I am trying to setup nginx as authentication proxy for kubernetes. Authentication endpoint is returning all groups for a user in a single header separated by comma(X-Groups=Group1,Group2). But kubernetes expects each group in a separate header. How can I split this header value by comma and add each value with same header name?

Here are nginx server blocks (this is a self contained example which does call a dummy endpoint instead of k8s api to validate if proxy is passing correct headers or not)

server {
    listen  80 default_server;

    location /backend {
            default_type application/json;
            return 200 '{"user": "$http_x_remote_user", "groups", "$http_x_remote_groups"}';
    }
}

server {
    listen  443 ssl default_server;

    location / {
        auth_request /_auth;

        auth_request_set $user $upstream_http_x_user;
        auth_request_set $groups $upstream_http_x_groups;

        proxy_pass http://localhost/backend;
        proxy_set_header X-Remote-User $user;
        proxy_set_header X-Remote-Groups $groups; # instead of this line I want to put some code which iterates on $groups variable value and add X-Remote-Group header for each of the value
    }

    location /_auth {
        internal;

        proxy_pass http://authentication_endpoint/login; # this returns X-User and X-Groups headers with a 200 status code for successful authentication)
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
        proxy_set_header X-Remote-User $ssl_client_s_dn;
    }

    ssl_certificate_key "/certs/server.key";
    ssl_certificate "/certs/server.crt";

    # this is required for verifying client certificate
    ssl_verify_client       on;
    ssl_client_certificate "/certs/ca.crt";

    ssl_session_timeout  10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
    ssl_prefer_server_ciphers on;
 }