Add support for EgressMTLS #1180

Merged
merged 9 commits into from
Oct 9, 2020
Changes from 1 commit
22 changes: 22 additions & 0 deletions deployments/common/policy-definition.yaml
@@ -53,6 +53,28 @@ spec:
type: array
items:
type: string
egressMTLS:
description: EgressMTLS defines an Egress MTLS policy.
type: object
properties:
ciphers:
type: string
protocols:
type: string
serverName:
type: boolean
sessionReuse:
type: boolean
sslName:
type: string
tlsSecret:
type: string
trustedCertSecret:
type: string
verifyDepth:
type: integer
verifyServer:
type: boolean
ingressMTLS:
description: IngressMTLS defines an Ingress MTLS policy.
type: object
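Review bot: none of the new `egressMTLS` properties carries a `description` or any constraint, and `verifyServer` has no `default`, so the schema does not tell a user whether omitting it leaves upstream certificate verification off. Suggest adding per-field descriptions, stating the default for `verifyServer`, and bounding `verifyDepth` (for example `minimum: 0`). `ciphers` and `protocols` are free-form strings, so a bad value will only surface downstream unless it is validated elsewhere.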
20 changes: 20 additions & 0 deletions deployments/helm-chart/crds/policy.yaml
@@ -55,6 +55,26 @@ spec:
type: array
items:
type: string
egressMTLS:
description: EgressMTLS defines an Egress MTLS policy.
type: object
properties:
ciphers:
type: string
protocols:
type: string
serverName:
type: boolean
sessionReuse:
type: boolean
tlsSecret:
type: string
trustedCertSecret:
type: string
verifyDepth:
type: integer
verifyServer:
type: boolean
ingressMTLS:
description: IngressMTLS defines an Ingress MTLS policy.
type: object
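Review bot: `sslName` is missing from the `egressMTLS` properties in this copy of the CRD (20 added lines here versus 22 in deployments/common/policy-definition.yaml), yet the example policy in this commit sets `sslName: "secure-app.example.com"`. Add `sslName` with `type: string` after `sessionReuse` so both CRD copies match; depending on the CRD version, Helm installs could otherwise drop or reject the field.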
60 changes: 60 additions & 0 deletions examples-of-custom-resources/egress-mtls/README.md
@@ -0,0 +1,60 @@
# Egress MTLS

In this example, we deploy a web application, configure load balancing for it via a VirtualServer, and apply an Egress MTLS policy.

## Prerequisites

1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) instructions to deploy the Ingress Controller.
1. Save the public IP address of the Ingress Controller into a shell variable:
```
$ IC_IP=XXX.YYY.ZZZ.III
```
1. Save the HTTP port of the Ingress Controller into a shell variable:
```
$ IC_HTTP_PORT=<port number>
```

## Step 1 - Deploy a Secure Web Application

Create the application deployment, service and secret:
```
$ kubectl apply -f secure-webapp.yaml
```

## Step 2 - Deploy the Egress MLTS Secret

Create a secret with the name `egress-mtls-secret` that will be used for authentication to the Secure Web Application:
```
$ kubectl apply -f egress-mtls-secret.yaml
```

## Step 3 - Deploy the Trusted CA Secret

Create a secret with the name `egress-trusted-ca-secret` that will be used to verify the certificates of the Secure Web Application:
```
$ kubectl apply -f egress-trusted-ca-secret.yaml
```

## Step 4 - Deploy the Egress MTLS Policy

Create a policy with the name `egress-mtls-policy` that references the secrets from the previous steps:
```
$ kubectl apply -f egress-mtls.yaml
```

## Step 5 - Configure Load Balancing

Create a VirtualServer resource for the web application:
```
$ kubectl apply -f virtual-server.yaml
```

Note that the VirtualServer references the policy `egress-mtls-policy` created in Step 3.

## Step 6 - Test the Configuration

Access the secure backend with the following command:
```
$ curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT/
hello from pod secure-app-8cb576989-7hdhp
```
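Review bot: Step 1 applies `secure-webapp.yaml`, but the manifest added in this commit is `secure-app.yaml`, so the command fails as written. Two more fixes in the same file: the Step 2 heading reads "Egress MLTS Secret" (should be MTLS), and the note under Step 5 says the policy was "created in Step 3" although `egress-mtls-policy` is created in Step 4. Step 1 also lists "deployment, service and secret" while the manifest contains a ConfigMap as well.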
@@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: egress-mtls-secret
type: Opaque
data:
tls.crt: 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
tls.key: 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
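Review bot: `egress-mtls-secret` is declared `type: Opaque` although it carries a `tls.crt`/`tls.key` pair. If the controller accepts it, `type: kubernetes.io/tls` would let the API server enforce that both keys are present. A comment in the file stating that this key pair is sample material for the example only would also help.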
12 changes: 12 additions & 0 deletions examples-of-custom-resources/egress-mtls/egress-mtls.yaml
@@ -0,0 +1,12 @@
apiVersion: k8s.nginx.org/v1alpha1
kind: Policy
metadata:
name: egress-mtls-policy
spec:
egressMTLS:
tlsSecret: egress-mtls-secret
trustedCertSecret: egress-trusted-ca-secret
verifyServer: on
verifyDepth: 2
serverName: on
sslName: "secure-app.example.com"
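Review bot: `verifyServer: on` and `serverName: on` rely on the YAML 1.1 reading of `on` as a boolean, while the CRD declares both fields as `type: boolean`; a parser that follows YAML 1.2 treats `on` as a string and validation would fail. Write `true` for both. Separately, `sslName` is used here but is defined only in deployments/common/policy-definition.yaml, not in the Helm chart CRD.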
@@ -0,0 +1,7 @@
kind: Secret
metadata:
name: egress-trusted-ca-secret
apiVersion: v1
type: Opaque
data:
ca.crt: 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
79 changes: 79 additions & 0 deletions examples-of-custom-resources/egress-mtls/secure-app.yaml
@@ -0,0 +1,79 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: secure-app
spec:
replicas: 1
selector:
matchLabels:
app: secure-app
template:
metadata:
labels:
app: secure-app
spec:
containers:
- name: secure-app
image: nginxdemos/nginx-hello:plain-text
ports:
- containerPort: 8443
volumeMounts:
- name: secret
mountPath: /etc/nginx/ssl
readOnly: true
- name: config-volume
mountPath: /etc/nginx/conf.d
volumes:
- name: secret
secret:
secretName: app-tls-secret
- name: config-volume
configMap:
name: secure-config
---
apiVersion: v1
kind: Service
metadata:
name: secure-app
spec:
ports:
- port: 8443
targetPort: 8443
protocol: TCP
name: https
selector:
app: secure-app
---
apiVersion: v1
kind: ConfigMap
metadata:
name: secure-config
data:
app.conf: |-
server {
listen 8443 ssl;

server_name secure-app.example.com;

ssl_certificate /etc/nginx/ssl/tls.crt;
ssl_certificate_key /etc/nginx/ssl/tls.key;

ssl_verify_client on;
ssl_client_certificate /etc/nginx/ssl/ca.crt;

default_type text/plain;

location / {
return 200 "hello from pod $hostname\n";
}
}
---
apiVersion: v1
kind: Secret
metadata:
name: app-tls-secret
type: Opaque
data:
tls.crt: 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
tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBc0VPMmJjck1FOEVRSHdwQ3RYa0EvNXVRK0ptTEFuL0xTRlI4bFI2RzdXaHB4VUZHCi9qWm5SR3hXalJpRXZGa3JaNHgrTXdVb1N2cy9Fa3JPSWZESlhjRjRldjF4Yys4ckdMWDFMU2VnaVR4RkI4d1cKZmQzOEtnazZIdW5DVTNZWFBtRm9wY3BzZENBUHRiMnA5ZVdnVFd0N2tnZkVSRitXK3BBbEc4OUxvaW8xbUJSawpWY21UR1FReVhVQ2h1K1l1OVBLT0g4MkdkZFNGQWg4SlhSQU5pak9OWFhDZU5nRDJiZ1JFdmRFWGpTVG1rbGdXCjcxeFNyMnUydERoTU80eVpickZVVWRRZDFlRVAwSk04b3diU1FRRmFmbk9lc3J1UE5DVFh0dEJtanpOVkFRUnkKU0RSemc3QTZLL3htd2dWZE4wNW94RXBMLy9QRi9uVGhRRC9nc1FJREFRQUJBb0lCQVFDYlZFQjZSbUZLOHpLYQp0L2NMWnNQTGZMTG5jSitBcDA5andSZzhiTGRvbFQvSVZYc1RZS3ZtTHphaWhqM0tvU1hQelk0VXRmSEpDZG1OCjdCLzA1dlQ4eXhhNkE0Z3NLMUttSndzVkxMdWExR0xjdVN3RTVVOW5WOVJCRTZ4czBqOHZlTFc0akViQW10UmQKU3ZOd3YxZGhnbHRWMThSTW9KUXk0RDNqWU96OHpKQ3JLR0hKdHVxbmVBVVBZRW5TMGIrQmRHT2IrNFZ0V1VMUwpERXBwQnVWaHpSYzB6V0VqaytNWkVhS2JkaFJiOTFIM2VnMXoreEV6VWRzT3lhNmF6SFpuY1ZHWmRZOXlKbnlZCm54cVZ0TFNYWEtLb0JNa0twdFdPcXppaVJLOUU3REFDeHc3bm1ySGFRMVU3RThBQjhEbVM4V3o1ZjVYS1d5c2wKRjhxdWxUekZBb0dCQU45WXRyWnVLWURSM085ME45QlVYeUROcGNQS01zOG4wd2VIeFNHY29OdFF4Rk9zejJCYwpWZTJ5NTNadzYwaUhhTy9kV1VaZGc0Y1cwNEs3TVJWSTR5VzRHWGQ1Vzc0VTlOSDNSckZWTmFNM1IwRzVtRSs3CjZYU0pxOCtkZXZOeGRqeUFyY2pIMy9HMTFZMHh6T3ZmMGc1THRDUGV6ci8xUGtKNHludHNJbU9QQW9HQkFNb0kKMXVVMTlmTEUwUXNvcWZRYVZhSk9SY0JCM1hjK2pPeG9sK3FTNnhpcjNiNjkwSCtobTZaVnJsQnFvMHIyem5HYwowS2hiTytyNUpZOG5oT2orS2haU1hnbk9vUVNDSktsb05zdnJlMEp4cFR5TkQ0blFsS1BNRlE5dXo5NW9BR2YyCkpsUm1ZekRCNHBxQ1M0MCt2cU5jcUdvRk5xOHBnZVhFUkx4SUhsZS9Bb0dBT2o3RmIyL3RMT1lONnZodzhjaC8KQW12KzliOU9YczJ3Ny83TlB3Vzh3VlVmemY1OEdsSWFLcUlFVU5RRDErZFFTM1Y3S2FtTGVuaE9jb0prdTN0RgptWG1ZVXByNGZPcTBLZW1GcXd0Z3NJN2k2MVgrVFpUZ3ZmNkZLdUNUeHRicEVjQXhFZkptQ1gvMUVCeFRwNU80CkVQaFhJeCtnNVZpTWd3TkRNc3F4Y1NzQ2dZRUF2MzNUV1Z0azY1NmEySzNKTUlJSmFwWXZ6SU5oU3hXeGNwM00KWjl5ckVpNU1OZThwZ04rSGJRZkcrWmVwZ0hNZngxV3YrL0xGZnZoNUhnK0NEV2hpTWRnT0k5T0NrSWhlQVdleQprR040NThoWnFtTzFONVhJWE53aGxnZ2M1QnZGVHNSakhob1JwL1FOT1ErSVZxOEMrRW5wb3R1Z01qUHdWL3hJCmZnRUpLWGNDZ1lBRzNvb0dIdG9ZbnlQd0hkSXJmWUp
EMHRnTDJjL054bnE3MVYvTGVpRE1pdjhmMGp1dXU2ckMKb2xqN3ZGalEvQUdQeXZBV3p5WTVzd3crcUVHOWNTRG91WFFNMkJ1MXc3aHVxMkR4cWM3STl6TzJEZVMzVDBIbgpjWWxQaXVuY1FjUWsyTFpTOCtWTE85RDVYQmdOT1BSSnd2NU1PcytTUUVadGJMd2J3ZWh6M0E9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
ca.crt: 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
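Review bot: `app-tls-secret` commits a base64-encoded PEM RSA private key in `tls.key`; add a comment in the manifest that the key and certificates are sample material for this example and must not be reused, or generate them in a setup step instead. In `app.conf`, `ssl_verify_client on` together with `ssl_client_certificate /etc/nginx/ssl/ca.crt` is what makes the backend require the Ingress Controller's client certificate, so a one-line comment there would help readers connect it to `egress-mtls-secret`. The README refers to this file as `secure-webapp.yaml`, which does not match.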
16 changes: 16 additions & 0 deletions examples-of-custom-resources/egress-mtls/virtual-server.yaml
@@ -0,0 +1,16 @@
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
name: webapp
spec:
host: webapp.example.com
upstreams:
- name: secure-app
service: secure-app
port: 8443
routes:
- path: /
policies:
- name: egress-mtls-policy
action:
pass: secure-app
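Review bot: upstream `secure-app` points at port 8443, where the backend's `app.conf` listens with `ssl`, but the upstream has no `tls` block. If the policy alone does not switch the proxy to HTTPS, add `tls:` with `enable: true` under the upstream; if it does, say so in the README. Also note that the `host` has no `tls` section and the README test uses `http://`, so only the hop from the Ingress Controller to the backend is protected in this example; a sentence stating that would avoid misreading it as end-to-end TLS.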