I am running a GKE cluster (v1.16.15gke.4300) and the nginx ingress authentication is failing. The snippet below is for external oauth2 authentication, but even basic auth is not working. It seems that nginx is completely ignoring these annotations.
The oauth2 proxy with the Google API is actually working fine, but nginx is not including the auth configuration in its own configuration. I can easily check that on the running nginx pods. No auth conf there.
nginx ingress controller:
repoURL: 'https://helm.nginx.com/stable'
targetRevision: 0.6.1
version: nginx/1.19.2
The live manifest for an ingress service protected by oauth2:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/auth-signin: https://oauth2.####.net/oauth2/start?rd=$escaped_request_uri
    ingress.kubernetes.io/auth-url: https://oauth2.####.net/oauth2/auth
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Ingress","metadata":{"annotations":##########}
  creationTimestamp: "####"
  finalizers:
  - networking.gke.io/ingress-finalizer-V2
  generation: 1
  labels:
    argocd.argoproj.io/instance: k8s-default
  name: dashboard-ingress
  namespace: kubernetes-dashboard
  resourceVersion: "22174124"
  selfLink: /apis/extensions/v1beta1/namespaces/kubernetes-dashboard/ingresses/dashboard-ingress
  uid: 34263f6b-6818-403f-####-4c6acb196c49
spec:
  rules:
  - host: dashboard.###.net
    http:
      paths:
      - backend:
          serviceName: kdashboard-kubernetes-dashboard
          servicePort: 8080
        path: /
  tls:
  - hosts:
    - dashboard.###.net
    secretName: reflect-certificate-secret-internal
status:
  loadBalancer:
    ingress:
    - ip: ##.##.##.##
When running the service I never get a 403/401:
curl -I 'https://dashboard.###.net/'
HTTP/1.1 200 OK
Server: nginx/1.19.2
Date: Mon, 14 Dec 2020 19:50:05 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1272
Connection: keep-alive
Accept-Ranges: bytes
Cache-Control: no-store
Last-Modified: Mon, 22 Jun 2020 14:25:00 GMT
EDIT:
Based on the info you provided, it looks like you are using the Nginxinc Ingress Controller and not the NGINX Ingress Controller, which are not the same. The Nginxinc Ingress Controller is different from the NGINX Ingress Controller in the kubernetes/ingress-nginx repo and also different from the default GKE Ingress Controller. The main difference that would affect your use case is that they all use different annotations, and those annotations can only be satisfied by the proper controller. You can find the key differences between the controllers mentioned above here and here.
Below are some useful docs/guides:
External OAUTH Authentication: The auth-url and auth-signin annotations allow you to use an external authentication provider to protect your Ingress resources.
Securing your website with OAuth2 using NGINX Ingress Controller: NGINX Ingress Controller can be combined with oauth2_proxy to enable many OAuth providers like Google, GitHub and others.
To sum up:
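The mismatch the answer describes, as an added example that is not part of the original post or either project's code: a lint over an Ingress (as returned by `kubectl get ingress -o json`) that lists the auth annotations the deployed controller will not enforce, which is the fail-open state behind the `200 OK` in the question. The controller table is an assumption taken from each project's public documentation, and the sample manifests are constructed with placeholder hosts.

```python
"""Flag auth annotations on an Ingress that the deployed controller will not act on."""

# Assumption (from each project's public docs, not from the page): the annotation
# prefixes each controller reads and the auth-* names it implements.
CONTROLLERS = {
    "kubernetes/ingress-nginx": {
        "prefixes": ("nginx.ingress.kubernetes.io/",),  # default --annotations-prefix
        "auth_names": {"auth-url", "auth-signin", "auth-type", "auth-secret", "auth-realm"},
    },
    "nginxinc/kubernetes-ingress": {
        "prefixes": ("nginx.org/", "nginx.com/"),
        "auth_names": set(),  # assumed: no auth-url/auth-signin equivalents
    },
}
ALL_AUTH_NAMES = set().union(*(c["auth_names"] for c in CONTROLLERS.values()))


def unenforced_auth_annotations(ingress, controller):
    """Return the sorted auth annotation keys that `controller` silently ignores."""
    spec = CONTROLLERS[controller]
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    ignored = []
    for key in annotations:
        prefix, _, name = key.rpartition("/")
        if name not in ALL_AUTH_NAMES:
            continue  # unrelated annotation, e.g. last-applied-configuration
        if prefix + "/" not in spec["prefixes"] or name not in spec["auth_names"]:
            ignored.append(key)  # the route fails open: no auth is configured
    return sorted(ignored)


def with_annotations(prefix):
    """Constructed sample shaped like the page's manifest; hosts are placeholders."""
    return {"kind": "Ingress", "metadata": {"name": "dashboard-ingress", "annotations": {
        prefix + "auth-url": "https://oauth2.example.net/oauth2/auth",
        prefix + "auth-signin": "https://oauth2.example.net/oauth2/start?rd=$escaped_request_uri",
        "kubectl.kubernetes.io/last-applied-configuration": "{}",
    }}}


AS_POSTED = with_annotations("ingress.kubernetes.io/")
RENAMED = with_annotations("nginx.ingress.kubernetes.io/")

if __name__ == "__main__":
    for name in CONTROLLERS:
        for label, manifest in (("as posted", AS_POSTED), ("renamed", RENAMED)):
            print(name, label, unenforced_auth_annotations(manifest, name))
```

A non-empty result means the Ingress is served without the intended authentication; an unauthenticated `curl -I` against the host, as in the question, confirms it from outside the cluster.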