K
Q

Adding Ingress basic auth causes response 406 instead of 200 from Spring boot backend

10/19/2019

I have Spring Boot backend service and a React frontend service. They run on Kubernetes. A GET request from the frontend to the backend returns 200. Whenever I specify basic auth on the frontend ingress with

metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: test-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - test"

the backend returns 406. I can see that it's sent by Spring Boot in the logs:

2019-10-19 11:07:47.672  WARN 1 --- [nio-8080-exec-1] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.web.HttpMediaTypeNotAcceptableException: Could not find acceptable representation]

The frontend Ingress in question is

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-unacceptable-and-unauthorized-response-frontend
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: test-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - test"
spec:
  rules:
    - host: test.com
      http:
        paths:
          - path: /
            backend:
              serviceName: kubernetes-unacceptable-and-unauthorized-response-frontend
              servicePort: 80

In which the issue can be turned off and on repeatedly by removing or applying the metadata patch shown above. The backend Ingress is

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kubernetes-unacceptable-and-unauthorized-response-backend
spec:
  rules:
    - host: test.com
      http:
        paths:
          - path: /rest/control
            backend:
              serviceName: kubernetes-unacceptable-and-unauthorized-response-backend
              servicePort: 80

My understanding based on https://kubernetes.github.io/ingress-nginx/user-guide/ingress-path-matching/ and other docs is that the basic auth is for the frontend only. And that even if it was for the backend as well I'd expect a 401 without the request reaching the backend service and not a 406 from the service.

I'm reproducing this issue on microk8s 1.15.5 (984) on Ubuntu 19.04 with Spring Boot 2.1.8 and the nginx-ingress chart 1.24.3 by pointing test.com to localhost in /etc/hosts.

Since the necessary code is way to much for the question and all somehow relevant, but not really (you can imaging Spring Boot REST controller that replies OK as well as a react app which prints response.ok) I'm providing https://gitlab.com/krichter/kubernetes-unacceptable-and-unauthorized-response. I put a lot of effort into minimizing the issue. Feel free to comment if you think inclusion of a piece of code makes the question more clear.

-- Karl Richter
basic-authentication
kubernetes
nginx-ingress
reactjs
spring-boot

Similar Questions

Kubernetes NFS PV, Lock Questions
Google Cloud VM Image to docker image
Data processing while using tensorflow serving (Docker/Kubernetes)
Our replica set configuration is invalid or does not include us-MongoDB Statefulset on Kubernetes
Unable to create kubernetes with HA etc on Ubuntu 20.04
Why should I use Kubernetes Persistent Volumes instead of Volumes

0 Answers