External Auth fails if the external auth service returns big headers #2427

Closed
Eddman opened this issue Apr 26, 2018 · 0 comments · Fixed by #2428

Eddman commented Apr 26, 2018

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG REPORT

If the External Auth service returns, for instance, cookies that are bigger than 4Kb, the request fails. See more details below.

NGINX Ingress controller version:

NGINX Ingress controller
  Release:    0.12.0
  Build:      git-1df421a
  Repository: https://github.com/kubernetes/ingress-nginx

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3be3d0864b52323b", GitTreeState:"clean", BuildDate:"2018-02-07T12:22:21Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.6", GitCommit:"9f8ebd171479bec0ada837d7ee641dec2f8c6dd1", GitTreeState:"clean", BuildDate:"2018-03-21T15:13:31Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: AWS
  • OS (e.g. from /etc/os-release): CentOS 7
  • Kernel (e.g. uname -a): Linux ... 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

What happened:
When you create an Ingress resource like this one:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ...
  labels:
    ....
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/add-base-url: "true"
    nginx.ingress.kubernetes.io/auth-signin: https://$host/auth/kubernetes/start?redirect_uri=https://$host$request_uri$is_args$args
    nginx.ingress.kubernetes.io/auth-url: https://$host/auth/kubernetes/auth
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    
spec:
  rules:
    - ...
  tls:
    - ...

Controller generates a block like this one:

location = /_external-auth-L3Byb21ldGhldXM {
    internal;
    set $proxy_upstream_name "external-authentication";

    proxy_pass_request_body     off;
    proxy_set_header            Content-Length "";

    proxy_set_header            Host                    $host;
    proxy_set_header            X-Original-URL          $scheme://$http_host$request_uri;
    proxy_set_header            X-Original-Method       $request_method;
    proxy_set_header            X-Sent-From             "nginx-ingress-controller";

    proxy_set_header            X-Auth-Request-Redirect $request_uri;

    proxy_http_version          1.1;
    proxy_ssl_server_name       on;
    proxy_pass_request_headers  on;
    client_max_body_size        "1m";

    set $target https://$host/auth/kubernetes/auth;
    proxy_pass $target;
}

This is completely fine unless your external auth service returns cookies and other headers that exceed the default proxy buffer (4Kb). The configmap option proxy-buffer-size is completely missing its proxy_buffer_size equivalent in the block above.

What you expected to happen:
I expect that my settings are propagated to the config; at least the buffering options:

proxy_buffering                         "off";
proxy_buffer_size                       "16k";
proxy_buffers                           4 "16k";
proxy_request_buffering                 "on";

How to reproduce it (as minimally and precisely as possible):
Any Ingress with external auth generates the block above.

Anything else we need to know:
no
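
A check for the gap described in this report, added here as an example and not code from the issue or from ingress-nginx: it scans rendered nginx configuration for `/_external-auth-` locations, reports which ones lack `proxy_buffer_size`, and tests whether a given set of auth response headers fits the buffer. The sample configuration, the second location name and the 4096-byte default (taken from the 4Kb figure in the report) are assumptions.

```python
import re

# Constructed sample: one auth location shaped like the one in the report (no
# proxy_buffer_size) and one hypothetical location carrying the expected option.
SAMPLE_CONF = r'''
location = /_external-auth-L3Byb21ldGhldXM {
    internal;
    proxy_pass_request_body     off;
    set $target https://$host/auth/kubernetes/auth;
    proxy_pass $target;
}
location = /_external-auth-EXAMPLE {
    internal;
    proxy_buffer_size           "16k";
    proxy_pass $target;
}
'''

DEFAULT_BUFFER = 4 * 1024  # assumption: the 4Kb default named in the report

# Assumes auth location bodies contain no nested braces, as in the block above.
LOCATION_RE = re.compile(r'location\s*=\s*(/_external-auth-[^\s{]+)\s*\{([^{}]*)\}')
BUFFER_RE = re.compile(r'^\s*proxy_buffer_size\s+"?(\d+)([kKmM]?)"?\s*;', re.M)
UNITS = {'': 1, 'k': 1024, 'm': 1024 ** 2}

def auth_buffer_sizes(conf):
    """Map each external-auth location to proxy_buffer_size in bytes (None if unset)."""
    sizes = {}
    for path, body in LOCATION_RE.findall(conf):
        m = BUFFER_RE.search(body)
        sizes[path] = int(m.group(1)) * UNITS[m.group(2).lower()] if m else None
    return sizes

def header_bytes(headers):
    """Approximate on-wire size of an HTTP/1.1 response header block."""
    lines = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return len(("HTTP/1.1 200 OK\r\n" + lines + "\r\n").encode())

def locations_too_small(conf, headers, default=DEFAULT_BUFFER):
    """Auth locations whose effective buffer cannot hold the given response headers."""
    need = header_bytes(headers)
    return sorted(path for path, size in auth_buffer_sizes(conf).items()
                  if (size or default) < need)

if __name__ == "__main__":
    big = [("Set-Cookie", "session=" + "a" * 5000)]  # constructed oversized cookie
    print(auth_buffer_sizes(SAMPLE_CONF))
    print(locations_too_small(SAMPLE_CONF, big))
```
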
