Hi all,
I use the Helm chart kubernetes/ingress-nginx.
My request: an ingress rule to expose my app:
- Allow access from my IP
- If the request does not come from my IP, force the client to authenticate; allow on success, deny on failure.
I followed these docs:
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#whitelist-source-range
https://kubernetes.github.io/ingress-nginx/examples/auth/basic/
This is my YAML:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: simple-frontend-ingress-tls
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/issuer: letsencrypt-prod
    cert-manager.io/acme-challenge-type: http01
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/satisfy: "any"
    nginx.ingress.kubernetes.io/whitelist-source-range: "my IP/32"
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
spec:
  tls:
  - hosts:
    - app.mydomain.com
    secretName: my-tls-prod
  rules:
  - host: app.mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-frontend-service
            port:
              number: 80
kubectl describe ing simple-frontend-ingress-tls
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name:             simple-frontend-ingress-tls
Namespace:
Address:
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
TLS:
  my-tls-prod terminates app.mydomain.com
Rules:
  Host              Path  Backends
  ----              ----  --------
  app.mydomain.com
                    /   web-frontend-service:80 (10.240.0.85:80)
Annotations:        cert-manager.io/acme-challenge-type: http01
                    cert-manager.io/issuer: letsencrypt-prod
                    kubernetes.io/ingress.class: nginx
                    nginx.ingress.kubernetes.io/auth-realm: Authentication Required
                    nginx.ingress.kubernetes.io/auth-secret: basic-auth
                    nginx.ingress.kubernetes.io/auth-type: basic
                    nginx.ingress.kubernetes.io/force-ssl-redirect: true
                    nginx.ingress.kubernetes.io/satisfy: any
                    nginx.ingress.kubernetes.io/whitelist-source-range: my IP/32
Events:
  Type    Reason             Age                From                      Message
  ----    ------             ----               ----                      -------
  Normal  CreateCertificate  43m                cert-manager              Successfully created Certificate "my-tls-prod"
  Normal  Sync               43m (x2 over 44m)  nginx-ingress-controller  Scheduled for sync
I even checked /etc/nginx/nginx.conf in the ingress controller pod to make sure:
...
## start server app.mydomain.com
server {
    server_name app.mydomain.com ;
    ...
    allow my IP/32;
    deny all;
    auth_basic "Authentication Required";
    auth_basic_user_file /etc/ingress-controller/auth/zzz-a0cd0d6c-446f-42da-81a8-d079af3baed3-679c7ee6-f533-448f-8329-c5d8654a4d99.passwd;
    satisfy any;
    ...
But it doesn't work: requests from anywhere, including my IP, are asked for authentication.
Where should I look to troubleshoot it? Please let me know if you need more information.
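
As an added example (not part of the original post): with `satisfy any`, nginx skips basic auth only when the client address it evaluates matches an `allow` rule, so the address recorded on each 401 line of the controller's access log is the one that was compared against the whitelist. The log lines, the address `203.0.113.10` standing in for "my IP", and the function names are constructed for illustration, and the parser assumes the controller's default access-log layout, whose first field is the client address.

```python
import ipaddress
import re

# Constructed sample lines (default ingress-nginx access-log layout assumed).
# 203.0.113.10 stands in for "my IP"; 10.240.0.4 is a made-up internal address.
SAMPLE_LOG = '''\
203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/2.0" 200 612 "-" "curl/8.0" 35 0.004 [default-web-frontend-service-80] [] 10.240.0.85:80 612 0.004 200 aaa111
10.240.0.4 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/2.0" 401 172 "-" "curl/8.0" 35 0.000 [default-web-frontend-service-80] [] - - - - bbb222
10.240.0.4 - alice [01/Jan/2024:10:00:09 +0000] "GET / HTTP/2.0" 200 612 "-" "curl/8.0" 60 0.005 [default-web-frontend-service-80] [] 10.240.0.85:80 612 0.005 200 ccc333
'''

# client address, remote user, [time], "request", status
LINE_RE = re.compile(r'^(?P<addr>\S+) - \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) ')


def in_whitelist(addr, allow_cidrs):
    """True if addr falls inside any CIDR from whitelist-source-range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in allow_cidrs)


def satisfy_any(addr, allow_cidrs, credentials_valid):
    """Model of: allow <cidrs>; deny all; auth_basic ...; satisfy any;"""
    if in_whitelist(addr, allow_cidrs):
        return "allow"                  # address check passed, auth skipped
    return "allow" if credentials_valid else "401"


def addresses_nginx_evaluated(log_text, allow_cidrs):
    """Per log line: (client address seen by nginx, status, matched whitelist?)."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["addr"], m["status"],
                         in_whitelist(m["addr"], allow_cidrs)))
    return rows


if __name__ == "__main__":
    for addr, status, matched in addresses_nginx_evaluated(SAMPLE_LOG, ["203.0.113.10/32"]):
        print(f"{addr:15} status={status} whitelist_match={matched}")
```

A 401 line whose first field is not the address you expected means the whitelist was compared against that logged address rather than the one in `whitelist-source-range`.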