Can a nested location block created via configuration-snippet inherit from its parent? #4084

Closed
mamccorm opened this issue May 14, 2019 · 7 comments
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@mamccorm

Is this a request for help?
YES

What keywords did you search in NGINX Ingress controller issues before filing this one?
limit_req
configuration-snippet
limit_req configuration-snippet


Is this a BUG REPORT or FEATURE REQUEST?
Support request

NGINX Ingress controller version:
0.24.1

Kubernetes version (use kubectl version):
Client Version: version.Info Major:"1", Minor:"13", GitVersion:"v1.13.3",
Server Version: version.Info Major:"1", Minor:"12+", GitVersion:"v1.12.6-eks-d69f1b"

Environment:

  • Cloud provider or hardware configuration:
    EKS
  • OS (e.g. from /etc/os-release):
    Amazon Linux 2
  • Kernel (e.g. uname -a):
  • Install tools:
  • Others:

What happened:
We are using NGINX as an ingress controller for our k8s cluster. We need to set up rate limiting for a specific URL using 'limit_req'.

We want to do this for a specific pod, and have been looking into using the following to do so:

We have been attempting to use the configuration-snippet to add a custom location block for the '/login' URL. In this location block, we want to set rate limiting, using a zone that's already defined in our http block.

Here is an example:

    annotations:
      nginx.ingress.kubernetes.io/configuration-snippet: |
        location = /login {
          limit_req zone=authentication_ratelimit nodelay;
        }

What you expected to happen:
When applied, this creates a nested location block inside the main location block of the nginx configuration.

However, it appears the nested location block does not inherit the proxy configuration from the parent location block which was automatically created by the ingress-controller.

As a result, when we attempt to access the URL, an HTTP 503 is returned, seemingly due to a lack of upstream proxy configuration in the parent block which isn't being inherited.

Is there a way to apply a rate limit per URL path for a given pod, using the configuration-snippet, without having to duplicate the contents of the parent location block?

@aledbf
Member

aledbf commented May 14, 2019

@marmccor you can create a new ingress just for the path you want to limit and use one of the rate-limiting annotations
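
The approach suggested above, as an added example that is not part of the original comment: a second Ingress for the same host that covers only /login and carries a rate-limiting annotation, so the controller generates both the proxy configuration and the limit for that location. The resource name, namespace, host, Service name and port, and the limit value are assumptions.

```yaml
# Added example; every value marked "assumed" is not from the issue.
apiVersion: extensions/v1beta1        # Ingress API group in use with Kubernetes 1.12
kind: Ingress
metadata:
  name: login-ratelimit               # assumed name
  namespace: default                  # assumed; use the namespace of the existing Ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    # Requests accepted per second from a single client IP (assumed value).
    # The controller creates its own limit_req zone for this Ingress; it does
    # not reuse the hand-written authentication_ratelimit zone from the http block.
    nginx.ingress.kubernetes.io/limit-rps: "5"
spec:
  rules:
  - host: app.example.com             # assumed; must match the host of the main Ingress
    http:
      paths:
      # Rendered by this controller version as a prefix location, not the
      # exact match "location = /login" used in the snippet above.
      - path: /login
        backend:
          serviceName: app            # assumed; same Service the main Ingress routes to
          servicePort: 80             # assumed
```

The main Ingress keeps its `/` path and no longer needs the configuration-snippet; nginx selects the longer `/login` prefix for login requests and applies the limit there.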

@duhang

duhang commented May 16, 2019

I also hit this nested location 503 puzzle when upgrading from 0.17 to 0.24.1.

We used "nginx.ingress.kubernetes.io/configuration-snippet" to add

  1. /api/health endpoint for healthchecking with basic_auth off
  2. /api endpoint for api-key based authentication.

This works fine on 0.17 (NGINX 1.13), but we get a 503 with anything in 0.18~0.24.1 (NGINX 1.15). Not sure what changed in NGINX.

Does it mean that we now have to create 2 new ingresses for /api, and /api/health?

My ingress rule is here, which was simple and working.

  Host                                                Path  Backends
  ----                                                ----  --------
  grafana.duhang.com
                                                      /   grafana.duhang.com:3000 (10.244.11.4:3000)
Annotations:
  nginx.ingress.kubernetes.io/proxy-body-size:        6M
  nginx.ingress.kubernetes.io/auth-realm:             duhang.com auth
  nginx.ingress.kubernetes.io/auth-secret:            duhang-basicauth
  nginx.ingress.kubernetes.io/auth-type:              basic
  nginx.ingress.kubernetes.io/configuration-snippet:  |
location /api/health {
   auth_basic off;
   auth_request off;
   proxy_pass  http://grafana.duhang.svc.cluster.local:3000/api/health;
}
location /api {
  auth_basic off;
  auth_request off;
  proxy_set_header Authorization $http_authorization;
  proxy_pass_header  Authorization;
  proxy_pass  http://grafana.duhang.svc.cluster.local:3000/api;
}

@duhang

duhang commented May 16, 2019

We have confirmed that everything else works perfectly on 0.24.1 except this nested location in a configuration snippet.

Also, I found a nice blog talking about NGINX directive inheritance details.

http://blog.martinfjordvald.com/2012/08/understanding-the-nginx-configuration-inheritance-model

@kevinsimper
Contributor

kevinsimper commented May 17, 2019

@duhang omg, I have just tried getting this nested location in a configuration snippet to work 😂

Should the docs be updated with a note about it?

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot added the lifecycle/stale label Aug 15, 2019

@kevinsimper
Contributor

The docs got updated here, saying that it is not possible :) #4084

/close

@k8s-ci-robot
Contributor

@kevinsimper: Closing this issue.

In response to this:

The docs got updated here, saying that it is not possible :) #4084

/close

