Feature request: satisfy annotation #3677

Closed
JorritSalverda opened this issue Jan 18, 2019 · 7 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@JorritSalverda
Contributor

FEATURE REQUEST

When combining annotations nginx.ingress.kubernetes.io/auth-type and nginx.ingress.kubernetes.io/whitelist-source-range on a single ingress the resulting config doesn't use the satisfy - http://nginx.org/en/docs/http/ngx_http_core_module.html#satisfy - keyword, defaulting to the all value, which requires all checks to be valid.

I would like to be able to specify the any value by setting nginx.ingress.kubernetes.io/satisfy: any so either the whitelisted IPs are good enough to get you in or the basic authentication is presented otherwise.

NGINX Ingress controller version:

0.22.0

Kubernetes version:

v1.11.2-gke.26

Environment:

Google Kubernetes Engine 1.11.2-gke.26

@aledbf aledbf added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 18, 2019
@aledbf
Member

aledbf commented Jan 18, 2019

@JorritSalverda in the meantime you can use

nginx.ingress.kubernetes.io/auth-type: .........
nginx.ingress.kubernetes.io/configuration-snippet: |-
  allow 127.0.0.0/8;
  allow 10.0.0.0/8;
  deny all;
  satisfy any;

@rmuehlbauer

For me this configuration is not working - once I've added the configuration-snippet, access to the site is open for everyone... not only for the explicitly allowed IP address

@aledbf
Member

aledbf commented Jan 29, 2019

@rmuehlbauer please make sure you are using 0.22.0

Edit: previous versions have a bug #3649

@rmuehlbauer

ok! good point - at the moment I have installed 0.21.0 ... will upgrade and check again!
thanks for the clue

@rmuehlbauer

OK, I can confirm - upgrading to 0.22.0 solved my issue. Now basic auth is working along with the IP whitelist the way it should - perfect!

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 30, 2019
@aledbf
Member

aledbf commented Apr 30, 2019

Closing. Added in 0.23.0

@aledbf aledbf closed this as completed Apr 30, 2019
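
An added example (not from the thread or from the ingress-nginx code base): a simplified Python model of how NGINX's access phase combines the allow/deny rules from the workaround above with basic auth under `satisfy all` and `satisfy any`. The function names and client addresses are constructed for illustration, and the handler order (allow/deny before basic auth) is an assumption of the model.

```python
import ipaddress

OK, DECLINED, FORBIDDEN, UNAUTHORIZED = 200, None, 403, 401

# allow/deny rules from the configuration-snippet workaround in the thread
RULES = [("allow", "127.0.0.0/8"), ("allow", "10.0.0.0/8"), ("deny", "all")]
# Constructed sample clients: (source IP, presents valid basic-auth credentials)
CLIENTS = [("10.1.2.3", False), ("203.0.113.7", True), ("203.0.113.7", False)]

def access_module(rules, client_ip):
    """allow/deny check: the first matching rule decides."""
    ip = ipaddress.ip_address(client_ip)
    for action, cidr in rules:
        if cidr == "all" or ip in ipaddress.ip_network(cidr):
            return OK if action == "allow" else FORBIDDEN
    return DECLINED  # no rule matched, so this module gives no verdict

def auth_basic_module(auth_enabled, creds_valid):
    """Basic-auth check: no verdict when auth is not configured."""
    if not auth_enabled:
        return DECLINED
    return OK if creds_valid else UNAUTHORIZED

def access_phase(satisfy, rules, client_ip, auth_enabled, creds_valid):
    """Return the status of the access phase (200 means the request proceeds)."""
    pending = None
    # Assumed handler order for this model: allow/deny first, then basic auth.
    for rc in (access_module(rules, client_ip),
               auth_basic_module(auth_enabled, creds_valid)):
        if rc is DECLINED:
            continue
        if satisfy == "all":
            if rc != OK:
                return rc      # any failing check rejects the request
        elif rc == OK:
            return OK          # satisfy any: one passing check is enough
        elif pending != UNAUTHORIZED:
            pending = rc       # remember the rejection, preferring 401 over 403
    return pending or OK

def matrix():
    """Evaluate every sample client under both satisfy modes."""
    return {(mode, ip, creds): access_phase(mode, RULES, ip, True, creds)
            for mode in ("all", "any") for ip, creds in CLIENTS}

if __name__ == "__main__":
    for (mode, ip, creds), status in matrix().items():
        print(f"satisfy {mode:3} ip={ip:12} valid_creds={creds!s:5} -> {status}")
```

In this model, if neither check yields a verdict under `satisfy any` (no matching rule and no auth configured), the request proceeds, so keep the `deny all;` line and confirm the auth annotations are actually rendered into the location block.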