Custom response for Ingress-Nginx External Authentication

0
votes

I have deployed my Kubernetes cluster on EKS. I have an ingress-nginx which is exposed via load balancer to route traffic to different services. In ingress-nginx first request goes to auth service for authentication and if it is a valid request then I allow it to move forward. This is done using ingress-nginx annotation nginx.ingress.kubernetes.io/auth-url. Auth service is developed using FastAPI. In case of 401 response from fastAPI look like this FASTAPI

But when I use ingress-nginx the response look like this INGRESS_NGINX

Is there a way to get JSON respone from Ingress-nginx? Ingress File

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    kubernetes.io/ingress.class: 'nginx'
    nginx.ingress.kubernetes.io/use-regex: 'true'
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/auth-response-headers: item_id
    nginx.ingress.kubernetes.io/auth-method: POST
    nginx.ingress.kubernetes.io/auth-url: http://pth-auth.default.svc.cluster.local:8000/item/1
    # UPDATE THIS LINE ABOVE
spec:
  rules:
    - http:
        paths:
          - path: /?(.*)
            # UPDATE THIS LINE ABOVE
            backend:
              serviceName: client-cluster-ip-service
              servicePort: 3000
          - path: /api/?(.*)
            # UPDATE THIS LINE ABOVE
            backend:
              serviceName: server-cluster-ip-service
              servicePort: 5000
          - path: /pth-auth/?(.*)
            # UPDATE THIS LINE ABOVE
            backend:
              serviceName: pth-auth
              servicePort: 8000
1
jsonkubernetesnginx-ingressfastapi
Can you provide your ingress yaml file ?Malgorzata
Added Ingress File.Devendra Singh khurana
Please take a look at this stackoverflow.com/questions/62770975/… stackoverflow.com/questions/58997958/… Can you add tls section to ingress yaml file and and access url via https - change it in annotation.Malgorzata

1 Answers

1
votes

This worked for me, took reference from here https://github.com/kubernetes/ingress-nginx/issues/2292

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    kubernetes.io/ingress.class: 'nginx'
    nginx.ingress.kubernetes.io/use-regex: 'true'
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/auth-response-headers: item_id
    nginx.ingress.kubernetes.io/auth-method: POST
    nginx.ingress.kubernetes.io/auth-url: http://pth-auth.default.svc.cluster.local:8000/items/1
    nginx.ingress.kubernetes.io/server-snippet: |
      location = /error/401 {
        proxy_method POST;
        proxy_pass http://pth-auth.default.svc.cluster.local:8000/error/401;
      }
      location = /error/403 {
        proxy_method POST;
        proxy_pass http://pth-auth.default.svc.cluster.local:8000/error/403;
      }
    nginx.ingress.kubernetes.io/configuration-snippet: |
      error_page 401 /error/401;
      error_page 403 /error/403;
    # UPDATE THIS LINE ABOVE
spec:
  rules:
    - http:
        paths:
          - path: /?(.*)
            # UPDATE THIS LINE ABOVE
            backend:
              serviceName: client-cluster-ip-service
              servicePort: 3000
          - path: /api/?(.*)
            # UPDATE THIS LINE ABOVE
            backend:
              serviceName: server-cluster-ip-service
              servicePort: 5000
          - path: /pth-auth/?(.*)
            # UPDATE THIS LINE ABOVE
            backend:
              serviceName: pth-auth
              servicePort: 8000

You just need to tell nginx in case of error route traffic to this location and their your function will handle specific errors. In my case, function is error/{error_code}.