Description
Hi All,
I have just a small suggestion to improve/complete the documentation of auth-tls-match-cn annotation.
The doc mentions that the annotation is used to add a sanity check on the CN of the client certificate during an mTLS handshake.
However, the sanity check may also apply to other fields of the DN of the certificate like "OU", and this might be very handy when performing checks on a group of certificates based on "OU" (a group of certificates belonging to an Organizational Unit) or other criteria.
So for example, the annotation may have the following value to accept only certificates whose DN contains the "'OU=FOO,OU=BAR'" fields:
```yaml
nginx.ingress.kubernetes.io/auth-tls-match-cn: "'OU=FOO,OU=BAR'"
```
This type of check is already working, having tested it recently, and the code shows indeed that the condition applies to the DN, not only the CN:
```nginx
if ( $ssl_client_s_dn !~ {{ $server.CertificateAuth.MatchCN }} ) {
    return 403 "client certificate unauthorized";
}
```
Would it be possible therefore to update the annotation documentation to add these possible checks?
Thanks,
/kind documentation
/remove-kind feature
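To make the behaviour of that template line concrete, here is an added Python model of the check (not code from ingress-nginx or from the issue author). It assumes what the snippet above shows: nginx's `!~` is a case-sensitive, unanchored regular-expression test against the `$ssl_client_s_dn` string, so any annotation value, CN or otherwise, is really a regex searched for anywhere in the DN. The sample DNs are constructed; the RDN order nginx actually emits depends on the certificate and nginx version, so the rendered string should be checked against a real handshake before relying on a multi-field pattern.

```python
import re

# Constructed sample DNs in the comma-separated form nginx exposes in
# $ssl_client_s_dn (most-specific RDN first). Not real certificates.
SAMPLE_DNS = {
    "member":   "CN=alice,OU=FOO,OU=BAR,O=Example,C=US",
    "reversed": "CN=bob,OU=BAR,OU=FOO,O=Example,C=US",
    "other":    "CN=carol,OU=BAZ,O=Example,C=US",
    "prefix":   "CN=alice-old,OU=FOO,OU=BAR,O=Example,C=US",
}


def dn_matches(client_dn: str, pattern: str) -> bool:
    """Emulate `if ($ssl_client_s_dn !~ pattern)` from the template.

    nginx's `~` / `!~` operators run a case-sensitive regex search that is
    not anchored, so the client is accepted as soon as `pattern` occurs
    anywhere inside the DN string.
    """
    return re.search(pattern, client_dn) is not None


def decide(client_dn: str, pattern: str) -> int:
    """Return the status the template would produce: 403 when the DN does
    not match the annotation regex, otherwise 200 (request passes on)."""
    return 200 if dn_matches(client_dn, pattern) else 403


def evaluate(pattern: str, dns=SAMPLE_DNS) -> dict:
    """Apply one annotation value to every sample DN."""
    return {name: decide(dn, pattern) for name, dn in dns.items()}


if __name__ == "__main__":
    # The OU-based check from the issue: only DNs that contain the two
    # OU RDNs adjacent and in this order pass; "reversed" is rejected.
    for name, status in evaluate("OU=FOO,OU=BAR").items():
        print(f"OU=FOO,OU=BAR  {name:9s} -> {status}")

    # Caveat: an unanchored CN pattern also accepts longer CNs that merely
    # start with the same text, so anchor the regex when that matters.
    print("CN=alice   vs CN=alice-old ->", decide(SAMPLE_DNS["prefix"], "CN=alice"))
    print("^CN=alice, vs CN=alice-old ->", decide(SAMPLE_DNS["prefix"], "^CN=alice,"))
```

Two points the model makes visible: field order matters because the match is a plain substring-style regex search over the serialized DN, and an unanchored value such as `CN=alice` also accepts `CN=alice-old`. Regex metacharacters in DN values (a `.` in `O=Example.com`, for instance) are interpreted as regex syntax, so they need escaping in the annotation value.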