ingress-nginx: External OAUTH Authentication documentation not working with Kubernetes Dashboard v2 setup

NGINX Ingress controller version: 0.32.0

Kubernetes version (use kubectl version): v1.18.2

Environment:

  • Cloud provider or hardware configuration: Azure
  • OS (e.g. from /etc/os-release): Linux

What happened:

I’m running an Azure Kubernetes Service cluster (v1.15), and had a setup like this https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/#example-oauth2-proxy-kubernetes-dashboard for exposing & securing the K8S dashboard. This worked as expected. After updating the Dashboard to v2.0.1 it seems the setup doesn’t work anymore:

  • first, the new dashboard expects HTTPS traffic on the 443 port instead of 80. Can be fixed by annotating the ingress with nginx.ingress.kubernetes.io/backend-protocol: "HTTPS". Using the alternative.yml deployment, we can have the dashboard listening on port 80 instead (similar to setup before the update). In either of these cases, the issue still occurs.

  • seems the oauth2_proxy authentication part works fine since I get the cookies saved in the browser (because I use AzureAD the cookies are being split in chunks of 4kb, thus ending up with 3 cookies. Haven’t tried the Redis storage yet.)

  • after the cookies are being set, NGINX returns a 500 error to the browser, and the following logs on the ingress controller:

10.244.0.1 - - [04/Jun/2020:09:29:43 +0000] "GET /favicon.ico HTTP/2.0" 500 580 "https://kube.domain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 7289 0.004 [kubernetes-dashboard-kubernetes-dashboard-80] [] - - - - 88e42e8f8fde415d47c857a51fd5e1cc
10.244.0.1 - - [04/Jun/2020:09:29:43 +0000] "GET /oauth2/auth HTTP/1.1" 400 636 "https://kube.domain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 764 0.000 [] [] - - - - 88e42e8f8fde415d47c857a51fd5e1cc
2020/06/04 09:29:43 [error] 111#111: *22038 auth request unexpected status: 400 while sending to client, client: 10.244.0.1, server: kube.domain.com, request: "GET /favicon.ico HTTP/2.0", host: "kube.domain.com", referrer: "https://kube.domain.com/"

I’ve tried both secure and insecure dashboard deployments, also the dashboard that comes with AKS (v1.16+), same issues occur.

What you expected to happen:

The dashboard would be accessible over my domain, instead I get 500 Internal Server Error right after authenticating with Azure AD.

How to reproduce it:

Follow the steps described here: https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/#example-oauth2-proxy-kubernetes-dashboard

The issue occurs when trying to secure the v2.0+ of the Kubernetes Dashboard, the previous versions seem to work fine.

/kind documentation
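
The logs above pair a 400 on /oauth2/auth with a 500 to the client under one request ID: NGINX's auth_request module allows on 2xx, denies on 401/403, and treats any other subrequest status as an error, which the client sees as a 500. The following is an added example, not part of the original report or of ingress-nginx; it correlates the two access-log lines per request ID to separate that failure from ordinary denials. It assumes the request ID is the last field of each access-log line, and the function names and sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the log lines in the report
# (user agent shortened, request IDs made up).
SAMPLE = """\
10.244.0.1 - - [04/Jun/2020:09:29:43 +0000] "GET /favicon.ico HTTP/2.0" 500 580 "https://kube.domain.com/" "Mozilla/5.0" 7289 0.004 [kubernetes-dashboard-kubernetes-dashboard-80] [] - - - - aaaa1111
10.244.0.1 - - [04/Jun/2020:09:29:43 +0000] "GET /oauth2/auth HTTP/1.1" 400 636 "https://kube.domain.com/" "Mozilla/5.0" 764 0.000 [] [] - - - - aaaa1111
2020/06/04 09:29:43 [error] 111#111: *22038 auth request unexpected status: 400 while sending to client
10.244.0.1 - - [04/Jun/2020:09:29:50 +0000] "GET / HTTP/2.0" 302 138 "-" "Mozilla/5.0" 30 0.002 [kubernetes-dashboard-kubernetes-dashboard-80] [] - - - - bbbb2222
10.244.0.1 - - [04/Jun/2020:09:29:50 +0000] "GET /oauth2/auth HTTP/1.1" 401 13 "-" "Mozilla/5.0" 310 0.001 [] [] - - - - bbbb2222
10.244.0.1 - - [04/Jun/2020:09:30:02 +0000] "GET / HTTP/2.0" 200 1250 "-" "Mozilla/5.0" 7300 0.010 [kubernetes-dashboard-kubernetes-dashboard-80] [] - - - - cccc3333
10.244.0.1 - - [04/Jun/2020:09:30:02 +0000] "GET /oauth2/auth HTTP/1.1" 202 0 "-" "Mozilla/5.0" 7310 0.003 [] [] - - - - cccc3333
"""

# Access-log line: client, user, time, "METHOD PATH PROTO", status, ..., request ID.
LINE = re.compile(
    r'^\S+ - \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) .* (?P<req_id>\S+)$'
)

def classify(auth_status):
    """How auth_request interprets the subrequest's status code."""
    if 200 <= auth_status < 300:
        return "allowed"
    if auth_status in (401, 403):
        return "denied"
    return "error"  # anything else fails closed; the client gets a 500

def find_auth_errors(log_text, auth_path="/oauth2/auth"):
    """Return client requests whose auth subrequest ended in an error status."""
    by_id = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # error-log lines and anything else that is not an access line
        kind = "auth" if m["path"].split("?")[0] == auth_path else "client"
        by_id[m["req_id"]][kind] = (m["path"], int(m["status"]))
    findings = []
    for req_id, parts in by_id.items():
        if "auth" in parts and "client" in parts:
            if classify(parts["auth"][1]) == "error":
                findings.append({"req_id": req_id, "path": parts["client"][0],
                                 "client_status": parts["client"][1],
                                 "auth_status": parts["auth"][1]})
    return findings

if __name__ == "__main__":
    for finding in find_auth_errors(SAMPLE):
        print(finding)
```
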

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 21

Most upvoted comments

Hi, the case got cancelled because I went on holiday. I will re-open the case soon and let you know 😃

@andloh - I have the same question 😃, Did you get anything useful back from your case with MS for the integration with the managed-aad ?