1

I am running a gke cluster (v1.16.15gke.4300) and the nginx ingress authentication is failing. The below snippet is for external oauth2 authentication but even a basic auth is also not working. Seems that nginx is completely ignore these annotations.

The oauth2 proxy with google api is actually working fine, but nginx is not including the auth configuration on his own configuration. I can easily check that on the nginx running pods. No auth conf there.

nginx ingress controller:

  repoURL: 'https://helm.nginx.com/stable'
  targetRevision: 0.6.1
  version: nginx/1.19.2

The live manifest for an ingress service protected by oauth2:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/auth-signin: https://oauth2.####.net/oauth2/start?rd=$escaped_request_uri
    ingress.kubernetes.io/auth-url: https://oauth2.####.net/oauth2/auth
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":##########}
  creationTimestamp: "####"
  finalizers:
  - networking.gke.io/ingress-finalizer-V2
  generation: 1
  labels:
    argocd.argoproj.io/instance: k8s-default
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  resourceVersion: "22174124"
  selfLink: /apis/extensions/v1beta1/namespaces/kubernetes-dashboard/ingresses/dashboard-ingress
  uid: 34263f6b-6818-403f-####-4c6acb196c49
spec:
  rules:
  - host: dashboard.###.net
    http:
      paths:
      - backend:
          serviceName: kdashboard-kubernetes-dashboard
          servicePort: 8080
        path: /
  tls:
  - hosts:
    - dashboard.###.net
    secretName: reflect-certificate-secret-internal
status:
  loadBalancer:
    ingress:
    - ip: ##.##.##.##

When running the service i never get a 403/401:

curl -I 'https://dashboard.###.net/'
HTTP/1.1 200 OK
Server: nginx/1.19.2
Date: Mon, 14 Dec 2020 19:50:05 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1272
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: no-store
Last-Modified: Mon, 22 Jun 2020 14:25:00 GMT
Improve this question
6
  • Some people mentioned to use nginx.ingress.kubernetes.io instead of ingress.kubernetes.io but its the same. Commented Dec 14, 2020 at 19:56
  • Could you please try to add the kubernetes.io/ingress.class: "nginx" annotation to your Ingress and share the results? Commented Dec 15, 2020 at 10:40
  • @WytrzymałyWiktor nothing changes but I can have nginx action in some annotations like nginx.org/server-snippets , the others annotations don't trigger anything Commented Dec 15, 2020 at 15:45
  • kubernetes.io/ingress.class: "nginx" forces Nginx Ingress on GKE instead of the built-in GCP Ingress solution. Use that with the nginx.ingress.kubernetes.io annotations you mentioned in your first comment and please let me know about the outcome. I am analyzing your issue further in the meantime. Commented Dec 17, 2020 at 8:59
  • No, not yet. Moved on. but need to return to the problem. The ingress.class annotation doesn't change anything in my configuration. Commented Jan 6, 2021 at 14:39

1 Answer 1

Reset to default
4

EDIT:

Based on the info you provided it looks like that you are using the Nginxinc Ingress Controller and not the NGINX Ingress Controller which are not the same. Nginxinc Ingress Controller is different from the NGINX Ingress controller in kubernetes/ingress-nginx repo and also different from the default GKE Ingress Controller. The main difference that would affect your use case is that they all use different annotations and those annotations can only be satisfied by a proper Controller. You can find the key differences between the mentioned above here and here.

Below are some useful docs/guides:

To sum up:

  • Choose the proper controller that would satisfy the annotations that you want to use.

  • Keep in mind that different Controllers might use different annotations (nginxinc vs nginx).

  • Use kubernetes.io/ingress.class: annotation to choose the controller installed on your GKE Cluster.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I am using the helm repo: NAME URL nginx-stable helm.nginx.com/stable
the controller version from the kubernetes/ingress-nginx repo works fine. thanks for pointing it out.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.