Docs: Update documentation of auth-tls-match-cn annotation to add possible check on all DN fields #11842
Labels: area/docs, kind/documentation, lifecycle/frozen, needs-priority, triage/accepted
Hi All,
I have just a small suggestion to improve/complete the documentation of auth-tls-match-cn annotation.
The doc mentions that the annotation is used to add a sanity check on the CN of the client certificate during an mTLS handshake.
However, the sanity check may also apply to other fields of the DN of the certificate, like "OU", and this might be very handy when performing checks on a group of certificates based on "OU" (a group of certificates belonging to an Organizational Unit) or other criteria.
So for example, the annotation may have the following value to accept only certificates whose DN contains the "'OU=FOO,OU=BAR'" fields:
nginx.ingress.kubernetes.io/auth-tls-match-cn: "'OU=FOO,OU=BAR'"
This type of check is already working, having tested it recently, and the code shows indeed that the condition applies to the DN, not only the CN:
Refer to https://github.com/kubernetes/ingress-nginx/blob/main/rootfs/etc/nginx/template/nginx.tmpl#L1016
Would it be possible therefore to update the annotation documentation to add these possible checks?
Thanks,
/kind documentation
/remove-kind feature
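To make the behaviour described above concrete, here is an added example (not code from ingress-nginx or from the issue author) that mirrors what the template does: the annotation value is treated as a regex and the request is rejected when the client certificate's DN string does not match it. The sample DNs are constructed, and their comma-separated "attr=value" layout is assumed to be the form nginx exposes in `$ssl_client_s_dn`; `dn_allowed`, `evaluate` and `anchored_pattern` are hypothetical helper names. The example also goes slightly beyond the issue by showing why an attribute-anchored pattern matters: because the match is an unanchored substring search, a loose pattern such as `OU=FOO` also accepts `OU=FOOBAR`.

```python
import re

# Constructed sample client-certificate DNs (not from the issue), written in the
# comma-separated "attr=value" form that nginx is assumed to expose as
# $ssl_client_s_dn. Order and separator are an assumption for this example.
CLIENT_DNS = {
    "alice": "CN=alice,OU=FOO,OU=BAR,O=Example Corp",
    "bob":   "CN=bob,OU=FOOBAR,OU=BAR,O=Example Corp",
    "carol": "CN=carol,OU=OTHER,O=Example Corp",
}


def dn_allowed(dn: str, pattern: str) -> bool:
    """Mirror of the template check: the auth-tls-match-cn value is used as a
    regex and the request is rejected when the DN string does not match it.
    Like nginx's ~ / !~ operators, the search is unanchored, so the pattern may
    match anywhere inside the DN string."""
    return re.search(pattern, dn) is not None


def evaluate(pattern: str) -> dict:
    """Apply one annotation pattern to every constructed client DN and report
    which clients would be let through."""
    return {name: dn_allowed(dn, pattern) for name, dn in CLIENT_DNS.items()}


def anchored_pattern(required: list) -> str:
    """Hypothetical helper: build a pattern that requires each attribute in
    `required` to appear as a whole attribute, delimited by the start of the
    string, a comma, or the end, in any order. PCRE lookaheads are used so the
    same pattern is usable in the nginx annotation value."""
    parts = []
    for attr in required:
        parts.append(r"(?=.*(?:^|,)%s(?:,|$))" % re.escape(attr))
    return "".join(parts)


if __name__ == "__main__":
    # The exact pattern from the issue: only alice carries OU=FOO,OU=BAR in that order.
    print("OU=FOO,OU=BAR ->", evaluate("OU=FOO,OU=BAR"))
    # A loose pattern over-matches: bob's OU=FOOBAR contains the substring OU=FOO.
    print("OU=FOO        ->", evaluate("OU=FOO"))
    # Attribute-anchored, order-independent form: bob is rejected again.
    print("anchored      ->", evaluate(anchored_pattern(["OU=BAR", "OU=FOO"])))
```

The outer `"'...'"` quoting in the annotation value is nginx configuration syntax and is not part of the regex, so the example works on the bare pattern. When the intent is "certificates belonging to OU=FOO", the anchored form is the one to put in the annotation, since a bare `OU=FOO` would also admit any other OU that merely starts with FOO.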