
nginx ingress use k8s secret as HTTP header


I am using nginx ingress with a setup like this:

nginx.ingress.kubernetes.io/auth-url: http://api/v1/introspect
nginx.ingress.kubernetes.io/auth-method: POST
nginx.ingress.kubernetes.io/auth-response-headers: X-User-Auth
nginx.ingress.kubernetes.io/auth-snippet: |
  proxy_set_header  auth-header "authheaderhere==";

My question is simple, but I'm not sure if the answer is:

How can I define the ingress without hardcoding the auth-header in the ingress definition?

The introspect endpoint (decodes the JWT token and attaches it to the original request that is proxied to other microservices) is not exposed outside of the cluster, but I want the extra peace of mind knowing that the endpoint, even in the cluster, only responds to authenticated requests (auth-header is a base64-encoded string which contains a client secret and client id).


Solution

  • You can use the annotation nginx.ingress.kubernetes.io/auth-proxy-set-headers (https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#external-authentication), referring to a ConfigMap which contains headers.

    Here you can find an example https://kubernetes.github.io/ingress-nginx/examples/customization/custom-headers
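
The setup from the question rewritten the way the answer describes, as an added example that is not from the original post or the ingress-nginx documentation: the header moves out of the auth-snippet into a ConfigMap that the Ingress references as namespace/name. The names demo, introspect-auth-headers, my-app, app.example.com and my-service, the nginx ingress class, and the header value are assumptions or placeholders.

```yaml
# Constructed example; all names and the header value are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: introspect-auth-headers   # hypothetical name
  namespace: demo                 # hypothetical; same namespace as the Ingress
data:
  # Each key is a header name, each value the header value sent to auth-url.
  auth-header: "<base64-client-id-and-secret-placeholder>"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app                    # hypothetical name
  namespace: demo
  annotations:
    nginx.ingress.kubernetes.io/auth-url: http://api/v1/introspect
    nginx.ingress.kubernetes.io/auth-method: POST
    nginx.ingress.kubernetes.io/auth-response-headers: X-User-Auth
    # Replaces the auth-snippet; value is <namespace>/<ConfigMap name>.
    nginx.ingress.kubernetes.io/auth-proxy-set-headers: demo/introspect-auth-headers
spec:
  ingressClassName: nginx         # assumed ingress class
  rules:
    - host: app.example.com       # hypothetical host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service  # hypothetical backend
                port:
                  number: 80
```

A ConfigMap is not a Secret object: the value is stored and shown in plain text, so this removes the credential from the Ingress manifest but does not protect it at rest. Read access to the ConfigMap should be limited with RBAC to the ingress controller and the people who manage the credential.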