Search code examples
azureazure-aksnginx-ingressazure-container-instancesazure-container-registry

Nginx ingress basic auth doesn't work with AKS

I was following https://kubernetes.github.io/ingress-nginx/examples/auth/basic/ to set basic auth for my service in AKS running behind Nginx ingress
I have the following secret:

apiVersion: v1
kind: Secret
metadata:
  name: basic-auth
  namespace: default
  selfLink: /api/v1/namespaces/default/secrets/basic-auth
data:
  auth: Zm9vOiRhcHIxJFJYcWhKZnFOJGdlUThDNjFnQkJSdXVoWWZEbU53VDAK
type: Opaque

..and the following Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/use-regex: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/satisfy: "any"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
spec:
  ingressClassName: nginx
  rules:
  - http:
      paths:
      - path: /hello-world-one(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: aks-helloworld-one
            port:
              number: 80

it works as expected on my docker-desktop k8s cluster,
but on AKS (v1.26.6) it asks for password once, doesn't open the page and never asks for creds again (tried from different browsers of course)

Am I doing smtg wrong?

Solution

  • The issue your facing is that the basic auth is not being remembered by the browser. this is a known issue with AKS and Nginx ingress. there is a workaround for this issue, but it requires some changes to the ingress configuration.

    The workaround is to add the following annotation to the ingress:

    nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Redirect

    This annotation tells Nginx ingress to add the X-Auth-Request-Redirect header to the response. This header can be used by the browser to remember the credentials.

    To apply this workaround, you need to update the ingress configuration as follows:

        apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: hello-world-ingress
    annotations:
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
      nginx.ingress.kubernetes.io/use-regex: "true"
      nginx.ingress.kubernetes.io/rewrite-target: /$2
      nginx.ingress.kubernetes.io/satisfy: "any"
      nginx.ingress.kubernetes.io/auth-type: basic
      nginx.ingress.kubernetes.io/auth-secret: basic-auth
      nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
      nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Redirect
    spec:
      ingressClassName: nginx
      rules:
        - http:
            paths:
              - path: /hello-world-one(/|$)(.*)
                pathType: Prefix
                backend:
                  service:
                    name: aks-helloworld-one
                    port:
                      number: 80

    Once you have updated the Ingress configuration, you need to restart the Ingress controller using the following command:

    kubectl rollout restart ingress hello-world-ingress

    After the Ingress controller has restarted, you will be able to access the service without having to enter your credentials again

    Reference:MS Doc