Configuring JWT for NGINX Plus controller in Kubernetes

2/7/2018

I have got NGINX in place as of now, which acts as a load balancer. When I was creating the Ingress for my Nginx Controller, the details that I had provided in the Ingress file were updated in the container's nginx.conf file.

For example:

upstream default-hello-8123 {
    # Load balance algorithm; empty for round robin, which is the default
    least_conn;
    keepalive 32;
    server x.x.x.x:xx max_fails=0 fail_timeout=0;
}

I had the above details in the Ingress file. Once I deployed my Ingress service / Controller / Ingress, nginx.conf was updated automatically.

I am now trying to configure JWT for authentication, but I could not figure out whether there is a way for configuration such as the one below to also be updated automatically in nginx.conf instead of being written manually.

server {  
    listen 80;   
    location /products/ {  
        auth_jwt "Products API";
        auth_jwt_key_file conf/api_secret.jwk;  
        proxy_pass http://api_server;  
    }
}
-- Anil Kumar P
jwt
kubernetes
nginx

1 Answer

4/15/2018

I assume you have configured your ingress via annotations. If not, read here:

https://github.com/nginxinc/kubernetes-ingress/tree/master/examples/jwt

IMPORTANT: this whole answer is only applicable when using the NGINX Ingress Controller as opposed to the Kubernetes Ingress Controller. Read about the key differences here.

Basically, there are two minimum requirements:

Start by creating a Secret first. There are multiple ways to do it but here is an example using kubectl:

kubectl create secret generic my-jwk --from-file=/path/to/your/key.jwk

This fulfills the first hard requirement and the other requirement is to ensure that your authenticating app uses the expected JWT delivery. By default, a JWT is expected in the Authorization header as a Bearer Token.

Next, you should reference that Secret, named my-jwk, to the Ingress Controller via an annotation:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    nginx.com/jwt-key: "my-jwk" 
spec:
# .. fill in the rest of your spec here.

That is the only annotation required.

There are other annotations you can use. However, they are optional. Taken from the first README link on this answer:

  • Optional: nginx.com/jwt-realm: "realm" -- specifies a realm.
  • Optional: nginx.com/jwt-token: "token" -- specifies a variable that contains JSON Web Token. By default, a JWT is expected in the Authorization header as a Bearer Token.
  • Optional: nginx.com/jwt-login-url: "url" -- specifies a URL to which a client is redirected in case of an invalid or missing JWT.
-- Seth Malaki
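
An added example, not part of the question, the answer or the NGINX project's code: Python that builds the key.jwk file for the Secret, signs a test token, and checks it locally the way a strict verifier would (pinned algorithm, constant-time compare, expiry). It assumes the key file is a JWK Set (RFC 7517) holding one symmetric "oct" key used with HS256; the function names, the kid "0001" and the claims are hypothetical.

```python
import base64, hashlib, hmac, json, os, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwk_set(secret: bytes, kid: str) -> dict:
    # Assumed key-file layout: a JWK Set with one symmetric key.
    return {"keys": [{"kty": "oct", "kid": kid, "k": b64url(secret)}]}

def sign_hs256(claims: dict, secret: bytes, kid: str) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    mac = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url(mac)])

def verify_hs256(token: str, jwk_set: dict, now=None) -> dict:
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        given = b64url_decode(sig)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token choose it ("none", RS/HS mix-ups).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    keys = {k.get("kid"): k for k in jwk_set["keys"] if k.get("kty") == "oct"}
    jwk = keys.get(header.get("kid"))
    if jwk is None:
        raise ValueError("unknown kid")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if "exp" in claims and claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    import secrets
    secret = secrets.token_bytes(32)  # 256-bit random key, not a passphrase
    # Create the key file readable by the owner only; it is the signing secret.
    fd = os.open("key.jwk", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(make_jwk_set(secret, "0001"), fh)
    token = sign_hs256({"sub": "smoke-test", "exp": int(time.time()) + 300}, secret, "0001")
    print(verify_hs256(token, make_jwk_set(secret, "0001")))
    print("Authorization: Bearer " + token)
```

The printed header line matches the default delivery the answer describes, so the short-lived token can be used for a smoke test once the Secret and annotation are in place.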
Source: StackOverflow