v1.12.0 seemingly breaks ingresses with auth snippets #12655

Closed
craigcabrey opened this issue Jan 10, 2025 · 4 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@craigcabrey

What happened:

Upgrade to v1.12.0 using Helm chart 4.12.0 (I do this using Argo if it matters). Many ingresses which make use of a forward auth seem to break with a 404.

What you expected to happen:

Existing ingresses continue to function as expected.

NGINX Ingress controller version (exec into the pod and run /nginx-ingress-controller --version):

before (working):

```
internal-ingress-nginx-controller-6d5597c8dc-2q2dv:/etc/nginx$ /nginx-ingress-controller --version
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.11.4
  Build:         ba0f2ee37f032c9f11967b74862c60a43ed59b36
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.25.5

-------------------------------------------------------------------------------
```

after (broken):

```
internal-ingress-nginx-controller-6bd59b7898-zgrs4:/etc/nginx$ /nginx-ingress-controller --version
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.12.0
  Build:         ba73b2c24d355f1cdcf4b31ef7c5574059f12118
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.25.5

-------------------------------------------------------------------------------
```

Ingress with auth snippets applied (e.g. for Authentik integration):

```yaml
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
    nginx.ingress.kubernetes.io/auth-signin: https://auth.[snip]/outpost.goauthentik.io/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
```

Kubernetes version (use kubectl version): v1.29.12+k3s1

Environment:

  • Cloud provider or hardware configuration: Self hosted homelab

  • OS (e.g. from /etc/os-release): Fedora CoreOS 41.20241109.3.0

  • Kernel (e.g. uname -a): 6.11.6-300.fc41.x86_64

  • Install tools:

    • Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.
  • Basic cluster related info:

    • kubectl version
    • kubectl get nodes -o wide
  • How was the ingress-nginx-controller installed: Helm via Argo (not sure how to get the full release out of argo)

  • Current State of the controller:

    • kubectl describe ingressclasses
    • kubectl -n <ingresscontrollernamespace> get all -A -o wide
    • kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
    • kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
```
Name:         external
Labels:       app.kubernetes.io/component=controller
              app.kubernetes.io/instance=external
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=ingress-nginx
              app.kubernetes.io/part-of=ingress-nginx
              app.kubernetes.io/version=1.11.3
              argocd.argoproj.io/instance=external-ingress
              helm.sh/chart=ingress-nginx-4.11.3
Annotations:  <none>
Controller:   k8s.io/external-ingress-nginx
Events:       <none>


Name:         internal
Labels:       app.kubernetes.io/component=controller
              app.kubernetes.io/instance=internal
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=ingress-nginx
              app.kubernetes.io/part-of=ingress-nginx
              app.kubernetes.io/version=1.12.0
              argocd.argoproj.io/instance=internal-ingress
              helm.sh/chart=ingress-nginx-4.12.0
Annotations:  ingressclass.kubernetes.io/is-default-class: true
Controller:   k8s.io/internal-ingress-nginx
Events:       <none>
```

Logs show it sees the ingress:

```
I0110 05:00:54.802592       7 store.go:440] "Found valid IngressClass" ingress="teslamate/prod-teslamate" ingressclass="internal"
I0110 05:00:54.802724       7 event.go:377] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"teslamate", Name:"prod-teslamate", UID:"f3ecd5ad-fa14-4a8e-808b-ebd93978f530", APIVersion:"networking.k8s.io/v1", ResourceVersion:"145859890", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
I0110 05:00:54.802799       7 backend_ssl.go:67] "Adding secret to local store" name="teslamate/teslamate.[snip]-prod-tls"
```

Anything else we need to know:

Reliably reproducible. No difference in Helm chart versions, I isolated it down to the v1.12.0 image of the nginx controller causing the unexpected behavior.

Ingresses without auth snippets function as expected.

@craigcabrey craigcabrey added the kind/bug Categorizes issue or PR as related to a bug. label Jan 10, 2025
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jan 10, 2025
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@abhiverma001

abhiverma001 commented Jan 10, 2025

@craigcabrey I also faced the same issue. For this issue, now we need to set `controller.config.annotations-risk-level: Critical` in order to use snippets due to breaking changes in a minor version bump.

The "risk" list is here: Annotations Risks - Ingress-Nginx Controller
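A pre-upgrade check for the behaviour described in this comment, added here as an example (not code from the ingress-nginx project or from any commenter): it lists Ingresses whose annotations exceed a given `annotations-risk-level`. The risk table covers only the snippet annotations; that table, the default prefix `nginx.ingress.kubernetes.io/` and the `High` threshold are assumptions to confirm against the linked risk list, and the sample input is constructed.

```python
# Risk ordering for the controller's annotations-risk-level setting.
RISK_ORDER = ["Low", "Medium", "High", "Critical"]
PREFIX = "nginx.ingress.kubernetes.io/"  # assumption: default annotation prefix

# Assumption: only the snippet annotations are listed, all rated Critical.
# Anything not listed is treated as Low, so extend this from the risk list.
ANNOTATION_RISK = {
    "auth-snippet": "Critical",
    "configuration-snippet": "Critical",
    "server-snippet": "Critical",
    "stream-snippet": "Critical",
    "modsecurity-snippet": "Critical",
}


def blocked_ingresses(ingress_list, risk_level="High"):
    """Return [(namespace/name, [annotation keys])] exceeding risk_level."""
    limit = RISK_ORDER.index(risk_level)
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        over = sorted(
            key for key in (meta.get("annotations") or {})
            if key.startswith(PREFIX)
            and RISK_ORDER.index(ANNOTATION_RISK.get(key[len(PREFIX):], "Low")) > limit
        )
        if over:
            name = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
            findings.append((name, over))
    return findings


# Constructed sample, shaped like `kubectl get ingress -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "teslamate", "name": "prod-teslamate", "annotations": {
        PREFIX + "auth-url": "http://outpost.example.internal:9000/auth/nginx",
        PREFIX + "auth-snippet": "proxy_set_header X-Forwarded-Host $http_host;\n",
    }}},
    {"metadata": {"namespace": "demo", "name": "plain", "annotations": {
        "cert-manager.io/cluster-issuer": "letsencrypt-prod",
    }}},
]}

if __name__ == "__main__":
    for level in ("High", "Critical"):
        print(level, blocked_ingresses(SAMPLE, level))
```

Setting the level to `Critical` admits snippet annotations from every Ingress the controller serves, so the same report doubles as an inventory of what that setting re-enables.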

@Socolin

Socolin commented Jan 10, 2025

I got the same problem, invalid TLS certificate after upgrading

> @craigcabrey I also faced the same issue. For this issue, now we need to set `controller.config.annotations-risk-level: Critical` in order to use snippets due to breaking changes in a minor version bump.

This fixed the problem, thanks!

I was not expecting a breaking change on minor version bump too.

@craigcabrey
Author

Thanks, can confirm this also works for me. I'll leave this open for the maintainers to decide what to do with it.


5 participants