<a id="ingress-mtls"></a>

# Ingress MTLS

Below is an example that deploys a web application, configures load balancing for it with a VirtualServer, and applies an Ingress MTLS policy so that ANIC accepts only clients presenting a certificate issued by a trusted CA.

#### NOTE
The Ingress MTLS policy supports configuring a certificate revocation list (CRL).
See [Using a certificate revocation list](https://angie.software//anic/docs/configuration/policy-resource.md#cert-revocation) for details.

## Prerequisites

1. Install ANIC.
2. Save the public IP address of ANIC in a shell variable:
   ```console
   $ IC_IP=<your_IP_address>
   ```
3. Save the HTTPS port of ANIC in a shell variable:
   ```console
   $ IC_HTTPS_PORT=<port_number>
   ```

## Configuring Ingress MTLS

1. Create a Deployment and a Service for the application:
   ```yaml
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: webapp
   spec:
     replicas: 1
     selector:
       matchLabels:
         app: webapp
     template:
       metadata:
         labels:
           app: webapp
       spec:
         containers:
         - name: webapp
           image: angiesoftware/angie-hello:plain-text
           ports:
           - containerPort: 8080
   ---
   apiVersion: v1
   kind: Service
   metadata:
     name: webapp-svc
   spec:
     ports:
     - port: 80
       targetPort: 8080
       protocol: TCP
       name: http
     selector:
       app: webapp
   ```

   Apply the configuration:
   ```console
   $ kubectl apply -f webapp.yaml
   ```
2. Create a Secret named `ingress-mtls-secret` that will be used to validate client certificates. It uses the `angie.software/ca` Secret type, and the `ca.crt` key holds the base64-encoded certificate of the CA that issues your client certificates (only the CA certificate goes into the cluster, never the CA key):
   ```yaml
   kind: Secret
   metadata:
     name: ingress-mtls-secret
   apiVersion: v1
   type: angie.software/ca
   data:
     ca.crt: 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
   ```

   Apply the configuration:
   ```console
   $ kubectl apply -f ingress-mtls-secret.yaml
   ```
3. Create a Policy named `ingress-mtls-policy` that references the Secret from the previous step. `verifyClient: "on"` makes ANIC reject any request that does not present a client certificate; `verifyDepth: 1` accepts only certificates signed directly by the CA in `ca.crt` (a client certificate issued through an intermediate CA would need a larger depth and the intermediate in `ca.crt`):
   ```yaml
   apiVersion: k8s.angie.software/v1
   kind: Policy
   metadata:
     name: ingress-mtls-policy
   spec:
     ingressMTLS:
       clientCertSecret: ingress-mtls-secret
       verifyClient: "on"
       verifyDepth: 1
   ```

   Apply the configuration:
   ```console
   $ kubectl apply -f ingress-mtls.yaml
   ```
4. Create a Secret with the server TLS certificate and key (the certificate below is self-signed for `webapp.example.com`, which is why the test step uses `--insecure`):
   ```yaml
   apiVersion: v1
   kind: Secret
   metadata:
     name: tls-secret
   type: kubernetes.io/tls
   data:
     tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHekNDQWdPZ0F3SUJBZ0lVWU90ZXQ1cnpjd2pFMlo1QUQzQS9tdVJFVzRRd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0hURWJNQmtHQTFVRUF3d1NkMlZpWVhCd0xtVjRZVzF3YkdVdVkyOXRNQjRYRFRJd01Ea3lPVEl5TVRrMQpPVm9YRFRNd01Ea3lOekl5TVRrMU9Wb3dIVEViTUJrR0ExVUVBd3dTZDJWaVlYQndMbVY0WVcxd2JHVXVZMjl0Ck1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBeU5odlg5emoraGZvN0V2TzBsNlkKNzNUTGdMZEUzWWRGcURRT1RrL3JuajhzeWRPSUdrQ0IxR0VDcHAxcmc3bk9wTWVUNHovRlNsbzQ1TzJKWWRUNQplMC9YVWRkUk9JYytoS0V3NzNoejZjc2Fjd25NdjZzZWE2UDBSY1ZDQU1pdkZoeG9sWGRDUnlsZVdrVXczd29KClFRZFozNEZCQlFoVjFvMThHeGViWWFCTjF3bjMxdXZ4ZUxqMjVyQThKOUZjWElTQzJvMGpIZmZkSTFJamJjUHUKVlhJZkh0NFVMcHpnZlpQUVVnYzUrL3BkYVVRL0JHdkdiQ3o0cnBVbzhCQnQ2N0U5RlVoVE8vYnZnU1ljQ1A4dQpvTU9uY2hyNjZMSzJ3WE82ZWQyVHR4VmQySGJZRW5TRjFFZGRqZDdRQjJMUVoxUDJBbERBZll3YmZ3R3VMVGNhCjh3SURBUUFCbzFNd1VUQWRCZ05WSFE0RUZnUVVLOXlpL0tRQXp6SjRCcHdESndGTWF1cDJCREF3SHdZRFZSMGoKQkJnd0ZvQVVLOXlpL0tRQXp6SjRCcHdESndGTWF1cDJCREF3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFOQmdrcQpoa2lHOXcwQkFRc0ZBQU9DQVFFQWVuSFIybDJVNWdNQTMyek9YY2dDeTE0RXU3S2p3ayswRzFWbkNxU1IrMmhyCjdUSHVBVDRUSGpGYzFDWDQ4YXBiLzdwV3lJVlZoZ2IybXFMSDZTZlRWOEJtMEdLZUkyUU9VSVpZb2ZJeHZMeEMKRjRzd3FLVFc1SmgyUWJ2M3owN2hvTmpSZmR0WG1GS0pUWUZzS05WN3oyMVo4WWlFQ1o4NVMwRHpoU3BaSnk3MwpkdEV5NXlsVUZvb0JyeklzajFxRHlVZ2Zlck84TkZ3b2RlNDg4QThNMVNQNWZOOTBmSHZHRU9qRzdubG1IZDJJCkdvYkd2Z0kvT3l3RWVPMVFzdEFWckVtZVRvU0ZudStxZ09iUEpxRVFETExRS21SNkRNNzI5bkw4RXRIekZwTlkKZFcxeThRdkZxVm0yN1ZVdk8ybEduM0JUUmt0dWxSckJ3Sm9hQmF3TSt3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
     tls.key: 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
   ```

   Apply the configuration:
   ```console
   $ kubectl apply -f tls-secret.yaml
   ```
5. Create a VirtualServer resource for the web application:
   ```yaml
   apiVersion: k8s.angie.software/v1
   kind: VirtualServer
   metadata:
     name: webapp
   spec:
     host: webapp.example.com
     tls:
       secret: tls-secret
     policies:
     - name: ingress-mtls-policy
     upstreams:
     - name: webapp
       service: webapp-svc
       port: 80
     routes:
     - path: /
       action:
         pass: webapp
   ```

   Apply the configuration:
   ```console
   $ kubectl apply -f virtual-server.yaml
   ```

   #### NOTE
   The VirtualServer must reference the `ingress-mtls-policy` policy created in step 3; without the `policies` entry, TLS termination still works but client certificates are never requested.
6. Test the configuration.

   If you try to reach the application without providing a client certificate and key, ANIC rejects the request. Note that `--insecure` only skips validation of the self-signed server certificate from `tls-secret`; it has no effect on the client-certificate requirement:
   ```console
   $ curl --insecure --resolve webapp.example.com:$IC_HTTPS_PORT:$IC_IP \
     https://webapp.example.com:$IC_HTTPS_PORT/
   ```

   Expected response:
   ```html
   <html>
   <head><title>400 No required SSL certificate was sent</title></head>
   <body>
   <center><h1>400 Bad Request</h1></center>
   <center>No required SSL certificate was sent</center>
   <hr><center>Angie/1.8.1</center>
   </body>
   </html>
   ```

   If you provide a valid client certificate and key, that is, a certificate issued by the CA whose certificate is stored in `ingress-mtls-secret`, the request succeeds:
   ```console
   $ curl --insecure --resolve webapp.example.com:$IC_HTTPS_PORT:$IC_IP \
     https://webapp.example.com:$IC_HTTPS_PORT/ --cert ./client-cert.pem --key ./client-key.pem
   ```

   Expected response:
   ```console
   Server address: 10.244.0.8:8080
   Server name: webapp-7c6d448df9-9ts8x
   Date: 23/Sep/2020:07:18:52 +0000
   URI: /
   Request ID: acb0f48057ccdfd250debe5afe58252a
   ```
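The steps above assume you already have a CA certificate for `ingress-mtls-secret` and a matching `client-cert.pem`/`client-key.pem` pair, but do not show where they come from. The script below is an added example, not part of the ANIC documentation or the ANIC project: it creates a private client CA, issues a client certificate signed directly by it (chain depth 1, matching `verifyDepth: 1`), creates a second certificate from an unrelated issuer to show what the policy must reject, and renders the `angie.software/ca` Secret manifest for step 2. It requires `openssl` and `base64`; the CN values, the function names, the `WORKDIR` location and the `RUN_EXAMPLE` switch are assumptions made for the example, and `check_ingress` only works against a deployed ANIC with `IC_IP` and `IC_HTTPS_PORT` set as in the prerequisites.

```shell
#!/bin/sh
# Added example (not ANIC's own code): build a private client CA, issue a
# client certificate from it, and render the angie.software/ca Secret that the
# ingressMTLS policy references. Requires openssl and base64. CN values, file
# names and WORKDIR are assumptions chosen to match the names used on this page.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create a self-signed CA. Only ca.crt is put into the cluster; ca.key stays
# offline, because anyone holding it can mint certificates ANIC will accept.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example-client-ca" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue a leaf certificate signed directly by the CA: chain depth 1, which is
# exactly what verifyDepth: 1 in the policy admits. Writes $2-key.pem / $2-cert.pem.
issue_client_cert() {
  cn="$1"; out="$2"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$out-key.pem" -out "$out.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$out.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -out "$out-cert.pem" 2>/dev/null
}

# A certificate from an unrelated issuer, standing in for a client that was
# never enrolled; the policy must reject it even though it is well-formed.
self_signed_cert() {
  cn="$1"; out="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$cn" \
    -keyout "$out-key.pem" -out "$out-cert.pem" 2>/dev/null
}

# The same check Angie performs during the handshake: does the certificate
# chain to ca.crt? Returns 0 if it does, non-zero otherwise.
verify_against_ca() {
  openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1
}

# Render the Secret manifest for step 2. `tr -d '\n'` keeps the base64 on one
# line with both GNU and BSD base64.
render_ca_secret() {
  ca_b64=$(base64 < "$WORKDIR/ca.crt" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ingress-mtls-secret
type: angie.software/ca
data:
  ca.crt: $ca_b64
EOF
}

# End-to-end check against a live ANIC (needs IC_IP and IC_HTTPS_PORT): prints
# the HTTP status without and then with the client certificate. Expected: 400
# then 200. --insecure only skips verification of the self-signed server
# certificate; it does not relax the client-certificate requirement.
check_ingress() {
  host="webapp.example.com"
  url="https://$host:$IC_HTTPS_PORT/"
  curl -s -o /dev/null -w '%{http_code}\n' --insecure \
    --resolve "$host:$IC_HTTPS_PORT:$IC_IP" "$url"
  curl -s -o /dev/null -w '%{http_code}\n' --insecure \
    --resolve "$host:$IC_HTTPS_PORT:$IC_IP" "$url" \
    --cert "$WORKDIR/client-cert.pem" --key "$WORKDIR/client-key.pem"
}

main() {
  make_ca
  issue_client_cert alice "$WORKDIR/client"
  self_signed_cert mallory "$WORKDIR/rogue"
  verify_against_ca "$WORKDIR/client-cert.pem" && echo "client cert chains to CA"
  verify_against_ca "$WORKDIR/rogue-cert.pem" || echo "rogue cert rejected, as the policy would"
  render_ca_secret > "$WORKDIR/ingress-mtls-secret.yaml"
  echo "manifest written to $WORKDIR/ingress-mtls-secret.yaml"
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  main
fi
```

Run it with `RUN_EXAMPLE=1 sh mtls-setup.sh`, then `kubectl apply -f "$WORKDIR/ingress-mtls-secret.yaml"` and use `$WORKDIR/client-cert.pem` and `$WORKDIR/client-key.pem` in the curl commands of step 6. The manifest can equally be produced without the script via `kubectl create secret generic ingress-mtls-secret --type=angie.software/ca --from-file=ca.crt="$WORKDIR/ca.crt" --dry-run=client -o yaml`. In a real deployment, replace `--insecure` with `--cacert` pointing at the CA that issued the server certificate, so the test also verifies the server side of the handshake.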
