Nginx Ingress: 0.17.1
Baremetal K8: 1.11.1
I'm having problems getting basic authentication to work. The ingress does not prompt for any authentication.
I've got the following ingress configuration,
```yaml
...
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: kubernetes-dashboard-auth
    nginx.ingress.kubernetes.io/auth-realm: "Access is restricted. Please authenticate !"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/secure-backends: "true"
    kubernetes.io/tls-acme: "true"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      access_log off;
...
```
Auth secret looks like,
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: kubernetes-dashboard-auth
  namespace: kube-system
type: Opaque
data:
  auth: <secret>
```
If I now look at the generated nginx.conf,
```nginx
listen 80;
listen [::]:80;
set $proxy_upstream_name "-";
listen 442 proxy_protocol ssl http2;
listen [::]:442 proxy_protocol ssl http2;
# PEM sha: 994df0924f7dd16cbcc15aa1ef63cd7203b0f156
ssl_certificate /etc/ingress-controller/ssl/kube-system-kubernetes-dashboard-tls.pem;
ssl_certificate_key /etc/ingress-controller/ssl/kube-system-kubernetes-dashboard-tls.pem;
location / {
    set $namespace "kube-system";
    set $ingress_name "kubernetes-dashboard";
    set $service_name "kubernetes-dashboard";
    set $service_port "443";
    set $location_path "/";
    rewrite_by_lua_block {
    }
    log_by_lua_block {
        monitor.call()
    }
    if ($scheme = https) {
        more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains";
    }
    port_in_redirect off;
    set $proxy_upstream_name "kube-system-kubernetes-dashboard-443";
    # enforce ssl on server side
    if ($redirect_to_https) {
        return 308 https://$best_http_host$request_uri;
    }
    auth_basic "Access is restricted. Please authenticate !";
    auth_basic_user_file /etc/ingress-controller/auth/kube-system-kubernetes-dashboard.passwd;
```
In particular the following, which seems to be loading the secret from the namespace,
auth_basic "Access is restricted. Please authenticate !";
auth_basic_user_file /etc/ingress-controller/auth/kube-system-kubernetes-dashboard.passwd;
I cannot see anything unusual in the logs either,
I0719 10:41:28.009823 7 event.go:221] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"kube-system", Name:"kubernetes-dashboard", UID:"4a917d5f-8b40-11e8-bf06-0007cb03c246", APIVersion:"extensions/v1beta1", ResourceVersion:"55795", FieldPath:""}): type: 'Normal' reason: 'CREATE' Ingress kube-system/kubernetes-dashboard
I0719 10:41:28.013591 7 backend_ssl.go:60] Updating Secret "kube-system/kubernetes-dashboard-tls" in the local store
I0719 10:41:28.571988 7 backend_ssl.go:182] Updating local copy of SSL certificate "kube-system/kubernetes-dashboard-tls" with missing intermediate CA certs
I0719 10:41:31.339962 7 controller.go:169] Configuration changes detected, backend reload required.
I0719 10:41:31.575809 7 controller.go:185] Backend successfully reloaded.
I0719 10:42:04.720662 7 status.go:362] updating Ingress kube-system/kubernetes-dashboard status to [{ }]
I0719 10:42:04.733465 7 event.go:221] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"kube-system", Name:"kubernetes-dashboard", UID:"4a917d5f-8b40-11e8-bf06-0007cb03c246", APIVersion:"extensions/v1beta1", ResourceVersion:"55891", FieldPath:""}): type: 'Normal' reason: 'UPDATE' Ingress kube-system/kubernetes-dashboard
I0719 10:42:04.734802 7 backend_ssl.go:60] Updating Secret "kube-system/kubernetes-dashboard-tls" in the local store
I0719 10:42:04.735287 7 controller.go:169] Configuration changes detected, backend reload required.
I0719 10:42:04.986761 7 controller.go:185] Backend successfully reloaded.
Any ideas what could be causing this ?
~Can you reproduce in your browser's private mode?~
Oh wait, you mentioned the kube-system/kubernetes-dashboard-auth Secret, but auth_basic_user_file seems to be using kube-system/kubernetes-dashboard. This is wrong, please check your Ingress object.
This is the annotation I have in the ingress object.
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: kubernetes-dashboard-auth
nginx.ingress.kubernetes.io/auth-realm: "Access is restricted. Please authenticate !"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/secure-backends: "true"
kubernetes.io/tls-acme: "true"
I don't see anything wrong with that.
@antoineco, digging further into https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/annotations/auth/main.go#L121, it appears to be using the ingress name as the auth_basic_user_file file name.
In other words this file auth_basic_user_file /etc/ingress-controller/auth/kube-system-kubernetes-dashboard.passwd does exist as below,
> k exec -n control nginx-ingress-controller-68cc654db6-wwlg4 -- ls -ltra /etc/ingress-controller/auth/kube-system-kubernetes-dashboard.passwd
-rw-r----- 1 www-data www-data 44 Jul 23 06:06 /etc/ingress-controller/auth/kube-system-kubernetes-dashboard.passwd
Let me try to reproduce this and get back to you.
Same here, but only if I try to use
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: kubernetes-dashboard-auth
and
nginx.ingress.kubernetes.io/configuration-snippet: 'more_set_headers "Request-Id: $request_id";'
in the same config.
If I remove the configuration-snippet the basic auth works just fine.
Any ideas?
I have the same (faulty) behaviour...
I'm not getting any errors that I've found (yet)
Basic config as follows:
Starting nginx-ingress-controller with "--annotations-prefix=ingress.kubernetes.io" (for backward annotation compatibility)
Case 1:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: prometheus-auth
nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "true"
Service answers just fine, but does not require any user/password at all.
Case 2:
ingress.kubernetes.io/auth-type: basic
ingress.kubernetes.io/auth-secret: prometheus-auth
ingress.kubernetes.io/auth-realm: "Authentication Required"
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "true"
We're getting 503 all the time, but the logs from nginx-ingress show it does find the correct service.
I can toggle the settings from case 1 and 2 back and forth and it keeps behaving as I've described it.
Is this related, and can it somehow help in isolating the cause?
Resolved: My mistake. By accident I got the "key"-name in the secret wrong. As stated in the docs:
It's important the file generated is named auth (actually - that the secret has a key data.auth), otherwise the ingress-controller returns a 503.
Solved by changing the secret, then it worked when using case 2
Closing. If the annotation nginx.ingress.kubernetes.io/ssl-passthrough is used, any other annotation is omitted. Please check the docs https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#ssl-passthrough
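
The three causes that surface in this thread (ssl-passthrough set next to the auth annotations, auth annotations written under a prefix the controller is not reading, and a Secret without the `auth` key) can be checked before an Ingress is deployed. The following is an added example, not code from the issue or from ingress-nginx; the function name, the finding codes, the sample objects and the wrong key name `htpasswd` are constructed, and it assumes the auth Secret lives in the same namespace as the Ingress.

```python
import base64

DEFAULT_PREFIX = "nginx.ingress.kubernetes.io"  # controller default

def lint_basic_auth(ingress, secrets, prefix=DEFAULT_PREFIX):
    """Return finding codes explaining why basic auth may not be enforced.

    ingress: Ingress as a dict (shape of `kubectl get ingress -o json`).
    secrets: {(namespace, name): Secret dict}.
    prefix:  value of the controller's --annotations-prefix flag.
    """
    meta = ingress["metadata"]
    ann = meta.get("annotations", {})
    if ann.get(prefix + "/auth-type") != "basic":
        # Auth annotations written under a different prefix are not read.
        return ["auth-type-not-set-under-prefix"]
    findings = []
    if ann.get(prefix + "/ssl-passthrough") == "true":
        # Per the closing comment: with passthrough, other annotations are omitted.
        findings.append("ssl-passthrough-overrides-auth")
    # Assumption: the Secret lives in the Ingress's own namespace.
    secret = secrets.get((meta["namespace"], ann.get(prefix + "/auth-secret")))
    if secret is None:
        findings.append("auth-secret-not-found")
    elif "auth" not in secret.get("data", {}):
        findings.append("auth-secret-missing-key-auth")  # thread reports a 503
    else:
        text = base64.b64decode(secret["data"]["auth"]).decode("utf-8", "replace")
        entries = [line for line in text.splitlines() if line.strip()]
        if not entries or any(":" not in line for line in entries):
            findings.append("auth-value-not-htpasswd")
    return findings

def _ingress(annotations):
    return {"metadata": {"namespace": "kube-system",
                         "name": "kubernetes-dashboard",
                         "annotations": annotations}}

# Constructed sample data; the htpasswd hash is a placeholder, not a real one.
HTPASSWD = base64.b64encode(b"admin:$apr1$constructed$placeholderhash\n").decode()
SECRETS = {
    ("kube-system", "kubernetes-dashboard-auth"): {"data": {"auth": HTPASSWD}},
    ("kube-system", "prometheus-auth"): {"data": {"htpasswd": HTPASSWD}},  # wrong key
}
N = DEFAULT_PREFIX
ISSUE_INGRESS = _ingress({N + "/auth-type": "basic",
                          N + "/auth-secret": "kubernetes-dashboard-auth",
                          N + "/ssl-passthrough": "true"})
WRONG_KEY_INGRESS = _ingress({"ingress.kubernetes.io/auth-type": "basic",
                              "ingress.kubernetes.io/auth-secret": "prometheus-auth"})
```

Calling `lint_basic_auth(ISSUE_INGRESS, SECRETS)` reproduces the original report's configuration; passing `prefix="ingress.kubernetes.io"` with `WRONG_KEY_INGRESS` reproduces the second reporter's "case 2".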