ingress-nginx
No logs or errors for invalid nginx.ingress.kubernetes.io/auth-tls-secret
What happened:
The Ingress had an annotation with the wrong secret name. Example: nginx.ingress.kubernetes.io/auth-tls-secret: wrongNamespace/wrongSecretName
The NGINX pod still reloads successfully and all traffic errors out with 403, regardless of whether nginx.ingress.kubernetes.io/auth-tls-verify-client is off.
It shows: "Backend successfully reloaded" in the log file.
What you expected to happen:
- Error log or error ingress event to be generated, making it clear the secret could not be found/opened, etc.
- If the auth-tls-verify-client is off, nothing would happen and that should be ignored.
NGINX Ingress controller version (exec into the pod and run /nginx-ingress-controller --version):
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.12.1
  Build:         51c2b819690bbf1709b844dbf321a9acf6eda5a7
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.25.5
-------------------------------------------------------------------------------
Kubernetes version
Server Version: v1.31.7-eks
Environment:
- Cloud provider or hardware configuration: AWS
- How was the ingress-nginx-controller installed: Helm. Chart 4.12.1
- Current state of ingress object, if applicable: These annotations are being used:
nginx.ingress.kubernetes.io/auth-tls-match-cn: <redacted>
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: true
nginx.ingress.kubernetes.io/auth-tls-secret: wrongNamespace/wrongSecretName
nginx.ingress.kubernetes.io/auth-tls-verify-client: off
nginx.ingress.kubernetes.io/auth-tls-verify-depth: 3
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/ssl-passthrough: false
When running curl, I get a 403 back. If I remove the annotation nginx.ingress.kubernetes.io/auth-tls-secret: wrongNamespace/wrongSecretName, then I get a 200.
How to reproduce this issue: add the annotation to any ingress nginx.ingress.kubernetes.io/auth-tls-secret: wrongNamespace/wrongSecretName
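
Because the controller reports "Backend successfully reloaded" in this situation, the dangling reference has to be caught outside the controller. The following check is an added example, not part of the original issue or of the ingress-nginx code base. It takes the parsed output of `kubectl get ingress -A -o json` and `kubectl get secrets -A -o json` and lists every `auth-tls-secret` annotation that does not resolve. The `ca.crt` key check follows the ingress-nginx documentation for this annotation; the function name and the sample objects are constructed for illustration.

```python
ANNOTATION = "nginx.ingress.kubernetes.io/auth-tls-secret"

def find_broken_auth_tls_refs(ingresses, secrets):
    """Return (ingress, reference, reason) for each auth-tls-secret that cannot resolve."""
    # Index secrets as "namespace/name" -> set of data keys (values are never inspected).
    known = {
        f"{s['metadata']['namespace']}/{s['metadata']['name']}": set(s.get("data") or {})
        for s in secrets.get("items", [])
    }
    findings = []
    for ing in ingresses.get("items", []):
        meta = ing["metadata"]
        ref = (meta.get("annotations") or {}).get(ANNOTATION)
        if ref is None:
            continue  # Ingress does not use client-certificate authentication
        ing_id = f"{meta['namespace']}/{meta['name']}"
        if ref.count("/") != 1 or not all(ref.split("/")):
            findings.append((ing_id, ref, "not in namespace/secretName form"))
        elif ref not in known:
            findings.append((ing_id, ref, "secret not found"))
        elif "ca.crt" not in known[ref]:
            findings.append((ing_id, ref, "secret has no ca.crt key"))
    return findings

def _ing(name, ref=None):
    """Build a minimal constructed Ingress object for the sample below."""
    annotations = {ANNOTATION: ref} if ref else {}
    return {"metadata": {"namespace": "app", "name": name, "annotations": annotations}}

# Constructed sample data; only the first reference is taken from the issue.
SAMPLE_INGRESSES = {"items": [
    _ing("api", "wrongNamespace/wrongSecretName"),
    _ing("web", "app/client-ca"),
    _ing("legacy", "client-ca"),
    _ing("partial", "app/tls-only"),
    _ing("plain"),
]}
SAMPLE_SECRETS = {"items": [
    {"metadata": {"namespace": "app", "name": "client-ca"}, "data": {"ca.crt": "<base64>"}},
    {"metadata": {"namespace": "app", "name": "tls-only"},
     "data": {"tls.crt": "<base64>", "tls.key": "<base64>"}},
]}

if __name__ == "__main__":
    for ingress, ref, reason in find_broken_auth_tls_refs(SAMPLE_INGRESSES, SAMPLE_SECRETS):
        print(f"{ingress}: {ANNOTATION}={ref!r}: {reason}")
```

Run against a live cluster, the check needs read access to Secrets in every referenced namespace, so it fits a CI or admission step that already holds that permission.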