
Support Kubernetes Secrets as a source for configuration

Open fsilvani92 opened this issue 3 years ago • 3 comments

I am currently trying to set an Authorization header. The contents of this header should probably be stored in a kubernetes secret. For some configuration items like tls-certs, the api provides specific annotations that read secrets, but I wouldn't expect an implementation like this for every possible annotation, especially because the configuration I want to set "proxy_set_header" is not yet supported as an annotation.

Instead, I think a nice, generic approach, that would also solve the issue for every other possible security sensitive configuration, would be to read the content of a secret using an annotation referencing it.

Example API:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-translating-basic-auth-to-a-static-account
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: my-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication'
    nginx.ingress.kubernetes.io/configuration-snippet-secret: my-secret-config

Using a secret created like kubectl create secret generic my-secret-config "--from-literal=data=proxy_set_header \"Authorization\" \"Bearer SECRET\"" --dry-run -o yaml

apiVersion: v1
data:
  data: cHJveHlfc2V0X2hlYWRlciAiQXV0aG9yaXphdGlvbiIgIkJlYXJlciBTRUNSRVQi
kind: Secret
metadata:
  creationTimestamp: null
  name: my-secret-config

See Also: Other people who have a similar problem: https://discuss.kubernetes.io/t/secret-in-ingress-snippet/8991

Other Implementation Ideas

ConfigMaps

I have seen that there is a way to use ConfigMaps to configure nginx and for me, it feels like there is another way to do this using these and referencing a Secret from a ConfigMap. But I also have not yet understood how to link a configuration to a specific Ingress resource, especially across namespaces. Nevertheless, as I understand it, the configuration-snippet is more powerful, so it is probably the more flexible solution anyway.

Secret Variables

Another alternative would be to create an annotation that reads some variables from a secret and makes them available in the config environment. That would be more convenient, allowing only the sensitive data to be trapped in the secret, allowing the secret to be shared with other resources and making the secret available in other kinds of snippets, but I imagine this is vastly harder to implement, if it is even possible.

Example API:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-translating-basic-auth-to-a-static-account
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: my-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication'
    nginx.ingress.kubernetes.io/configuration-snippet: 'proxy_set_header "Authorization" "Bearer $custom_secret"'
    nginx.ingress.kubernetes.io/configuration-variables-secret: my-secret-config

Using a secret created like kubectl create secret generic my-secret-config "--from-literal=custom_secret=SECRET" --dry-run -o yaml

apiVersion: v1
data:
  custom_secret: U0VDUkVU
kind: Secret
metadata:
  creationTimestamp: null
  name: my-secret-config

fsilvani92 avatar Apr 08 '22 15:04 fsilvani92
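The "Secret Variables" proposal above, written out as an added example that is not part of ingress-nginx or of the issue: it takes the `data` map of the referenced Secret (base64-encoded, as the API server stores it) and substitutes `$name` references in a `configuration-snippet` with the decoded values. The function name `RenderSnippet` and the delimiter check on substituted values are assumptions of this example, not anything the proposal specifies.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// varRef matches a $name reference; this is the same syntax nginx uses for its own variables.
var varRef = regexp.MustCompile(`\$[A-Za-z_][A-Za-z0-9_]*`)

// RenderSnippet implements the issue's "Secret Variables" proposal: secretData is the
// "data" map of the Secret named in configuration-variables-secret (values base64-encoded),
// and every $name in the snippet whose key exists in that map is replaced by the decoded
// value. References to keys the secret lacks are left untouched so ordinary nginx variables
// such as $remote_addr keep working. Hardening assumption, not part of the proposal: a value
// containing characters that would end the directive or open a new block is rejected rather
// than spliced into the generated nginx.conf.
func RenderSnippet(snippet string, secretData map[string]string) (string, error) {
	var firstErr error
	out := varRef.ReplaceAllStringFunc(snippet, func(ref string) string {
		encoded, ok := secretData[ref[1:]]
		if !ok {
			return ref
		}
		raw, err := base64.StdEncoding.DecodeString(encoded)
		if err != nil {
			firstErr = fmt.Errorf("key %s: %w", ref[1:], err)
			return ref
		}
		val := string(raw)
		if strings.ContainsAny(val, ";{}#\"\n\r") {
			firstErr = fmt.Errorf("key %s: value contains nginx directive delimiters", ref[1:])
			return ref
		}
		return val
	})
	if firstErr != nil {
		return "", firstErr
	}
	return out, nil
}

func main() {
	// Constructed to match the Secret and annotation from the issue.
	data := map[string]string{"custom_secret": "U0VDUkVU"}
	out, err := RenderSnippet(`proxy_set_header "Authorization" "Bearer $custom_secret"`, data)
	fmt.Println(out, err)
}
```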

@fsilvani92: This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Apr 08 '22 15:04 k8s-ci-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Jul 07 '22 16:07 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Aug 06 '22 16:08 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

k8s-triage-robot avatar Sep 05 '22 16:09 k8s-triage-robot

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Sep 05 '22 16:09 k8s-ci-robot

Any movement on this issue?

MonolithicMonk avatar Jul 04 '23 12:07 MonolithicMonk

+1 on this requested functionality

artntek avatar Aug 01 '23 15:08 artntek

+1

SnoozeFreddo avatar Jan 24 '24 07:01 SnoozeFreddo

+1

motmot80 avatar Feb 02 '24 14:02 motmot80