Kubernetes Nginx Ingress Oauth question

[sonamsamdupkhangsar]

I am not sure if this is the right place to ask this question but I was curious if you have any ideas about securing an ingress with oauth.

I have followed your tutorials on setting up Nginx Ingress controller with widlcard certificates for subdomains.

I am trying to secure my echo.mydomain.com using Oauth with Github application.
I am following this example from Nginx documentation for external authentication .

I have the following in my 'ingress-echo.yaml':

    nginx.ingress.kubernetes.io/auth-url: "https://echo.sonam.cloud/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "http://echo.sonam.cloud/oauth2/start?rd=$escaped_request_uri"   

When I open echo.sonam.cloud I see 500 errors. It seems like it doesn't like external https or http endpoints outside of my k8 cluster. Not sure if you have any ideas.

Thanks

[sonamsamdupkhangsar]

Not sure but I am wondering if the issue has already been discussed here with regards to this perhaps? Nginx Ingress service

[v-ctiutiu]

Hi @sonamsamdupkhangsar, let me take a look at this and get back to you. Thanks.

[v-ctiutiu]

@sonamsamdupkhangsar

Ok, I managed to make it work by following the official example. Initially, I was hit by the same issue as yours. Then, I checked the oauth2 application deployment. I noticed that the main application Pod was in a CrashLoopBackOff state.

kubectl get pods -l  k8s-app=oauth2-proxy -A

The output looks similar to:

NAMESPACE     NAME                            READY   STATUS             RESTARTS   AGE
kube-system   oauth2-proxy-56466567bd-b9qfq   0/1     CrashLoopBackOff   7          14m

So basically, the oauth2 backend wasn't working at all. Looking at the main application logs (kubectl logs -l k8s-app=oauth2-proxy -n kube-system) I noticed the following error message:

[2022/02/21 08:02:25] [main.go:54] invalid configuration:
  cookie_secret must be 16, 24, or 32 bytes to create an AES cipher, but is 85 bytes

Going further, I figured out that I set the OAUTH2_PROXY_COOKIE_SECRET environment variable value wrong. Somehow I misunderstood the explanation from the official documentation, meaning the following part (notice the bold text):

• OAUTH2_PROXY_COOKIE_SECRET with value of python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("ascii"))'

You cannot put a piece of executable code in an environment variable from a YAML manifest, and expect for the underlying application to execute it, no ? Going a little bit off topic here - this is a big security risk in general, because we don't want to let users to have the flexibility to execute arbitrary code via environment variables.

So, I went back and ran that piece of python code in my terminal:

python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("ascii"))'

Note:

The oauth2 application error code was stating that the AES cypher length is 85 bytes, which is actually the length of the python code snippet provided in the documentation page.

Then, I pasted the result in the OAUTH2_PROXY_COOKIE_SECRET environment variable. Next, I applied the changes to the oauht2-proxy K8S deployment, and the oauth2 application started to work.

Went back to the web browser, and when I entered the echo application URL I was redirected to the GitHub OAuth page. After successfully logging in, the echo application response was printed to the screen.

Please let me know how it goes, and if this is the same issue you are facing.

Thanks.

[v-ctiutiu]

Just to be on the same page, here is my echo host ingress configured to use GitHub OAuth, as well as a wildcard TLS certificate:

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-echo
  namespace: backend
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://echo.starter-kit.online/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://echo.starter-kit.online/oauth2/start?rd=$escaped_request_uri"
spec:
  tls:
    - hosts:
        - "*.starter-kit.online"
      secretName: starter-kit.online
  rules:
    - host: echo.starter-kit.online
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: echo
                port:
                  number: 8080
  ingressClassName: nginx

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: kube-system
spec:
  ingressClassName: nginx
  rules:
    - host: echo.starter-kit.online
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
  tls:
    - hosts:
        - "*.starter-kit.online"
      secretName: starter-kit.online

[sonamsamdupkhangsar]

Hi @v-ctiutiu
Thanks so much for replying. I got it working after updating my subdomain name in the Ingress oauth2-proxy based on what you have shown above.

However, I had to update my Ingress Nginx to get this working by doing a upgrade with my new nginx-values-v4.0.17.yaml values with the following annotation (mydomain is my domain name to replaced):

      service.beta.kubernetes.io/do-loadbalancer-hostname: "www.mydomain.cloud". 

My Nginx Ingress values has the following contents now:

## Starter Kit nginx configuration
## Ref: https://github.com/kubernetes/ingress-nginx/tree/helm-chart-4.0.13/charts/ingress-nginx
##

controller:
  replicaCount: 2
  resources:
    requests:
      cpu: 100m
      memory: 90Mi
  service:
    type: LoadBalancer
    annotations:
      # Enable proxy protocol
      service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
  #     # Specify whether the DigitalOcean Load Balancer should pass encrypted data to backend droplets
      service.beta.kubernetes.io/do-loadbalancer-tls-passthrough: "true"
  #     # You can keep your existing LB when migrating to a new DOKS cluster, or when reinstalling AES
      kubernetes.digitalocean.com/load-balancer-id: "<PUT MY LOAD BALANCER ID>"
  #     service.kubernetes.io/do-loadbalancer-disown: false
      service.beta.kubernetes.io/do-loadbalancer-hostname: "www.mydomain.cloud"

  ## See https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ for notes on enabling and using sysctls
  # sysctls:
  #   "sys.fs.file-max": "1048576"
  #   "net.core.somaxconn": "32768"
  #   "net.ipv4.ip_local_port_range": "1024 65000"

  ## Will add custom configuration options to Nginx https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
  config:
    use-proxy-protocol: "true"
  #   keep-alive-requests: "10000"
  #   upstream-keepalive-requests: "1000"
  #   worker-processes: "auto"
  #   max-worker-connections: "65535"
  #   use-gzip: "true"
  # Enable the metrics of the NGINX Ingress controller https://kubernetes.github.io/ingress-nginx/user-guide/monitoring/
  metrics:
    enabled: true
  podAnnotations:
    controller:
      metrics:
        service:
          servicePort: "9090"
    prometheus.io/port: "10254"
    prometheus.io/scrape: "true"

Did you have to add that annotation too?

thanks
-Sonam

[v-ctiutiu]

Hi @sonamsamdupkhangsar,

Yes, I had to add the service.beta.kubernetes.io/do-loadbalancer-hostname: "mydomain.cloud" annotation, to make it work (by the way, you don't need to prefix the domain name with www).

Initially, it worked for me because I didn't use the proxy protocol feature. But, after enabling proxy protocol, I started to receive 500 errors just as you did.

Explanations for why that special annotation is needed can be found here, and here.

Quoting the official explanation:

Because of an existing limitation in upstream Kubernetes, pods cannot talk to other pods via the IP address of an external load-balancer set up through a LoadBalancer-typed service.

In your case (and mine as well), it's a broken communication between the two main Pods that are implied in the transaction: echo and oauth2-proxy.

If you take a look at the logs of one of the Nginx ingress controller Pods, you will notice this part:

2022/02/22 07:50:58 [error] 576#576: *2317034 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream, client: 95.76.17.212, server: echo.starter-kit.online, request: "GET / HTTP/2.0", subrequest: "/_external-auth-Lw-Prefix", upstream: "https://159.65.210.145:443/oauth2/auth", host: "echo.starter-kit.online"
95.76.17.212 - - [22/Feb/2022:07:50:58 +0000] "GET / HTTP/2.0" 502 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36" 0 0.007 [backend-echo-8080] [] 159.65.210.145:443 0 0.004 502 e0a068e4bf28150e5f9edf3acadabaf7
2022/02/22 07:50:58 [error] 576#576: *2317034 auth request unexpected status: 502 while sending to client, client: 95.76.17.212, server: echo.starter-kit.online, request: "GET / HTTP/2.0", host: "echo.starter-kit.online"
95.76.17.212 - - [22/Feb/2022:07:50:58 +0000] "GET / HTTP/2.0" 500 572 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36" 18 0.007 [backend-echo-8080] [] - - - - e0a068e4bf28150e5f9edf3acadabaf7
2022/02/22 07:50:59 [error] 576#576: *2317775 broken header: "??p9Em?q?5#??VZ?A
                                                                               >MhQD?Z???8?,?0?̨̩̪?+?/??$?(k?#?'g?
?9?	?3??=<5/?x" while reading PROXY protocol, client: 169.254.42.1, server: 0.0.0.0:443
2022/02/22 07:50:59 [error] 576#576: *2317034 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking to upstream, client: 95.76.17.212, server: echo.starter-kit.online, request: "GET /favicon.ico HTTP/2.0", subrequest: "/_external-auth-Lw-Prefix", upstream: "https://159.65.210.145:443/oauth2/auth", host: "echo.starter-kit.online", referrer: "https://echo.starter-kit.online/"
2022/02/22 07:50:59 [error] 576#576: *2317034 auth request unexpected status: 502 while sending to client, client: 95.76.17.212, server: echo.starter-kit.online, request: "GET /favicon.ico HTTP/2.0", host: "echo.starter-kit.online", referrer: "https://echo.starter-kit.online/"

Dissecting the above, you will notice this part:

request: "GET / HTTP/2.0", subrequest: "/_external-auth-Lw-Prefix", upstream: "https://159.65.210.145:443/oauth2/auth", host: "echo.starter-kit.online"

You can clearly see that the Pods try to communicate over the external LB IP address (in my case it's 159.65.210.145), hence the issue.

The SSL handshake issue can be noticed below, where we got some broken headers:

2022/02/22 07:50:59 [error] 576#576: *2317775 broken header: "??p9Em?q?5#??VZ?A
                                                                               >MhQD?Z???8?,?0?̨̩̪?+?/??$?(k?#?'g?
?9?	?3??=<5/?x" while reading PROXY protocol, client: 169.254.42.1, server: 0.0.0.0:443

Hope it helps.

[sonamsamdupkhangsar]

Thank you @v-ctiutiu for the helpful clarification.