
I'm facing a problem with my Kubernetes Ingress and OAuth2 Proxy. When accessing my application through the Ingress, I expect to be redirected to the Okta authentication page, but I'm getting 500 Internal Server Error. Here is my conf:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-signin: https://appli-test.kube.fr/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: https://appli-test.kube.fr/oauth2/auth
  name: ingress
  namespace: h1
spec:
  ingressClassName: nginx
  rules:
    - host: appli-test.kube.fr
      http:
        paths:
          - backend:
              service:
                name: backend
                port:
                  number: 8800
            path: /api
            pathType: Prefix
          - backend:
              service:
                name: frontend
                port:
                  number: 80
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - appli-test.kube.fr
      secretName: test-tl

The conf of my deployment:

    spec:
      containers:
        - args:
            - '--http-address=0.0.0.0:4180'
            - '--https-address=0.0.0.0:4443'
            - '--metrics-address=0.0.0.0:44180'
            - '--config=/etc/oauth2_proxy/oauth2_proxy.cfg'
          env:
            - name: OAUTH2_PROXY_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  key: client-id
                  name: oauth2-proxy
            - name: OAUTH2_PROXY_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: client-secret
                  name: oauth2-proxy
            - name: OAUTH2_PROXY_COOKIE_SECRET
              valueFrom:
                secretKeyRef:
                  key: cookie-secret
                  name: oauth2-proxy

My ConfigMap:

data:
  oauth2_proxy.cfg: |
    provider = "oidc"

    # the Ingress above terminates TLS for this host, so the callback is reached over https
    redirect_url = "https://appli-test.kube.fr/oauth2/callback"

    oidc_issuer_url = "https://dev-xxxx.okta.com/oauth2/xxxx"

    upstreams = [
        "http://appli-test.kube.fr"
    ]

    email_domains = [
        "*"
    ]

    # redacted in the post; the Deployment also injects these from the oauth2-proxy Secret
    client_id = "xxx"
    client_secret = "xxxx"
    cookie_secret = "xxx"

    pass_access_token = true
    skip_provider_button = true

And the Service of oauth2-proxy:

spec:
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - appProtocol: http
      name: http
      port: 4180
      protocol: TCP
      targetPort: http
    - appProtocol: http
      name: metrics
      port: 44180
      protocol: TCP
      targetPort: metrics
  selector:
    app.kubernetes.io/instance: oauth2-proxy
    app.kubernetes.io/name: oauth2-proxy
  sessionAffinity: None
  type: ClusterIP

I didn't create any Ingress for oauth2-proxy. Thank you in advance for your assistance!


1 Answer


How to fix

Hi, I had the same problem and solved it by using the cluster.local address for the nginx.ingress.kubernetes.io/auth-url annotation.

Where the second annotation looks like nginx.ingress.kubernetes.io/auth-url: http://<kube-service-name>.<kube-namespace>.svc.cluster.local/oauth2/auth.

If you use, for example, the Bitnami chart for oauth2-proxy and the standard namespace for it, it looks like this:

kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-signin: https://appli-test.kube.fr/oauth2/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.oauth2-proxy.svc.cluster.local/oauth2/auth
  name: ingress

After validation, you can add the following (annotations without a specific host URL) to simplify the Ingress configuration:

kind: Ingress
metadata:
  annotations:
    # $host is expanded by nginx to the host being served; the path keeps oauth2-proxy's /oauth2 prefix used above
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri

Why not the public address?

Those errors are caused by an SSL issue, since the certificate's CN is for the company and not the IP addresses.

You can check the ingress-controller logs and see something like this:

$ kubectl -n ingress logs nginx-ingress-controller-... -f
2022/02/01 20:08:24 [warn] 519#519: *30970 upstream server temporarily disabled while reading response header from upstream, client: 10.999.50.43, server: appli-test.kube.fr, request: "GET /favicon.ico HTTP/1.1", subrequest: "/_external-auth-Lw-Prefix", upstream: "https://52.7.179.999:443/oauth2/auth", host: "appli-test.kube.fr", referrer: "https://appli-test.kube.fr/"

As you can see, upstream here looks like upstream: "https://52.7.179.999:443/oauth2/auth", but should be upstream: "https://appli-test.kube.fr/oauth2/auth".

This is an ingress-controller misconfiguration.
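The rule in the answer (auth-url stays on the in-cluster Service address, auth-signin stays on the public https host) can be turned into a check you run over an Ingress before applying it, together with a reader for the log symptom shown above. The Python below is an added example and is not part of the original question or answer: the annotation values are copied from the two Ingress manifests on this page, the sample log line is constructed to match the shape of the answer's ingress-nginx entry (with a documentation IP instead of the redacted one), and the function and constant names are my own.

```python
"""Lint the ingress-nginx external-auth annotation pair for the public-host
hairpin that produces the 500 described above, and explain the upstream an
ingress-nginx error line reports. Standard library only."""
import re
from urllib.parse import urlparse

AUTH_URL = "nginx.ingress.kubernetes.io/auth-url"
AUTH_SIGNIN = "nginx.ingress.kubernetes.io/auth-signin"
CLUSTER_SUFFIX = ".svc.cluster.local"

# Pulls the quoted upstream field out of an ingress-nginx error-log line.
UPSTREAM_RE = re.compile(r'upstream: "(?P<url>[^"]+)"')
DOTTED_QUAD_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

INGRESS_HOSTS = ["appli-test.kube.fr"]

# Annotation pair from the Ingress in the question (subrequest hairpins through the public host).
BROKEN_ANNOTATIONS = {
    AUTH_SIGNIN: "https://appli-test.kube.fr/oauth2/start?rd=$escaped_request_uri",
    AUTH_URL: "https://appli-test.kube.fr/oauth2/auth",
}
# Annotation pair from the answer (subrequest stays on the cluster network).
FIXED_ANNOTATIONS = {
    AUTH_SIGNIN: "https://appli-test.kube.fr/oauth2/start?rd=$escaped_request_uri",
    AUTH_URL: "http://oauth2-proxy.oauth2-proxy.svc.cluster.local/oauth2/auth",
}
# Constructed log line, modelled on the answer's entry; 203.0.113.10 is a documentation address.
SAMPLE_LOG_LINE = (
    '2022/02/01 20:08:24 [warn] 519#519: *30970 upstream server temporarily disabled '
    'while reading response header from upstream, client: 10.0.50.43, server: appli-test.kube.fr, '
    'request: "GET /favicon.ico HTTP/1.1", subrequest: "/_external-auth-Lw-Prefix", '
    'upstream: "https://203.0.113.10:443/oauth2/auth", host: "appli-test.kube.fr"'
)


def check_auth_annotations(annotations, ingress_hosts):
    """Return a list of findings; an empty list means auth-url stays in-cluster
    and auth-signin sends the browser to the public https host."""
    findings = []
    auth_url = annotations.get(AUTH_URL)
    if not auth_url:
        return [f"{AUTH_URL} is missing; nginx has nowhere to send the auth_request subrequest"]
    u = urlparse(auth_url)
    host = u.hostname or ""
    # The subrequest is issued by nginx itself. Sending it to one of this Ingress's own
    # hosts makes nginx go back out through the public address and do TLS against an IP
    # the certificate does not name; the original request then fails with a 500.
    if host in ingress_hosts:
        findings.append(f"{AUTH_URL} points at this Ingress's own host {host!r}; "
                        f"use <svc>.<ns>{CLUSTER_SUFFIX} instead")
    elif not host.endswith(CLUSTER_SUFFIX):
        # Short Service names also resolve from the controller's namespace; the answer
        # uses the fully qualified form, so that is what this check asks for.
        findings.append(f"{AUTH_URL} host {host!r} is not a fully qualified in-cluster Service address")
    if u.scheme == "https" and not host.endswith(CLUSTER_SUFFIX):
        findings.append(f"{AUTH_URL} uses https; nginx verifies the certificate against the address it connects to")
    if not u.path.endswith("/oauth2/auth"):
        findings.append(f"{AUTH_URL} path {u.path!r} is not oauth2-proxy's /oauth2/auth endpoint")

    signin = annotations.get(AUTH_SIGNIN)
    if not signin:
        findings.append(f"{AUTH_SIGNIN} is missing; unauthenticated browsers get a bare 401 instead of a redirect")
        return findings
    s = urlparse(signin)
    shost = s.hostname or ""
    if s.scheme != "https":
        findings.append(f"{AUTH_SIGNIN} must be https; the browser is redirected there")
    # $host is expanded by nginx at request time to the Ingress host being served.
    if shost != "$host" and shost not in ingress_hosts:
        findings.append(f"{AUTH_SIGNIN} host {shost!r} is neither $host nor one of this Ingress's hosts")
    if "rd=$escaped_request_uri" not in signin:
        findings.append(f"{AUTH_SIGNIN} lacks rd=$escaped_request_uri, so users land on / after login")
    return findings


def diagnose_log_line(line):
    """Explain the upstream an ingress-nginx error line reports; None if there is none."""
    m = UPSTREAM_RE.search(line)
    if not m:
        return None
    up = urlparse(m.group("url"))
    host = up.hostname or ""
    if up.scheme == "https" and DOTTED_QUAD_RE.fullmatch(host):
        return (f"auth subrequest went to {host}:{up.port or 443} over TLS: nginx resolved the public "
                f"auth-url to an IP and the certificate does not match that IP")
    if host.endswith(CLUSTER_SUFFIX):
        return f"auth subrequest stayed in-cluster ({host})"
    return f"auth subrequest went to {up.scheme}://{host}"


if __name__ == "__main__":
    for label, ann in (("question", BROKEN_ANNOTATIONS), ("answer", FIXED_ANNOTATIONS)):
        print(f"{label}: {check_auth_annotations(ann, INGRESS_HOSTS) or 'OK'}")
    print(diagnose_log_line(SAMPLE_LOG_LINE))
```

Run as a script it reports two findings for the question's Ingress and none for the answer's. One caveat that goes with the fix: on the in-cluster URL the auth subrequest, which carries the user's session cookie, travels over plain http on the pod network. That is the usual trade-off for not hairpinning through the public TLS endpoint, and it is acceptable on a trusted cluster network or where a service mesh encrypts pod-to-pod traffic.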
