Kubernetes: add ingress internal ip to environment

1/11/2020

For a .net core application, I need the internal IP address of the nginx ingress to trust the proxy and process its forwarded headers.

This is done with the following code in my application:

forwardedHeadersOptions.KnownProxies.Add(IPAddress.Parse("10.244.0.16"));

Now it is hard-coded. But how can I get this IP address into an environment variable for my container?

It seems like the given IP address is the endpoint of the ingress-nginx service in the ingress-nginx namespace:

❯ kubectl describe service ingress-nginx -n ingress-nginx
Name:                     ingress-nginx
Namespace:                ingress-nginx
Labels:                   app.kubernetes.io/name=ingress-nginx
                          app.kubernetes.io/part-of=ingress-nginx
Annotations:              kubectl.kubernetes.io/last-applied-configuration:
                            {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"ingress-nginx","app.kubernetes.io/par...
Selector:                 app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/part-of=ingress-nginx
Type:                     LoadBalancer
IP:                       10.0.91.124
LoadBalancer Ingress:     40.127.224.177
Port:                     http  80/TCP
TargetPort:               http/TCP
NodePort:                 http  30756/TCP
Endpoints:                10.244.0.16:80
Port:                     https  443/TCP
TargetPort:               https/TCP
NodePort:                 https  31719/TCP
Endpoints:                10.244.0.16:443
Session Affinity:         None
External Traffic Policy:  Local
HealthCheck NodePort:     32003
Events:                   <none>

FYI: this is my deployment:

apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: uwgazon-web
spec:
  replicas: 1
  paused: true
  template:
    metadata:
      labels:
        app: uwgazon-web
    spec:
      containers:
      - name: uwgazon-web
        image: uwgazon/web
        ports:
        - containerPort: 80
        resources:
          requests:
            memory: "128Mi"
            cpu: "250m"
          limits:
            memory: "256Mi"
            cpu: "500m"
        env:
        - name: UWGAZON_RECAPTCHA__SITEKEY
          valueFrom:
            secretKeyRef:
              name: uwgazon-recaptcha
              key: client-id
        - name: UWGAZON_RECAPTCHA__SERVERKEY
          valueFrom:
            secretKeyRef:
              name: uwgazon-recaptcha
              key: client-secret
        - name: UWGAZON_MAILGUN__BASEADDRESS
          valueFrom:
            secretKeyRef:
              name: uwgazon-mailgun
              key: base-address
        - name: UWGAZON_APPLICATIONINSIGHTS__INSTRUMENTATIONKEY
          valueFrom:
            secretKeyRef:
              name: uwgazon-appinsights
              key: instrumentationkey
        - name: APPINSIGHTS_INSTRUMENTATIONKEY
          valueFrom:
            secretKeyRef:
              name: uwgazon-appinsights
              key: instrumentationkey
        - name: UWGAZON_MAILGUN__APIKEY
          valueFrom:
            secretKeyRef:
              name: uwgazon-mailgun
              key: api-key
        - name: UWGAZON_MAILGUN__TOADDRESS
          valueFrom:
            secretKeyRef:
              name: uwgazon-mailgun
              key: to-address
        - name: UWGAZON_BLOG__NAME
          valueFrom:
            configMapKeyRef:
              name: uwgazon-config
              key: sitename
        - name: UWGAZON_BLOG__OWNER
          valueFrom:
            configMapKeyRef:
              name: uwgazon-config
              key: owner
        - name: UWGAZON_BLOG__DESCRIPTION
          valueFrom:
            configMapKeyRef:
              name: uwgazon-config
              key: description

And my ingress configuration

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: uwgazon-web-ingress
  annotations:
    cert-manager.io/issuer: "uwgazon-tls-issuer"
spec:
  tls:
  - hosts:
    - uwgazon.sdsoftware.be
    secretName: uwgazon-sdsoftware-be-tls
  rules:
  - host: uwgazon.sdsoftware.be
    http:
      paths:
      - backend:
          serviceName: uwgazon-web
          servicePort: 80
-- Sander Declerck
asp.net-core
kubernetes
nginx-ingress

1 Answer

1/12/2020

I found the solution to this, specific for Asp.net core.

First of all, you MUST whitelist the proxy, otherwise the forwarded headers middleware will not work.

I found out, you can actually whitelist an entire network. That way, you are trusting everything inside your cluster. Kubernetes uses the 10.0.0.0/8 network (subnet mask 0.255.255.255). Trusting it, can be done with the following code:

services.Configure<ForwardedHeadersOptions>(forwardedHeadersOptions =>
{
    forwardedHeadersOptions.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    forwardedHeadersOptions.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.0.0"), 8));
});
-- Sander Declerck
Source: StackOverflow