[Feature Request]: Enable auth for all locations (security opt-out)

[okryvoshapka-connyun]

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): No

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.):

• auth
• auth_request
• global

---

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
FEATURE REQUEST

NGINX Ingress controller version:
0.19.0

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-21T09:17:39Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}`
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.7", GitCommit:"dd5e1a2978fd0b97d9b78e1564398aeea7e7fe92", GitTreeState:"clean", BuildDate:"2018-04-18T23:58:35Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

What happened:
We have several applications (~20) running in the cluster. Most of them need to be protected by external auth (all except UI).
We have a bouncer-service (deployed under the path /srv/bouncer/api/v1) who is responsible for checking the auth header (on /me endpoint).
Looks like that the only official way to protect all services is to protect every service (security opt-in), by adding annotation

nginx.ingress.kubernetes.io/auth-url: "http://bouncer-svc.default.svc.cluster.local:80/srv/bouncer/api/v1/me"

to every service's ingress.

We have found a way around to turn it into security opt-out concept by using snippets.
For nginx configuration we are using location-snippet:

controller:
  config:
    # external auth via bouncer on every location block
    location-snippet: |
      if ($service_name ~ (admin-ui|device-management|user-management|app-main|bouncer-app)) {
      	set $auth_check skip;
      }
      auth_request        /srv/bouncer/api/v1/me;

And for bouncer-ingress we are using annotation:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: bouncer-ingress
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
        internal;
        if ($auth_check = "skip") {
            return 200;
        }

What you expected to happen:
Would be nice to be able to set the global external auth to protect all the services at once with external auth using nginx-controller configuration.
Then the whole security can be handled very well in combination with no-auth-locations, presented in in #2243

Anything else we need to know:
Unfortunately the presented concept works only when enable-dynamic-configuration: "false" because of https://github.com/kubernetes/ingress-nginx/pull/2280/commits as in our case the external auth location is not an auto-generated locatiob block location = /_external-auth-Lv {}, but a normal one as for any other service with set $proxy_upstream_name "default-bouncer-svc-80";

[bsctl]

Hello, having the same requirement here. Thanks

[bsctl]

Hello, we worked around by creating a server-snippet

kind: ConfigMap
apiVersion: v1
metadata:
  name: ingress
  namespace: default
  labels:
data:
  server-snippet: |
    auth_basic            "Local Users";
    auth_basic_user_file  /etc/auth/users;

hope this helps

[okryvoshapka-connyun]

@Kalise, if you are interested, I have referenced a PR which solves this issue.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[okryvoshapka-connyun]

/close

[k8s-ci-robot]

@okryvoshapka-connyun: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.