How can I create different auth-type for different target in ingress controller?

6/18/2021

I am deploying an EKS cluster to AWS and using the alb ingress controller pointing to my K8S service. The ingress spec is shown below.

There are two targets: path: /* and path: /es/*. I also configured alb.ingress.kubernetes.io/auth-type to use cognito as the authentication method.

My question is how can I configure different auth-type for different target? I'd like to use cognito for /* and none for /es/*. How can I achieve that?

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: sidecar
  namespace: default
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/group.name: sidecar
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/group.order: '1'
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    # Auth
    alb.ingress.kubernetes.io/auth-type: cognito
    alb.ingress.kubernetes.io/auth-idp-cognito: '{"userPoolARN":"xxxx","userPoolClientID":"xxxx","userPoolDomain":"xxxx"}'
    alb.ingress.kubernetes.io/auth-scope: 'email openid aws.cognito.signin.user.admin'
    alb.ingress.kubernetes.io/certificate-arn: xxxx

spec:
  rules:
    - http:
        paths:
          - path: /es/*
            backend:
              serviceName: sidecar-entrypoint
              servicePort: 8080
          - path: /*
            backend:
              serviceName: server-entrypoint
              servicePort: 8081
-- Joey Yi Zhao
amazon-eks
amazon-web-services
kubernetes

2 Answers

8/29/2021

The solution above didn't work for me. If you want, you can use each auth-related annotation in your service manifests, which is more human-readable than writing more than one ingress object and combining it all together. See the below code:

apiVersion: v1
kind: Service
metadata:
  name: admin-webapp
  annotations:
    alb.ingress.kubernetes.io/auth-type: cognito
    alb.ingress.kubernetes.io/auth-scope: openid
    alb.ingress.kubernetes.io/auth-session-timeout: '3600'
    alb.ingress.kubernetes.io/auth-session-cookie: AWSELBAuthSessionCookie
    alb.ingress.kubernetes.io/auth-idp-cognito: '{"UserPoolArn": "arn:aws:cognito-idp:us-east-1:xxx:userpool/xxxx","UserPoolClientId":"xxx","UserPoolDomain":"xxx"}'
    alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
spec:
  selector:
    app: admin-webapp-deployment
  ports:
    - name: http
      port: 80
  type: NodePort

I had the same issue and this code solved my issue :)

-- inceenes10
Source: StackOverflow

6/18/2021

This question comes up a lot, so I guess it needs to be PR-ed into their documentation.

Ingress resources are cumulative, so you can separate your paths into two separate Ingress resources in order to annotate each one differently. They will be combined with all other Ingress resources across the entire cluster to form the final config.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: sidecar-star
  namespace: default
  annotations:
    kubernetes.io/ingress.class: alb
    # ... and the rest ...
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: server-entrypoint
              servicePort: 8081
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: sidecar-es
  namespace: default
  annotations:
    kubernetes.io/ingress.class: alb
    # ... and the rest ...
spec:
  rules:
    - http:
        paths:
          - path: /es/*
            backend:
              serviceName: sidecar-entrypoint
              servicePort: 8080
-- mdaniel
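Putting the two answers together, here is an added review check (not code from either answer or from the ALB ingress controller project) that walks the Ingress and Service manifests of one ingress group and reports the effective auth-type per path, so the paths left without authentication are visible before the config is applied. It assumes a Service-level auth-type annotation overrides the Ingress-level one, as the second answer describes; the manifests, service names and the /admin/* path are constructed for this example.

```python
# Added example: compute the effective auth-type per path for one ALB ingress group.
# Assumption: a Service auth-type annotation overrides the Ingress annotation; an
# Ingress without auth-type and without a Service override is treated as "none".
from typing import Dict, List, Tuple

AUTH_TYPE = "alb.ingress.kubernetes.io/auth-type"
GROUP = "alb.ingress.kubernetes.io/group.name"

# Constructed manifests modelled on the split-Ingress answer (values are placeholders).
INGRESSES: List[dict] = [
    {"metadata": {"name": "sidecar-star",
                  "annotations": {GROUP: "sidecar", AUTH_TYPE: "cognito"}},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/*", "backend": {"serviceName": "server-entrypoint", "servicePort": 8081}}]}}]}},
    {"metadata": {"name": "sidecar-es", "annotations": {GROUP: "sidecar"}},
     "spec": {"rules": [{"http": {"paths": [
         {"path": "/es/*", "backend": {"serviceName": "sidecar-entrypoint", "servicePort": 8080}},
         {"path": "/admin/*", "backend": {"serviceName": "admin-webapp", "servicePort": 80}}]}}]}},
]

# Constructed Services; admin-webapp carries the Service-level annotation from the first answer.
SERVICES: Dict[str, dict] = {
    "admin-webapp": {"metadata": {"annotations": {AUTH_TYPE: "cognito"}}},
    "server-entrypoint": {"metadata": {}},
    "sidecar-entrypoint": {"metadata": {}},
}


def effective_auth(ingresses: List[dict], services: Dict[str, dict],
                   group: str) -> Dict[str, Tuple[str, str]]:
    """Return {path: (backend service, effective auth-type)} for the given ingress group."""
    result: Dict[str, Tuple[str, str]] = {}
    for ing in ingresses:
        ann = ing["metadata"].get("annotations", {})
        if ann.get(GROUP) != group:
            continue  # only members of this group are merged into one ALB
        ing_auth = ann.get(AUTH_TYPE, "none")
        for rule in ing["spec"]["rules"]:
            for p in rule["http"]["paths"]:
                svc = p["backend"]["serviceName"]
                svc_ann = services.get(svc, {}).get("metadata", {}).get("annotations", {})
                result[p["path"]] = (svc, svc_ann.get(AUTH_TYPE, ing_auth))
    return result


def unauthenticated_paths(auth_map: Dict[str, Tuple[str, str]]) -> List[str]:
    """Paths that the ALB will serve without any authentication action."""
    return sorted(path for path, (_, auth) in auth_map.items() if auth == "none")
```

Running `unauthenticated_paths(effective_auth(INGRESSES, SERVICES, "sidecar"))` lists only /es/*, which is the intended exception in the question; any other path in that list is worth a second look.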