Adds strict match annotation + updated tests/docs

[chrisshino]

What this PR does / why we need it:

This officially closes: #8330, this patch is needed to satisfy some of the feedbacks received on the original branch that was already merged in.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation only

Which issue/s this PR fixes

How Has This Been Tested?

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I've read the CONTRIBUTION guide
• I have added tests to cover my changes.
• All new and existing tests passed.

[k8s-ci-robot]

Hi @chrisshino. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[chrisshino]

#8434 In this pull request James mentions a few things that would improve this annotation and I implemented them.

1. Pulling out the CN from the client certificates DN (this has been done, meaning no longer do we have to add "CN=" before the regex or string to match.
2. Having an option to choose between either a strict match or regex match (these have both been implemented here)

[rikatz]

let's not deprecate an annotation. Instead, the old behavior should be called this way, and the new one can have a new name

[chrisshino]

makes sense! I will keep the original one here as the regex version, and then only add a new one for the strict mode!

[rikatz]

why is this being downgraded?

[chrisshino]

these must have happened after I did a go mod tidy, im not sure why Ill make sure they are the same as before!

[rikatz]

why is this being downgraded?

[rikatz]

please don't ignore the error here

[rikatz]

Is there any priority here? Like exact > regex? If so, we should early exit if there's an exact match, otherwise try the regex.

[chrisshino]

since they are essentially 2 different annotations there isn't necessarily a priority.

[rikatz]

I want actually that we validate if this is a valid regex per NGINX and not just add it to nginx.conf.

Based on the feedbacks, do we have a common pattern of required strings, like " REGEX = domain.*" or something like that, in a way we can sanitize/remove possible dangerous characters?

If so, let's do this (in both fields actually, we should validate what character set is allowed here)

[chrisshino]

hmm yea we can do this, I think it will always something like domain.*, but for example say the person wanted to use a regex match and the CN was = "my.example.com" and their regex only contained "example", would it fail because it doesn't have a dot after?

Or what if the domain contains numbers? Any suggestions on what a good pattern could look like here? probably something that contains letters, numbers or dots, but no other characters (for example, brackets "<", ">" ?

[rikatz]

@chrisshino thanks for the PR!

I've left some comments here, happy to discuss about it.

Thanks

[chrisshino]

@rikatz thank you for the thorough review 🙏 , I believe this should address your comments

[chrisshino]

hmm so whenever the e2e test runs, the go mod is switching those 2 dependency that you called out above to the lower versions?

Then it is failing, not sure why?

[iamNoah1]

/triage accepted
/priority backlog

[iamNoah1]

/kind bug

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[rikatz]

@chrisshino 👋 long time no see, sorry!
So I've left a comment on fixing the exactMatch vs Match, remember? if you implement this, I will gladly approve and merge the PR :)

Thank you!!!

[rikatz]

/lifecycle active

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: chrisshino / name: Chris Shino (106af0f, 2c0f3f7)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: chrisshino
Once this PR has been reviewed and has the lgtm label, please ask for approval from rikatz by writing /assign @rikatz in a comment. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[chrisshino]

/assign @rikatz

[chrisshino]

@rikatz okay so it looks like in all the back and forth I had made a git mistake and pushed the wrong thing, I have since updated that and pushed all my actual fixes that addressed your issues!

For some reason my CLA is still failing because of a commit message? I dont want to mess with git anymore than I have already lol do you know a good way of fixing this? Then this PR should be good to go!

Thanks again and sorry it took so long

[rikatz]

ah yeah, the joys of git :D been there, had the same problem as you, so let's map them:

1. The commit error message is because on one of your commits you added my handler (I saw something like @rikatz comments etc)
2. If by some reason you changed your email during commits, CLA gets kind of crazy. You can even add your other emails on your github profile, or rebase here

To rebase:

• Make a backup of your git folder (in the end, if all goes wrong you can just copy over it! but really, do a backup)
• git remote add upstream git@github.com:kubernetes/ingress-nginx.git
• git rebase upstream/main
  • If there are some conflicts...welll..We can zoom some day so we can look into conflicts and cry together
• If no conflicts, do a "git log". Your commits should be the last ones, over something like upstream/main
• Take the hash of were upstream/main is (like b02130912321c0aa)
• git rebase -i the_hash_above
• A vim/nano will open
• First line you keep as is
• The rest of lines where is written "pick" you replace for the char "f"
• If you do git log again, now all your commits turned into one
• git push origin branch-name -f

Helps? :D Otherwise, we can see what to do.

[chrisshino]

@rikatz wow thanks for the step by step instructions!!

Looks like everything should be good now, its just running through CI stuff but I have the correct tags now

[k8s-ci-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sherifkayad]

@chrisshino @rikatz
I would like to report a bug in the previous implementation #8434 (I am currently using controller version 1.8.1) and that I would kindly like to see addressed by this PR. Referring to the comment here #9250 (comment)

Long story short: the combination of using ACME (e.g. letsencrypt) to issue a server cert + using client auth certs on ingress-nginx together with nginx.ingress.kubernetes.io/auth-tls-match-cn: "CN=my-cn" would result in a problem that the ACME cert can not be obtained. The reason here is that the CN check also runs for http which is wrong in my view and must only be performed when the scheme is https. As a workaround / mitigation I stopped using the nginx.ingress.kubernetes.io/auth-tls-match-cn annotation and instead I have a server snippet annotation as follows:

nginx.ingress.kubernetes.io/server-snippet: |
      set $CERT_CHECK "";
      if ($scheme = https) {
        set $CERT_CHECK "HTTPS";
      }
      if ($ssl_client_s_dn !~ "CN=my-cn") {
        set $CERT_CHECK "${CERT_CHECK}_NOCNMATCH";
      }
      if ($CERT_CHECK = HTTPS_NOCNMATCH) {
        return 403 "client certificate unauthorized: $ssl_client_s_dn\n";
      }

In my view, the check using the auth-tls-match-cn should be enhanced to be something like the logic I pasted above.