I am using nginx ingress with a setup like this:
nginx.ingress.kubernetes.io/auth-url: http://api/v1/introspect
nginx.ingress.kubernetes.io/auth-method: POST
nginx.ingress.kubernetes.io/auth-response-headers: X-User-Auth
nginx.ingress.kubernetes.io/auth-snippet: |
  proxy_set_header auth-header "authheaderhere==";
My question is simple, but I am not sure if the answer is: how can I define the ingress without hardcoding the auth-header in the ingress definition?
The introspect endpoint (which decodes the JWT token and attaches it to the original request that is proxied to other microservices) is not exposed outside of the cluster, but I want the extra peace of mind of knowing that the endpoint, even in the cluster, only responds to authenticated requests (auth-header is a base64-encoded string which contains a client secret and client id).
2 Answers
Develop your own controller. An example of how to do it is here.
If you don’t want to attach it to the Ingress entity – somebody has to.
Your own controller can watch existing Ingresses (filtered by some label of yours) and update the Ingress manifests: attach the annotations you want.
If you want to hide your JWT token in a Secret – there is no easy way to do it with the vanilla Nginx IngressController. The source says that:
i.e. just a sample of nginx config you may include, without additional transformations.
But if you can deploy an additional IngressController instance, you can use the global-auth-snippet parameter there. Add your snippet to Nginx’s ConfigMap. Then create some IngressClass and add the kubernetes.io/ingress.class=my_ingress_class_name annotation to your Ingresses (or even make the class the default for the cluster).

You can use the annotation nginx.ingress.kubernetes.io/auth-proxy-set-headers (https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#external-authentication), referring to a ConfigMap which contains headers. Here you can find an example: https://kubernetes.github.io/ingress-nginx/examples/customization/custom-headers