Secret in ingress snippet

data-smith · December 12, 2019, 5:55pm

Has anyone setup an ingress yml file to use a secret? I authenticate using a client cert but then I need to authenticate to Kibana using basic authentication. (fyi - i send the client cert info as run_user_as in a different header). So instead of hard coding the Authorization part i’d like to grab the username and password from a cert. Has anyone been able to make this work?

Specifically i’m sending to Kibana the Authentication header:

nginx.ingress.kubernetes..io/configuration-snippet: |
   proxy_set_header Authorization 'Basic @#$@$@#$@#@#';

What i’d like is:

nginx.ingress.kubernetes..io/configuration-snippet: |
   proxy_set_header Authentication <some value from a secret>

aledbf · December 13, 2019, 3:15am

Please check https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#authentication

data-smith · December 13, 2019, 1:36pm

Thanks for the suggestion but I believe this is if I want basic authentication with nginx. I already have a setup for authentication using client certificates. What I need is to pass basic authentication to Kibana and that username password won’t be passed in from the user - it must be configured somewhere. And the only way I see configuring that is hardcoding it in a snippet.

Jc2k · January 25, 2021, 3:26pm

Did you ever find a workaround for this @data-smith? I’m in the same boat - using elastic’s impersonation feature so the proxy needs to provide an authorization header and that can’t come from the client.

data-smith · January 26, 2021, 1:46pm

No. If I have time I’ll try maybe using an environment variable somehow.

Jc2k · January 26, 2021, 2:00pm

I’m in the process of trying something ugly:

Added a secret with this fragment in as a ‘.conf’ file:

proxy_set_header Authentication <some value from a secret>

Reconfigure the nginx deployment to mount it
Still use a config snippet annotation, but now its an nginx include statement to reference the .conf in the secret.

This is awful because the controller’s deployment has to be adjusted, it’s not self contained on the ingress, but i can’t see how else you could do it.

data-smith · January 26, 2021, 10:07pm

Patching as part of the update might be better:

github.com

kubernetes-sigs/kustomize/blob/master/examples/jsonpatch.md

# JSON Patching

[JSON patches]: https://tools.ietf.org/html/rfc6902
[JSON patch]: https://tools.ietf.org/html/rfc6902

A kustomization file supports customizing
resources via [JSON patches].

Make a place to work:

<!-- @placeToWork @testAgainstLatestRelease -->
```
DEMO_HOME=$(mktemp -d)
```

We'll be editting an `Ingress` object:

<!-- @ingress @testAgainstLatestRelease -->
```
cat <<EOF >$DEMO_HOME/ingress.yaml

This file has been truncated. show original

Topic		Replies	Views
Authentification before connecting in Kibana with Kubernetes and Ingress General Discussions	0	1394	April 29, 2019
[Security Advisory] CVE-2021-25742: Ingress-nginx custom snippets allows retrieval of ingress-nginx serviceaccount token and secrets across all namespaces Announcements	0	1552	October 21, 2021
[Ingress-nginx Security Advisory] CVE-2023-5044: Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation Announcements	0	503	October 25, 2023
How to use ingress-nginx with secure backend? General Discussions	6	26900	February 4, 2024
Nginx ingress - Combining Basic Authentication with Access Restriction by IP Address General Discussions	3	5187	July 19, 2021

Secret in ingress snippet

Related Topics