I am deploying an EKS cluster to AWS and using the ALB ingress controller to point to my K8S service. The ingress spec is shown below.

There are two targets, `path: /*` and `path: /es/*`. And I also configured `alb.ingress.kubernetes.io/auth-type` to use `cognito` as the authentication method.

My question is how can I configure a different `auth-type` for different targets? I'd like to use `cognito` for `/*` and `none` for `/es/*`. How can I achieve that?
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: sidecar
  namespace: default
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/group.name: sidecar
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.order: '1'
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    # Auth
    alb.ingress.kubernetes.io/auth-type: cognito
    alb.ingress.kubernetes.io/auth-idp-cognito: '{"userPoolARN":"xxxx","userPoolClientID":"xxxx","userPoolDomain":"xxxx"}'
    alb.ingress.kubernetes.io/auth-scope: 'email openid aws.cognito.signin.user.admin'
    alb.ingress.kubernetes.io/certificate-arn: xxxx
spec:
  rules:
  - http:
      paths:
      - path: /es/*
        backend:
          serviceName: sidecar-entrypoint
          servicePort: 8080
      - path: /*
        backend:
          serviceName: server-entrypoint
          servicePort: 8081
```
The solution above didn't work for me. If you want, you can use each auth-related annotation in your service manifests, which is more human-readable than writing more than one ingress object and combining it all together. See the below code:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: admin-webapp
  annotations:
    alb.ingress.kubernetes.io/auth-type: cognito
    alb.ingress.kubernetes.io/auth-scope: openid
    alb.ingress.kubernetes.io/auth-session-timeout: '3600'
    alb.ingress.kubernetes.io/auth-session-cookie: AWSELBAuthSessionCookie
    alb.ingress.kubernetes.io/auth-idp-cognito: '{"UserPoolArn": "arn:aws:cognito-idp:us-east-1:xxx:userpool/xxxx","UserPoolClientId":"xxx","UserPoolDomain":"xxx"}'
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
spec:
  selector:
    app: admin-webapp-deployment
  ports:
  - name: http
    port: 80
  type: NodePort
```
I had the same issue and this code solved my issue :)
This question comes up a lot, so I guess it needs to be PR-ed into their documentation.
Ingress resources are cumulative, so you can separate your paths into two separate Ingress resources in order to annotate each one differently. They will be combined with all other Ingress resources across the entire cluster to form the final config.
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: sidecar-star
  namespace: default
  annotations:
    kubernetes.io/ingress.class: alb
    # ... and the rest ...
spec:
  rules:
  - http:
      paths:
      - path: /*
        backend:
          serviceName: server-entrypoint
          servicePort: 8081
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: sidecar-es
  namespace: default
  annotations:
    kubernetes.io/ingress.class: alb
    # ... and the rest ...
spec:
  rules:
  - http:
      paths:
      - path: /es/*
        backend:
          serviceName: sidecar-entrypoint
          servicePort: 8080
```
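Both answers rely on where the `auth-type` annotation lives deciding which paths are protected, so it is worth checking the result before applying. The following is an added example, not code from the question, the answers or the AWS controller: it takes Ingress and Service objects as plain dicts (constructed inline to mirror the page's manifests), assumes the controller's precedence of Service annotation over Ingress annotation over a default of `none`, and reports the effective auth-type per path and any path left unauthenticated or annotated inconsistently.

```python
AUTH_TYPE = "alb.ingress.kubernetes.io/auth-type"


def path_auth_types(ingresses, services=()):
    """Return {path: auth-type} for every path across the given Ingress objects.

    Assumed precedence (as I read the AWS LB controller docs): a Service's
    auth-type overrides the Ingress-level annotation for that backend, the
    Ingress annotation covers all of its paths, and the default is 'none'.
    Raises ValueError if two Ingresses disagree about the same path.
    """
    svc_auth = {s["metadata"]["name"]: s["metadata"].get("annotations", {}).get(AUTH_TYPE)
                for s in services}
    result = {}
    for ing in ingresses:
        ing_auth = ing["metadata"].get("annotations", {}).get(AUTH_TYPE, "none")
        for rule in ing["spec"]["rules"]:
            for p in rule["http"]["paths"]:
                auth = svc_auth.get(p["backend"]["serviceName"]) or ing_auth
                if result.get(p["path"], auth) != auth:
                    raise ValueError(f"conflicting auth-type for path {p['path']}")
                result[p["path"]] = auth
    return result


def unauthenticated_paths(ingresses, services=()):
    """Paths whose effective auth-type is 'none'; review these before deploying."""
    return sorted(p for p, a in path_auth_types(ingresses, services).items() if a == "none")


def make_ingress(name, paths, annotations=None):
    """Build a minimal Ingress dict (constructed helper; paths = [(path, serviceName)])."""
    return {"metadata": {"name": name, "annotations": annotations or {}},
            "spec": {"rules": [{"http": {"paths": [
                {"path": p, "backend": {"serviceName": s, "servicePort": 8080}}
                for p, s in paths]}}]}}


# Constructed sample of the split-Ingress answer: cognito on /*, nothing on /es/*.
SPLIT = [make_ingress("sidecar-star", [("/*", "server-entrypoint")], {AUTH_TYPE: "cognito"}),
         make_ingress("sidecar-es", [("/es/*", "sidecar-entrypoint")])]

# Constructed sample of the Service-annotation answer: one unannotated Ingress,
# cognito set only on the admin-webapp Service behind /*.
SINGLE = [make_ingress("sidecar", [("/*", "admin-webapp"), ("/es/*", "sidecar-entrypoint")])]
SERVICES = [{"metadata": {"name": "admin-webapp", "annotations": {AUTH_TYPE: "cognito"}}}]

if __name__ == "__main__":
    print(path_auth_types(SPLIT), unauthenticated_paths(SPLIT))
    print(path_auth_types(SINGLE, SERVICES), unauthenticated_paths(SINGLE, SERVICES))
```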