Kubernetes Ingress annotations for X509 certificate authentication

I'm trying to use Kubernetes ingress annotation rules in order to enable X509 authentication. My ingress YAML file is defined below:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: bdf-opengie-test
  name: keycloak-opengie-test-ssl
  labels:
    app: keycloak-opengie
  annotations:
   nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
   nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
   nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
   nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  rules:
  - host: keycloak-opengie-test-ssl.bdf-clu4.paas.eclair.local
    http:
      paths:
      - path: /
        backend:
          serviceName: keycloak-opengie
          servicePort: http
  tls:
   - hosts:
     - keycloak-opengie-test-ssl.bdf-clu4.paas.eclair.local

When I invoke my application URL, I'm expecting to see a popup requesting a certificate, but nothing happens. It seems like the annotations have no effect in the ingress definition. Can someone tell me what's going wrong in my ingress definition? I'm using Nginx Ingress 0.15.0 and Kubernetes 1.10.5.

user2960782 asked Oct 01 '18 12:10


1 Answer

First of all, you are missing the secret with the SSL files issued for your domain (if we are talking about native k8s secret management). Your secret should be created by:

kubectl --namespace bdf-opengie-test create secret tls <secret_name> --key <key_path> --cert <cert_path>

Then your Ingress .yml file should contain this secret:

 ...
 tls:
   - hosts:
     - keycloak-opengie-test-ssl.<domain>
     secretName: <secret_name>

Only after this can you think about any annotations for auth or anything else that is not working.

Note: the secret is a namespaced object.

Konstantin Vustin answered Nov 15 '22 11:11
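As an added example (not code from the question or the answer), here is a small Python lint that checks the question's Ingress for the missing secretName the answer points to, and additionally checks that the Secret named by the auth-tls-secret annotation exists and carries a ca.crt key, which ingress-nginx requires before it can verify client certificates. The Ingress is embedded as a constructed dict so no YAML library is needed, and the Secret inventory (name to data keys) is constructed to model the namespace after the answer's kubectl command has been run.

```python
"""Lint an Ingress manifest for the TLS / client-certificate misconfiguration above."""

# Constructed sample: the question's Ingress as a plain dict (only the fields the lint reads).
INGRESS = {
    "metadata": {
        "namespace": "bdf-opengie-test",
        "name": "keycloak-opengie-test-ssl",
        "annotations": {
            "nginx.ingress.kubernetes.io/auth-tls-verify-client": "on",
            "nginx.ingress.kubernetes.io/auth-tls-secret": "opengie-tls-secret",
            "nginx.ingress.kubernetes.io/auth-tls-verify-depth": "3",
        },
    },
    "spec": {"tls": [{"hosts": ["keycloak-opengie-test-ssl.bdf-clu4.paas.eclair.local"]}]},
}

# Constructed inventory of Secrets in the Ingress namespace: name -> keys present in .data.
# This models the state after "kubectl create secret tls opengie-tls-secret ..." from the answer.
SECRETS = {"opengie-tls-secret": {"tls.crt", "tls.key"}}

ANN = "nginx.ingress.kubernetes.io/"


def lint_ingress(ingress, secrets):
    """Return a list of findings; an empty list means the manifest passes every check."""
    findings = []
    meta = ingress.get("metadata", {})
    ns = meta.get("namespace", "default")
    ann = meta.get("annotations", {})

    # 1. Each tls entry must reference a kubernetes.io/tls Secret; without it the host has no
    #    server certificate and the client-certificate annotations never come into play.
    for i, entry in enumerate(ingress.get("spec", {}).get("tls", [])):
        name = entry.get("secretName")
        if not name:
            findings.append(f"tls[{i}]: missing secretName for hosts {entry.get('hosts')}")
        elif name not in secrets:
            findings.append(f"tls[{i}]: secretName {name!r} not found in namespace {ns}")
        elif not {"tls.crt", "tls.key"} <= secrets[name]:
            findings.append(f"tls[{i}]: secret {name!r} lacks tls.crt/tls.key")

    # 2. When client verification is enabled, the referenced CA Secret must exist and hold ca.crt.
    if ann.get(ANN + "auth-tls-verify-client") in ("on", "optional", "optional_no_ca"):
        ref = ann.get(ANN + "auth-tls-secret", "")
        ref_ns, _, ref_name = ref.rpartition("/")
        if not ref_name:
            findings.append("auth-tls-verify-client is set but auth-tls-secret is missing")
        elif ref_name not in secrets:
            findings.append(f"auth-tls-secret: secret {ref_name!r} not found")
        elif "ca.crt" not in secrets[ref_name]:
            findings.append(f"auth-tls-secret: secret {ref_name!r} has no ca.crt key")
        if ref_name and not ref_ns:  # the documented form is namespace/secretName
            findings.append(f"auth-tls-secret {ref!r}: use the namespace/name form")
    return findings
```

Running lint_ingress(INGRESS, SECRETS) on the question's manifest reports the missing secretName, the missing ca.crt key (the tls secret is being reused as the CA secret), and the bare secret name; a manifest with secretName set and a separate CA secret containing ca.crt returns no findings.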