3

I cannot set basic auth up on one of my paths. I would like to have the /auth path secured by basic auth; all the other paths don't need basic auth. So I created two ingress files which point to the same backend:

Non-auth ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: main-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /.*
            backend:
              serviceName: example-service
              servicePort: 4000

Auth-ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "false"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /auth
            backend:
              serviceName: example-service
              servicePort: 4000

All secrets are set correctly. What am I missing and how can I make it work?

Murakami

1 Answer

0

Try to create another service for the backend which needs authentication:

  1. main-ingress contains the spec for the service(s) which don't require authentication through nginx, e.g. example-service.
  2. auth-ingress contains the spec for the service(s) which require authentication (basic in my case) through nginx, e.g. auth-service.

Your auth-ingress should look like:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "false"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /auth
            backend:
              serviceName: auth-service
              servicePort: <auth-service-port>

Also, you can try to deny traffic to the /auth path in the first ingress, main-ingress.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: main-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/use-regex: "true"
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      location /auth {
        deny all;
      }
spec:
  tls:
    - hosts:
        - example.com
      secretName: example-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /.*
            backend:
              serviceName: example-service
              servicePort: 4000

Take a look: ingress-nginx-issues, kubernetes-ingress-network-deny-some-paths, kubernetes-ingress-nginx-re-write-does-not-match.

Malgorzata
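
An added check, not part of either post above: it flags any basic-auth protected path that an unauthenticated Ingress rule on the same host also matches, as the question's `/.*` does for `/auth`. The reduced dict layout and the function names are assumptions of this example, and the regex handling is a simplified model of how the controller matches paths.

```python
import re

PREFIX = "nginx.ingress.kubernetes.io/"

# Constructed input: the question's two Ingress objects, reduced to the
# fields this check reads (name, annotations, host, paths).
INGRESSES = [
    {"name": "main-ingress",
     "annotations": {PREFIX + "use-regex": "true"},
     "rules": [{"host": "example.com", "paths": ["/.*"]}]},
    {"name": "auth-ingress",
     "annotations": {PREFIX + "use-regex": "false",
                     PREFIX + "auth-type": "basic",
                     PREFIX + "auth-secret": "basic-auth"},
     "rules": [{"host": "example.com", "paths": ["/auth"]}]},
]

def entries(ingresses):
    """Flatten to (host, path, ingress name, is_regex, has_auth) tuples."""
    for ing in ingresses:
        ann = ing.get("annotations", {})
        is_regex = ann.get(PREFIX + "use-regex") == "true"
        has_auth = PREFIX + "auth-type" in ann
        for rule in ing["rules"]:
            for path in rule["paths"]:
                yield rule["host"], path, ing["name"], is_regex, has_auth

def covers(open_path, is_regex, protected_path):
    """True if the unauthenticated rule's path also matches the protected path."""
    if is_regex:
        # Assumption of this check: regex paths are anchored at the start
        # and case-insensitive; Python's re stands in for nginx's PCRE.
        return re.match(open_path, protected_path, re.IGNORECASE) is not None
    prefix = open_path.rstrip("/") + "/"
    return protected_path == open_path or protected_path.startswith(prefix)

def shadowed_auth_paths(ingresses):
    """List protected paths that an unauthenticated rule on the same host also matches."""
    rows = list(entries(ingresses))
    findings = []
    for host, ppath, pname, _, pauth in rows:
        for ohost, opath, oname, oregex, oauth in rows:
            if pauth and not oauth and ohost == host and covers(opath, oregex, ppath):
                findings.append((host, ppath, pname, opath, oname))
    return findings

if __name__ == "__main__":
    for f in shadowed_auth_paths(INGRESSES):
        print("%s%s (%s) is also matched by %r in %s" % f)
```

A finding means that which rule serves the path depends on how the controller orders its locations, so confirm with an unauthenticated request that the protected path returns 401.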