error reading BasicDigestAuth annotation in Ingress <ns>/<ingress> #5323

Closed
zeph opened this issue Apr 3, 2020 · 20 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@zeph

zeph commented Apr 3, 2020

I just copy pasted through https://kubernetes.github.io/ingress-nginx/examples/auth/basic/
E0403 13:01:51.116636 8 annotations.go:200] error reading BasicDigestAuth annotation in Ingress <ns>/<ingress>: unexpected error reading secret <ns>/<secret>: no object matching key "<ns>/<secret>" in local store

I have Ingress Controller 0.27.1 and kubernetes:

Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.0", GitCommit:"9e991415386e4cf155a24b1da15becaa390438d8", GitTreeState:"clean", BuildDate:"2020-03-27T10:34:28Z", GoVersion:"go1.14", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.10", GitCommit:"1bea6c00a7055edef03f1d4bb58b773fa8917f11", GitTreeState:"clean", BuildDate:"2020-02-11T20:05:26Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}

p.s. yes, I do create the Secret resource via SealedSecret, but that shall not be of concern (it simply gets automatically generated by the decoded template)... the YAML structure is 1:1 with the one in the example, with the extra of the ownerReferences, that's it

@zeph zeph added the kind/bug Categorizes issue or PR as related to a bug. label Apr 3, 2020
@aledbf
Member

aledbf commented Apr 3, 2020

@zeph just in case, I cannot reproduce what you describe following the example
https://gist.github.com/aledbf/4298bacb1487bf8084d4b2577dfb0a24

Edit: please make sure you are using the latest version

@aledbf
Member

aledbf commented Apr 3, 2020

p.s. yes, I do create the Secret resource via SealedSecret,

Please check the secret is there, kubectl get secret -n <ns> <secret> -o yaml

@zeph
Author

zeph commented Apr 3, 2020

@aledbf I did (the kubectl get... the Secret resource is indeed there)

latest version of the ingress-controller?

I'm working in a pretty controlled env, that is going to get challenging

@zeph
Author

zeph commented Apr 3, 2020

looking at your gist... my namespace != default
it has to be? I mean, the patch that was introduced in 0.24.x (#3875) seems to work pretty well, the sns got automatically derived from it, without me specifying it in the annotation

@aledbf
Member

aledbf commented Apr 3, 2020

latest version of the ingress-controller?

Just tested 0.27.1 and it still works

@aledbf
Member

aledbf commented Apr 3, 2020

Also tried using a different ns for the secret

  apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    annotations:
      nginx.ingress.kubernetes.io/auth-realm: Authentication Required - foo
      nginx.ingress.kubernetes.io/auth-secret: s/basic-auth
      nginx.ingress.kubernetes.io/auth-type: basic
    name: ingress-with-auth
    namespace: default
  spec:
    rules:
    - host: foo.bar.com
      http:
        paths:
        - backend:
            serviceName: http-svc
            servicePort: 80
          path: /

@zeph
Author

zeph commented Apr 3, 2020

still the Ingress definition is in namespace default in your example...
my complete application helm chart is in namespace madeup1

@zeph
Author

zeph commented Apr 3, 2020

I'm just spotting the differences, if things are too obvious or uncorrelated... I...
well, unless you have a better idea on where to look at the problem

@zeph
Author

zeph commented Apr 3, 2020

I mean, the error seems exactly the one at #3493

@aledbf
Member

aledbf commented Apr 3, 2020

Still working

$ k create ns madeup1

$ k apply -n madeup1 -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/docs/examples/http-svc.yaml
deployment.apps/http-svc created
service/http-svc created

$ echo "
   apiVersion: extensions/v1beta1
   kind: Ingress
   metadata:
     annotations:
       nginx.ingress.kubernetes.io/auth-realm: Authentication Required - foo
       nginx.ingress.kubernetes.io/auth-secret: s/basic-auth
       nginx.ingress.kubernetes.io/auth-type: basic
     name: ingress-with-auth
     namespace: madeup1
   spec:
     rules:
     - host: madeup1.foo.bar
       http:
         paths:
         - backend:
             serviceName: http-svc
             servicePort: 80
           path: /
 " | kubectl apply -f -
ingress.extensions/ingress-with-auth created

$ curl localhost -H 'Host: madeup1.foo.bar'
<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.17.7</center>
</body>
</html>
 
$ curl localhost -H 'Host: madeup1.foo.bar' -u 'foo:bar'

Hostname: http-svc-66b7b8b4c6-s8gzh

Pod Information:
	node name:	ingress-nginx-dev-control-plane
	pod name:	http-svc-66b7b8b4c6-s8gzh
	pod namespace:	madeup1
	pod IP:	10.244.0.13

Server values:
	server_version=nginx: 1.12.2 - lua: 10010

Request Information:
	client_address=10.244.0.12
	method=GET
	real path=/
	query=
	request_version=1.1
	request_scheme=http
	request_uri=http://madeup1.foo.bar:8080/

Request Headers:
	accept=*/*
	host=madeup1.foo.bar
	user-agent=curl/7.65.3
	x-forwarded-for=172.17.0.1
	x-forwarded-host=madeup1.foo.bar
	x-forwarded-port=80
	x-forwarded-proto=http
	x-real-ip=172.17.0.1
	x-request-id=b4995da015b77bb15df9e8129f487eb7
	x-scheme=http

Request Body:
	-no body in request-

@zeph
Author

zeph commented Apr 3, 2020

image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.27.1
imageID: docker-pullable://quay.io/kubernetes-ingress-controller/nginx-ingress-controller@sha256:3d93f5ba697f7014e0b639eb5b2abbaa7e20d70a4fd759612c52c1fc5d506612

@zeph
Author

zeph commented Apr 3, 2020

$ k8s get svc kafka-web-cp-kafka-rest -o yaml
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: "2020-03-23T10:57:31Z"
  labels:
    app: cp-kafka-rest
    app.kubernetes.io/instance: kafka-web
    chart: cp-kafka-rest-0.1.0
    heritage: Tiller
    release: kafka-web
  name: kafka-web-cp-kafka-rest
  namespace: infrastructure
  resourceVersion: "297498516"
  selfLink: /api/v1/namespaces/infrastructure/services/kafka-web-cp-kafka-rest
  uid: 311a848d-6039-41e7-b544-4b4d4c997151
spec:
  clusterIP: 172.31.133.143
  ports:
  - name: rest-proxy
    port: 8082
    protocol: TCP
    targetPort: 8082
  selector:
    app: cp-kafka-rest
    release: kafka-web
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

@zeph
Author

zeph commented Apr 3, 2020

$ k8s get ing kafka-web-kafka-topics-ui -o yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-realm: '"like ArgoCD !SSO"'
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    nginx.ingress.kubernetes.io/auth-type: basic
  creationTimestamp: "2020-03-23T12:10:46Z"
  generation: 1
  labels:
    app: kafka-topics-ui
    app.kubernetes.io/instance: kafka-web
    chart: kafka-topics-ui-0.2.0
    heritage: Tiller
    release: kafka-web
  name: kafka-web-kafka-topics-ui
  namespace: infrastructure
  resourceVersion: "302102842"
  selfLink: /apis/extensions/v1beta1/namespaces/infrastructure/ingresses/kafka-web-kafka-topics-ui
  uid: f23c2afc-d627-49ac-ae3d-1bf62b1f6e8f
spec:
  rules:
  - host: kafka.dss.kube
    http:
      paths:
      - backend:
          serviceName: kafka-web-kafka-topics-ui
          servicePort: http
        path: /
status:
  loadBalancer:
    ingress:
    - ip: 172.31.40.16
    - ip: 172.31.40.17
    - ip: 172.31.40.18

@zeph
Author

zeph commented Apr 3, 2020

$ k8s get secret basic-auth -o yaml
apiVersion: v1
data:
  auth: <removed>MQo=
kind: Secret
metadata:
  creationTimestamp: "2020-04-03T13:05:20Z"
  name: basic-auth
  namespace: infrastructure
  ownerReferences:
  - apiVersion: bitnami.com/v1alpha1
    controller: true
    kind: SealedSecret
    name: basic-auth
    uid: 08bd8aa3-6f3a-4f97-aa9e-bc27c428e275
  resourceVersion: "302098017"
  selfLink: /api/v1/namespaces/infrastructure/secrets/basic-auth
  uid: 5a672646-9098-44fb-9d4f-d7e07883fd1b
type: Opaque

@zeph
Author

zeph commented Apr 3, 2020

doesn't look like science fiction compared to your test... but, it doesn't work :/

@zeph
Author

zeph commented Apr 5, 2020

@aledbf aside from NGINX (ingress-controller), who might provide me logs ... or where can I increase verbosity to be able to triage this thing? I mean, given your feedback, it seems it shall "just" work, out of the box
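
The comparison being made by hand in this thread, as an added Go example that is not from the thread or from the ingress-nginx code base: it resolves an `auth-secret` value to a `<namespace>/<name>` key, looks that key up in a constructed store, and checks that the Secret's `auth` entry decodes to `user:hash` lines. The function names, the store map and the sample hash are assumptions for illustration; the bare-name rule follows what the thread describes.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// secretKey turns an auth-secret annotation value into a "<namespace>/<name>" key.
// Assumption: a bare name means the Ingress's own namespace, as the thread describes.
func secretKey(ingressNS, annotation string) (string, error) {
	parts := strings.Split(strings.TrimSpace(annotation), "/")
	if len(parts) == 1 {
		parts = []string{ingressNS, parts[0]}
	}
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", fmt.Errorf("invalid auth-secret value %q", annotation)
	}
	return parts[0] + "/" + parts[1], nil
}

// checkBasicAuth looks the key up in store (key -> base64 Secret data) and validates "auth".
func checkBasicAuth(ingressNS, annotation string, store map[string]map[string]string) error {
	key, err := secretKey(ingressNS, annotation)
	if err != nil {
		return err
	}
	data, ok := store[key]
	if !ok {
		return fmt.Errorf("no secret %q in store", key)
	}
	raw, err := base64.StdEncoding.DecodeString(data["auth"])
	if err != nil || len(strings.TrimSpace(string(raw))) == 0 {
		return fmt.Errorf("secret %q: data key \"auth\" missing, empty or not base64", key)
	}
	for i, line := range strings.Split(strings.TrimSpace(string(raw)), "\n") {
		f := strings.SplitN(line, ":", 2)
		if len(f) != 2 || f[0] == "" || f[1] == "" {
			return fmt.Errorf("secret %q: line %d is not user:hash", key, i+1)
		}
	}
	return nil
}

func main() {
	auth := base64.StdEncoding.EncodeToString([]byte("foo:$apr1$constructed$placeholder\n")) // constructed
	store := map[string]map[string]string{"infrastructure/basic-auth": {"auth": auth}}
	fmt.Println(checkBasicAuth("infrastructure", "basic-auth", store)) // secret found
	fmt.Println(checkBasicAuth("madeup1", "basic-auth", store))        // wrong namespace
}
```

The error in the report refers to the controller's local store, so a pass from these checks on the live objects points away from the manifests themselves.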

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 4, 2020
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 3, 2020
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
