Kubernetes nginx-ingress verify-depth value doesn't match verified certs


When using client cert authentication on nginx-ingress, the auth-tls-verify-depth annotation doesn't honor the number provided. Based on the documentation, when I set the number to 2 I expect that mTLS will fail when the client certificate is signed by an intermediate CA which is 3rd in order from the CA (client_cert <- intermediate1 <- intermediate2 <- CA), but unfortunately that is not the case and mTLS verification works. By the documentation the above scenario should work only with auth-tls-verify-depth set to 3 or more.

I was able to find out that with OpenSSL 1.1.0+ it behaves a bit differently - https://github.com/nginx/nginx-tests/blob/7a9e95fdd30729540ee9650be7f991c330367d5b/ssl_verify_depth.t#L145

If nginx-ingress is following the above procedure I would expect that to be written specifically in the docs, which it currently is not. So I am not sure if it is a bug in nginx-ingress or whether it works as expected.

Having:

nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
nginx.ingress.kubernetes.io/auth-tls-secret: <namespace>/CA_certificate

I was expecting HTTP 400 Bad Request - SSL Certificate Error

But I am getting HTTP 200 with mTLS working.
