How to setup CORS for Kubernetes Ingress Nginx auth-url when response is 401?

Question

I have a Kubernetes Ingress setup as this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  namespace: staging
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: /hello/$1
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/auth-url: http://external-auth/authenticate
    nginx.ingress.kubernetes.io/auth-response-headers: X-MemberId
    nginx.ingress.kubernetes.io/auth-method: GET
    nginx.ingress.kubernetes.io/configuration-snippet: |
      error_page 401 = @unauthorized;
    nginx.ingress.kubernetes.io/server-snippet: |
      location @unauthorized {
        return 401 "Unauthorized";
      }
spec:
  ...

CORS works fine when requests are successfully authenticated, but when authentication fails (the external-auth responds with HTTP 401) there seems to be no CORS headers sent with the response.

I have tried configuring my external auth service to also respond with CORS headers, but it seems that nginx is dropping these headers.

Does anyone know how to set this up?

Answer 1

I managed to solve my own problem. The issue existed because I had configured a custom error page for HTTP 401, with these two lines:

nginx.ingress.kubernetes.io/configuration-snippet: |
  error_page 401 = @unauthorized;
nginx.ingress.kubernetes.io/server-snippet: |
  location @unauthorized {
    return 401 "Unauthorized";
  }

If I set a custom error page nginx.ingress.kubernetes.io/enable-cors: "true" will not come into effect for 401 responses.

The solution was to modify the custom error page location, with the following config:

nginx.ingress.kubernetes.io/server-snippet: |
  location @unauthorized {
    # cors for 401 responses
    add_header "Access-Control-Allow-Origin" "*" always;
    return 401 "Unauthorized";
  }

This solved the problem!