I am using ingress-nginx in my GKE cluster to expose my services. I have 2 different GKE clusters (v1.19.12-gke.2101) that both use ingress-nginx (chart v4.0.6).
On those clusters, I expose some services with an oauth-proxy. It works perfectly on the first cluster, but it doesn't on the second one, which returns a 404 on the path /test/. I have been investigating for a long time without finding what could cause this issue. The main difference I have found is in the nginx.conf file, where the location differs. Here is the difference:
First cluster (working):
location ~* "^/test(/|$)(.*)/" {
Second cluster (not working):
location /test(/|$)(.*)/ {
Here is the ingress used for this line:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "<auth-url>"
    nginx.ingress.kubernetes.io/auth-signin: "<auth-signin>"
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
    kubernetes.io/tls-acme: 'true'
    ingress.kubernetes.io/force-ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/proxy-body-size: 500m
    cert-manager.io/cluster-issuer: "letsencrypt-prod-dns01"
  name: service-oauth
  namespace: default
spec:
  rules:
  - host: "test.com"
    http:
      paths:
      - path: "/test(/|$)(.*)"
        pathType: ImplementationSpecific
        backend:
          service:
            name: test
            port:
              number: 1234
  ingressClassName: nginx
  tls:
  - secretName: test-tls
    hosts:
    - "test.com"
I have checked all my configuration files (ingress, services) without finding any differences. If you have any idea where the problem could come from, let me know.
Thanks for your help.
CodePudding user response:
You are missing the annotation that enables regex, which is:
nginx.ingress.kubernetes.io/use-regex: "true"
You can test if this is the problem by going to the URL:
test.com/test(/|$)(.*)
and check if a different NGINX answers you (oauth proxy) and if NGINX is logging something different (it should log a forward of the request to the right service).
As for why it is working on the first cluster... did you enable regex (or use rewrite-target) for the same host but on another ingress?
I noticed this behaviour as well once... with an ingress without this annotation (and without the rewrite-target annotation as well) working perfectly fine while it shouldn't... and I am quite sure it was because there were other ingresses for the same host which specified the use-regex annotation.
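The ingress-nginx path-matching documentation states that when use-regex is "true" or rewrite-target is set on any Ingress for a host, the case-insensitive regex location modifier is enforced on all paths for that host. The following added example (not part of the original question or answer) models that in simplified form and shows why /test/ resolves on one cluster and not the other; the `other-app` Ingress and its path are constructed for illustration, and the matching model is an assumption that ignores nginx location priority.

```python
import re

USE_REGEX = "nginx.ingress.kubernetes.io/use-regex"
REWRITE_TARGET = "nginx.ingress.kubernetes.io/rewrite-target"

def regex_hosts(ingresses):
    """Hosts on which at least one Ingress switches locations to regex mode."""
    hosts = set()
    for ing in ingresses:
        ann = ing["annotations"]
        if ann.get(USE_REGEX) == "true" or REWRITE_TARGET in ann:
            hosts.update(ing["rules"])  # adds the host names (dict keys)
    return hosts

def location_matches(path, uri, regex):
    """Simplified model: regex mode is `location ~* "^<path>"`, else a literal prefix."""
    if regex:
        return re.match("^" + path, uri, re.IGNORECASE) is not None
    return uri.startswith(path)

def audit(ingresses, uri):
    """Map (ingress name, host, path) -> whether `uri` would reach that path."""
    enabled = regex_hosts(ingresses)
    return {
        (ing["name"], host, path): location_matches(path, uri, host in enabled)
        for ing in ingresses
        for host, paths in ing["rules"].items()
        for path in paths
    }

# Constructed sample data: service-oauth mirrors the Ingress in the question;
# other-app is a hypothetical second Ingress on the same host.
SERVICE_OAUTH = {"name": "service-oauth", "annotations": {},
                 "rules": {"test.com": ["/test(/|$)(.*)"]}}
OTHER_APP = {"name": "other-app", "annotations": {USE_REGEX: "true"},
             "rules": {"test.com": ["/api(/|$)(.*)"]}}
KEY = ("service-oauth", "test.com", "/test(/|$)(.*)")

if __name__ == "__main__":
    for label, cluster in (("with other-app", [SERVICE_OAUTH, OTHER_APP]),
                           ("alone", [SERVICE_OAUTH])):
        print(label, "->", audit(cluster, "/test/")[KEY])
```

In literal mode only a URI that starts with the raw string `/test(/|$)(.*)` matches, which is what the test URL suggested in the answer checks for.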