kubernetes nginx ingress zipkin basic-auth

Question

So I'm having zipkin gathering my data inside kubernetes from other services. I'm having nginx ingress controller defined to expose my services and all works nice. As zipkin is admin thing I'd love to have it behind some security ie. basic auth. If I add 3 lines marked as "#problematic lines - start" and "#problematic lines - stop" below my zipkin front is no longer visible and I get 503.

It's created with https://github.com/kubernetes/ingress/tree/master/examples/auth/basic/nginx and no difficult things here.

apiVersion: v1
kind: Service
metadata:
  name: zipkin
  labels:
    app: zipkin
    tier: monitor
spec:
  ports:
  - port: 9411
    targetPort: 9411
  selector:
    app: zipkin
    tier: monitor
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: zipkin
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: zipkin
        tier: monitor
    spec:
      containers:
      - name: zipkin
        image: openzipkin/zipkin
        resources:
          requests:
            memory: "300Mi"
            cpu: "100m"
          limits:
            memory: "500Mi"
            cpu: "250m"
        ports:
        - containerPort: 9411
---
apiVersion: v1
kind: Service
metadata:
  name: zipkin-ui
  labels:
    app: zipkin-ui
    tier: monitor
spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: zipkin-ui
    tier: monitor
---
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: zipkin-ui
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: zipkin-ui
        tier: monitor
    spec:
      containers:
      - name: zipkin-ui
        image: openzipkin/zipkin-ui
        resources:
          requests:
            memory: "300Mi"
            cpu: "100m"
          limits:
            memory: "500Mi"
            cpu: "250m"
        ports:
        - containerPort: 80
        env:
        - name: ZIPKIN_BASE_URL
          value: "http://zipkin:9411"
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: zipkin
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    ingress.kubernetes.io/enable-cors: "true"
    ingress.kubernetes.io/ssl-redirect: "false"
#problematic lines - start
    ingress.kubernetes.io/auth-type: basic
    ingress.kubernetes.io/auth-secret: basic-auth
    ingress.kubernetes.io/auth-realm: "Authentication Required"
#problematic lines - stop
spec:
  rules:
  - host: "zipkin.lalala.com"
    http:
      paths:
      - path: /
        backend:
          serviceName: zipkin-ui
          servicePort: 80

I'm not sure if it's not about possible infulence but I used https://github.com/kubernetes/ingress/blob/master/controllers/nginx/rootfs/etc/nginx/nginx.conf file as template for my nginx ingress controller as I needed to modify some CORS rules. I see there part:

{{ if $location.BasicDigestAuth.Secured }}
{{ if eq $location.BasicDigestAuth.Type "basic" }}
auth_basic "{{ $location.BasicDigestAuth.Realm }}";
auth_basic_user_file {{ $location.BasicDigestAuth.File }};
{{ else }}
auth_digest "{{ $location.BasicDigestAuth.Realm }}";
auth_digest_user_file {{ $location.BasicDigestAuth.File }};
{{ end }}
proxy_set_header Authorization "";
{{ end }}

but I don't see result in: kubectl exec nginx-ingress-controller-lalala-lalala -n kube-system cat /etc/nginx/nginx.conf | grep auth kubectl exec nginx-ingress-controller-lalala-lalala -n kube-system cat /etc/nginx/nginx.conf | grep auth . Due to this my guess is that I need to add some annotation to make this {{ if $location.BasicDigestAuth.Secured }} part work. Unfortunately I cannot find anything about it.

Answer 1

I have the same config running on my ingress 9.0-beta.11. I guess it's just a misconfiguration.

First I'll recommend you to not change the template and use the default values and just change when the basic-auth works.

What the logs of ingress show to you? Did you create the basic-auth file in the same namespace of the ingress resource?