations |
|
A PR would be great. Thank you! |
|
Based on this CVE: kubernetes/kubernetes#126811 it's probably not a good idea to enable this feature. |
|
OK so I did a couple of tests with the latest nginx-ingress helm chart https://github.com/kubernetes/ingress-nginx/tree/main/charts/ingress-nginx I don't know why EJBCS expects the client certificate in that header (upper case). So, if EJBCA will accept the client certificate in the |
|
I have to ask the dev on the header and if this is EJBCA or Wildfly. It would be best to not have to use a different header and keep this simple. |
|
Any update on this? |
|
The header SSL_CLIENT_CERT is what Wildfly expects to see the certificate: https://docs.wildfly.org/26/wildscribe/subsystem/undertow/server/https-listener/index.html This got me into looking at nginx and I learned that https://nginx.org/en/docs/http/ngx_http_ssl_module.html#var_ssl_client_cert I'm not a Java dev, however I think it would require a code change to wildfly to support using the nginx header in addition to the httpd header. https://github.com/wildfly/wildfly/blob/cdd3b79aec95df553c03acc00e68e033e0653fec/undertow/src/main/java/org/wildfly/extension/undertow/ExchangeAttributeDefinitions.java#L549 Otherwise the alternative path would be to run httpd or nginx in the same pod as EJBCA to map the header correctly and then pass the connection to the EJBCA container where Wildfly can access the SSL_CLIENT_CERT header. |
But we are still discussing the Kubernetes Ingress Nginx Controller I'm not a Java dev either so maybe a dev can chip in and clarify what is the best solution. However, rewriting the |
|
One thing I have working now in the helm chart is a load balancer service and an nginx container sidecar for EJBCA. This seems to be working good. Would this option work for you? |
|
Thanks, I can give it a try. Is there a branch I can checkout? |
|
It's merged into the main branch now. The values.yaml would look like this: services:
# not recommended, should only be used for debugging purpose
directHttp:
enabled: false
type: NodePort
httpPort: 30080
httpsPort: 30443
proxyAJP:
enabled: false
type: ClusterIP
bindIP: 0.0.0.0
port: 8009
# recommended, use with nginx in pod with LoadBalancer service or ingress
proxyHttp:
enabled: true
type: LoadBalancer
bindIP: 0.0.0.0
httpPort: 80
httpsPort: 443
# Extra sidecar ports to be added to the service, optionally used when sidecarContainers
# are defined and need to expose ports
sidecarPorts: []
# Requires proxyHttp service to be enabled
nginx:
enabled: true
# hostname used in the commonName of the TLS certificate issued for nginx
host: "myejbcahost.gotsven.com"
# The hostname used to proxy from nginx to EJBCA. When nginx is in the same pod as EJBCA use localhost
proxy_url_host: localhost
service:
enabled: false
type: NodePort
httpPort: 30080
httpsPort: 30443 |
|
Greetings, |
|
The chart should be 1.0.4 in the Chart.yml. Maybe I'm not doing something right that I need to figure out still |
|
I mean you need to tag the release: https://github.com/Keyfactor/ejbca-community-helm/releases |
|
I updated the version now and made a new release. |
|
Hi Sven, |
Since nginx version 1.9 configuration snippets are disabled by default kubernetes/ingress-nginx#10393
This leads to the error:
The text was updated successfully, but these errors were encountered: