Describe the problem
We hosted vouch proxy behind Kubernetes Nginx ingress, and the Ingress looks like this:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    meta.helm.sh/release-name: vouch-oauth2-proxy
  labels:
    app.kubernetes.io/instance: vouch-oauth2-proxy
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vouch
    app.kubernetes.io/version: "0.36"
    helm.sh/chart: vouch-3.1.0
  name: vouch-oauth2-proxy
spec:
  ingressClassName: nginx
  rules:
  - host: authproxy.yourdomain.com
    http:
      paths:
      - backend:
          service:
            name: vouch-oauth2-proxy
            port:
              name: http
        path: /vouch-proxy
        pathType: Prefix
```
The applications are also exposed behind the same nginx-ingress and configured similarly to the example shown at https://github.com/vouch/vouch-proxy?tab=readme-ov-file#kubernetes-nginx-ingress
The setup had been working well but stopped working after we upgraded our ingress-nginx chart from 4.9.1 to 4.12.0, and requests now go to the ingress-nginx default backend. The ingress-nginx admission webhook is also blocking further updates to the applications' ingress config with this error: "one or more objects failed to apply, reason: admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: annotation group ExternalAuth". We believe this is due to using `nginx.ingress.kubernetes.io/auth-snippet`, which the ingress-nginx community treats as critical in terms of risk. We tried disabling the admission webhook and setting `allowSnippetAnnotations: true` (https://github.com/kubernetes/ingress-nginx/blob/helm-chart-4.12.0/charts/ingress-nginx/values.yaml#L101), but it did not help.
There are no logs on vouch proxy, since all requests are going to the ingress-nginx default backend (404).
Are there alternatives that avoid the critical-risk `nginx.ingress.kubernetes.io/auth-snippet` annotation?
Does vouch-proxy work with newer Kubernetes ingress-nginx chart versions, 4.12.x or above? I would appreciate it if you have any working example for Kubernetes Nginx Ingress.
Expected behavior
vouch-proxy Kubernetes Nginx Ingress should work even after upgrading the ingress-nginx version.
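
The controller settings that gate `auth-snippet` on this chart version, shown as an added example that is not part of the original report or of the vouch-proxy project. It assumes ingress-nginx's `annotations-risk-level` ConfigMap option, set through the chart's `controller.config` map, and assumes its default is `High`, which is below the Critical level the report describes for `auth-snippet`.

```yaml
# values.yaml for the ingress-nginx chart (added example, not from the report)
controller:
  # The setting the report describes trying. On its own it only permits
  # snippet annotations as a class; the risk threshold below still applies.
  allowSnippetAnnotations: true

  config:
    # Assumption: ConfigMap key for the highest annotation risk level that the
    # controller and its admission webhook accept (assumed default: High).
    # Critical-risk annotations are rejected unless this is raised.
    annotations-risk-level: Critical
```

With both values set, anyone who can create or edit an Ingress in the cluster can inject raw nginx configuration into the shared controller, so Ingress write access needs to be restricted through RBAC to match.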