nginx ingress use k8s secret as HTTP header

5/2/2021

I am using nginx ingress with a setup like this:

nginx.ingress.kubernetes.io/auth-url: http://api/v1/introspect
nginx.ingress.kubernetes.io/auth-method: POST
nginx.ingress.kubernetes.io/auth-response-headers: X-User-Auth
nginx.ingress.kubernetes.io/auth-snippet: |
  proxy_set_header  auth-header "authheaderhere==";

My question is simple, but I'm not sure if the answer is:

How can I define the ingress without hardcoding the auth-header in the ingress definition?

The introspect endpoint (decodes JWT token and attaches it to original request that is proxied to other microservices) is not exposed outside of the cluster but I want the extra peace of mind knowing that the endpoint, even in the cluster, only responds to authenticated requests (auth-header is a base64 encoded string which contains a client secret and client id)

-- tech4242
authentication
kubernetes
nginx
nginx-ingress

2 Answers

5/18/2021

> how can I define the ingress without hardcoding the auth-header in the ingress definition?

Develop your own controller. An example of how to do it is here.

If you don't want to attach it to the Ingress entity, somebody has to.

Your own controller can watch existing Ingresses (filtered by some label of yours) and update the Ingress manifests: attach the annotations you want.

> The introspect endpoint (decodes JWT token and attaches it to original request that is proxied to other microservices) is not exposed outside of the cluster but I want the extra peace of mind knowing that the endpoint, even in the cluster, only responds to authenticated requests (auth-header is a base64 encoded string which contains a client secret and client id)

If you want to hide your JWT token in a Secret, there is no easy way to do it with the vanilla Nginx IngressController. The source says that:

> nginx.ingress.kubernetes.io/auth-snippet: <Auth_Snippet> to specify a custom snippet to use with external authentication, e.g.

i.e. just a sample of nginx config you may include, without additional transformations.

But if you can deploy an additional IngressController instance, you can use the global-auth-snippet parameter there.

Add your snippet to Nginx's ConfigMap. Then create an IngressClass and add the kubernetes.io/ingress.class=my_ingress_class_name annotation to your Ingresses (or even make the class the default for the cluster).

-- Denis Romaniuk
Source: StackOverflow

7/20/2021

You can use the annotation nginx.ingress.kubernetes.io/auth-proxy-set-headers (https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#external-authentication), referring to a ConfigMap which contains headers.

Here you can find an example https://kubernetes.github.io/ingress-nginx/examples/customization/custom-headers

-- fvalverd
Source: StackOverflow