I have a Kubernetes Ingress setup as this:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: api
namespace: staging
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/rewrite-target: /hello/$1
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/auth-url: http://external-auth/authenticate
nginx.ingress.kubernetes.io/auth-response-headers: X-MemberId
nginx.ingress.kubernetes.io/auth-method: GET
nginx.ingress.kubernetes.io/configuration-snippet: |
error_page 401 = @unauthorized;
nginx.ingress.kubernetes.io/server-snippet: |
location @unauthorized {
return 401 "Unauthorized";
}
spec:
...
CORS works fine when requests are successfully authenticated, but when authentication fails (the external-auth responds with HTTP 401) there seems to be no CORS headers sent with the response.
I have tried configuring my external auth service to also respond with CORS headers, but it seems that nginx is dropping these headers.
Does anyone know how to set this up?
I managed to solve my own problem. The issue existed because I had configured a custom error page for HTTP 401, with these two lines:
nginx.ingress.kubernetes.io/configuration-snippet: |
error_page 401 = @unauthorized;
nginx.ingress.kubernetes.io/server-snippet: |
location @unauthorized {
return 401 "Unauthorized";
}
If I set a custom error page nginx.ingress.kubernetes.io/enable-cors: "true" will not come into effect for 401 responses.
The solution was to modify the custom error page location, with the following config:
nginx.ingress.kubernetes.io/server-snippet: |
location @unauthorized {
# cors for 401 responses
add_header "Access-Control-Allow-Origin" "*" always;
return 401 "Unauthorized";
}
This solved the problem!