I am using Kubernetes and the Kong ingress controller. I have set up a client, Kong gateway, and server. The client connects to the Kong gateway with mTLS; the Kong gateway connects to the server over plain HTTP with a header that contains the client cert PEM.
In nginx I can simply add this config.
server {
    location / {
        proxy_set_header ssl-client-cert $ssl_client_escaped_cert;
    }
}
In Kong gateway, I tried setting this in the Helm values.yaml:
env.nginx_proxy_proxy_set_header: "ssl-client-cert $ssl_client_escaped_cert"
But in the container's /etc/kong_prefix/nginx-kong.conf, it looks like this and the header is not sent out.
server {
    proxy_set_header ssl-client-cert $ssl_client_escaped_cert;
}
I tried to use the request-transformer plugin, but it treats $ssl_client_escaped_cert as a plain string.
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: kong-plugin-client-cert-header
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: "true"
config:
  add:
    headers:
    - ssl-client-cert: $ssl_client_escaped_cert;
plugin: request-transformer
How can I get the client cert and send it to the server as a header?
You can use the Kong Function plugin to do custom transformation. From that plugin you can use all Nginx variables available:
For example, your plugin can be configured with something like:
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: kong-plugin-client-cert-header
config:
  access:
  - |
    -- Forward the urlencoded PEM client cert; send '--' when no cert was presented.
    kong.service.request.set_header('ssl-client-cert', (ngx.var.ssl_client_escaped_cert or '--'))
plugin: post-function
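The receiving side of this header, as an added example (not code from the question or the answer): a Python function the backend could use to turn the urlencoded PEM in `ssl-client-cert` back into DER bytes and a SHA-256 fingerprint. It assumes a Python backend whose framework exposes request headers as a dict with lower-cased names; `cert_from_header`, `NoClientCert` and `sample_header` are hypothetical names.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

HEADER_NAME = "ssl-client-cert"  # header name used on this page
PLACEHOLDER = "--"               # fallback value sent by the post-function
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


class NoClientCert(Exception):
    """The header is missing or does not carry a usable certificate."""


def cert_from_header(headers):
    """Return (der_bytes, sha256_hex) for the certificate forwarded by the gateway."""
    raw = headers.get(HEADER_NAME, "")
    if raw in ("", PLACEHOLDER):
        raise NoClientCert("gateway forwarded no client certificate")
    # $ssl_client_escaped_cert is the PEM certificate, urlencoded by nginx.
    # unquote (not unquote_plus) so a literal '+' in the base64 body survives.
    pem = unquote(raw).strip()
    if not (pem.startswith(BEGIN) and pem.endswith(END)):
        # Also catches the literal "$ssl_client_escaped_cert" string that
        # request-transformer sent in the question.
        raise NoClientCert("header value is not a PEM certificate")
    body = "".join(pem[len(BEGIN):-len(END)].split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise NoClientCert("PEM body is not valid base64") from exc
    # Hand `der` to an X.509 library for subject/issuer checks.
    return der, hashlib.sha256(der).hexdigest()


def sample_header():
    """Constructed sample: placeholder bytes in PEM armor, NOT a real certificate."""
    der = bytes(range(256))
    pem = f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"
    return der, quote(pem, safe="")  # same shape nginx produces: %0A, %2B, %2F ...


if __name__ == "__main__":
    _, header_value = sample_header()
    print(cert_from_header({HEADER_NAME: header_value})[1])
```

The fingerprint is only meaningful if the backend is reachable solely through Kong, since a caller that reaches the server directly can set this header itself.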