NGINX: enable / document configuration of trusted CAs for backend TLS
Summary
Related to #3383 (closed) && !2628 (merged), spawned from this discussion.
We need to ensure a method to configure the NGINX Ingress Controller pods to consume custom CAs. This impacts the use of TLS behind it, when verifying backend TLS.
Related documentation from `ingress-nginx`: Backend Certificate Authentication

- `nginx.ingress.kubernetes.io/proxy-ssl-secret: secretName`: Specifies a Secret with the certificate `tls.crt`, key `tls.key` in PEM format used for authentication to a proxied HTTPS server. It should also contain trusted CA certificates `ca.crt` in PEM format used to verify the certificate of the proxied HTTPS server. This annotation expects the Secret name in the form "namespace/secretName".
- `nginx.ingress.kubernetes.io/proxy-ssl-verify`: Enables or disables verification of the proxied HTTPS server certificate. (default: `off`)

Valid values are `on` and `off` according to upstream NGINX documentation for `proxy_ssl_verify`.
Versions
- Chart: 138c146a, all
Acceptance
- Discover the appropriate means to configure this feature set, and any particulars that create complexities / limitations.
- Document the configuration that enables TLS to the backend (see findings) - !2680 (merged)
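
A pair of manifests for the two annotations quoted above, added here as an example and not taken from this issue or from the chart. The namespace, Secret, Service and host names are hypothetical, the PEM bodies are placeholders, and `backend-protocol` and `proxy-ssl-name` are ingress-nginx annotations that this issue does not mention.

```yaml
# Constructed example: "demo", "backend-tls", "backend-svc" and
# "app.example.test" are hypothetical names; PEM bodies are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: backend-tls
  namespace: demo
type: Opaque
stringData:
  # CA that signed the backend's serving certificate; used to verify it.
  ca.crt: |
    <PLACEHOLDER: PEM-encoded CA certificate(s)>
  # Client certificate and key presented to the proxied HTTPS server.
  tls.crt: |
    <PLACEHOLDER: PEM-encoded client certificate>
  tls.key: |
    <PLACEHOLDER: PEM-encoded client private key>
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: demo
  annotations:
    # Speak TLS to the backend instead of plain HTTP.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Must be "namespace/secretName", per the documentation quoted above.
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "demo/backend-tls"
    # Defaults to "off": if this line is omitted, ca.crt is supplied
    # but the backend certificate is still not verified.
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    # Name the backend certificate is expected to carry.
    nginx.ingress.kubernetes.io/proxy-ssl-name: "backend-svc.demo.svc"
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.test
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: backend-svc
                port:
                  number: 443
```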