Ingress-nginx: why is the location different from the same ingress file?

12/3/2021

I am using ingress-nginx in my GKE cluster to expose my services. I have 2 different GKE clusters (v1.19.12-gke.2101) that both use ingress-nginx (chart v4.0.6).

On those clusters, I expose some services with an oauth-proxy. It works perfectly on the first cluster, but it doesn't on the second one, with a 404 on the path /test/. I have been investigating for a long time without finding what could cause this issue. The main difference I have found is in the nginx.conf file, where the location differs. Here is the difference:

First cluster (working):

location ~* "^/test(/|$)(.*)/" {

Second cluster (not working):

location /test(/|$)(.*)/ {

Here is the ingress used for this line:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "<auth-url>"
    nginx.ingress.kubernetes.io/auth-signin: "<auth-signin>"
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
    kubernetes.io/tls-acme: 'true'
    ingress.kubernetes.io/force-ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/proxy-body-size: 500m
    cert-manager.io/cluster-issuer: "letsencrypt-prod-dns01"
  name: service-oauth
  namespace: default
spec:
  rules:
  - host: "test.com"
    http:
      paths:
      - path: "/test(/|$)(.*)"
        pathType: ImplementationSpecific
        backend:
          service:
            name: test
            port:
              number: 1234
  ingressClassName: nginx
  tls:
  - secretName: test-tls
    hosts:
      - "test.com"

I have checked all my configuration files (ingress, services) without finding any differences. If you have any idea where the problem could come from, let me know.

Thanks for your help.

-- Stini
google-kubernetes-engine
ingress-nginx
kubernetes

1 Answer

12/3/2021

You are missing the annotation that enables regex, which is:

nginx.ingress.kubernetes.io/use-regex: "true"

You can test if this is the problem by going to the url:

test.com/test(/|$)(.*)

and check if a different NGINX answers you (oauth proxy) and if NGINX is logging something different (should log a forward of the request to the right service).


As for why it is working on the first cluster.. did you enable regex (or use rewrite target) for the same host but on another ingress?

I noticed this behaviour as well once.. with an ingress without this annotation (and without rewrite-target annotation as well) working perfectly fine while it shouldn't.. and I am quite sure it was because there were other ingresses for the same host which specified the use regex annotation.

-- AndD
Source: StackOverflow
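
An added example, not part of the original question or answer: a small check that applies the per-host behaviour the answer describes (use-regex or rewrite-target on any Ingress for a host makes that host's paths regex locations) and reports regex-looking paths that would instead be rendered as literal locations. The `other` Ingress and the reduced manifests are constructed sample data, and the function names are illustrative.

```python
import re

PREFIX = "nginx.ingress.kubernetes.io/"
# Characters that only make sense if the path is compiled as a regex.
REGEX_META = re.compile(r"[()\[\]{}|*+?^$\\]")

def enables_regex(ingress):
    """True if this Ingress carries use-regex: "true" or a rewrite-target."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    return (str(ann.get(PREFIX + "use-regex", "")).lower() == "true"
            or PREFIX + "rewrite-target" in ann)

def host_paths(ingress):
    """Yield (host, path) for every rule path in the Ingress."""
    for rule in ingress.get("spec", {}).get("rules", []):
        for p in rule.get("http", {}).get("paths", []):
            yield rule.get("host", "*"), p.get("path", "/")

def literal_regex_paths(ingresses):
    """Return (ingress name, host, path) for regex-looking paths on hosts
    where no Ingress enables regex, i.e. paths rendered as literal locations."""
    regex_hosts = {h for ing in ingresses if enables_regex(ing)
                   for h, _ in host_paths(ing)}
    return [(ing["metadata"]["name"], h, p)
            for ing in ingresses for h, p in host_paths(ing)
            if h not in regex_hosts and REGEX_META.search(p)]

def make(name, host, path, annotations=None):
    # Constructed sample data, reduced to the fields the check reads.
    return {"metadata": {"name": name, "annotations": annotations or {}},
            "spec": {"rules": [{"host": host,
                                "http": {"paths": [{"path": path}]}}]}}

# The Ingress from the question (no use-regex annotation).
oauth = make("service-oauth", "test.com", "/test(/|$)(.*)",
             {PREFIX + "auth-url": "<auth-url>"})
# Hypothetical second Ingress on the same host, as the answer suspects
# exists on the first cluster.
other = make("other", "test.com", "/api(/|$)(.*)",
             {PREFIX + "rewrite-target": "/$2"})

if __name__ == "__main__":
    print("second cluster:", literal_regex_paths([oauth]))
    print("first cluster: ", literal_regex_paths([oauth, other]))
```

Running such a check over every Ingress that shares a host shows when an auth-protected path only matches because an unrelated Ingress enables regex, which is the cross-cluster difference the answer points to.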