Handle request_id variable correctly in auth requests #9219
@leki75: This issue is currently awaiting triage. If Ingress contributors determine this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi @leki75. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This sounds like a feature to me, not a bug. The request to the external auth server is another request, so it should have a different request id.
If you remove the
@ElvinEfendi @strongjz Any updates on this, please?
@ElvinEfendi @strongjz Happy new year! Any updates, please?
@tao12345666333 @strongjz @ElvinEfendi Is it possible to get this small change reviewed?
/ok-to-test
@tao12345666333 @strongjz @ElvinEfendi
@ekovacs Since we've had some issues recently, we'll work on higher priority things first and pick this up after a new release.
@tao12345666333 @strongjz @ElvinEfendi Is it possible to get this change merged?
@tao12345666333 @strongjz @ElvinEfendi Any updates on merging this change, please?
Sorry for the delay. Let me take a look.
The reason why you see different X-Request-ID headers in this scenario is because of how Ingress-nginx handles these requests internally:
- When a client sends an HTTP request, Ingress-nginx generates an X-Request-ID header for that incoming request if it doesn't already have one.
- Before forwarding the request to your upstream application, Ingress-nginx first sends an internal subrequest (Lua-based) to the specified auth-url for authentication.
- This internal subrequest is treated as a separate and independent HTTP transaction by Nginx, so it gets assigned its own unique X-Request-ID header value.
As a result, when comparing both requests (the original client's and Lua-based authentication), they will have different X-Request-ID values since they are considered distinct transactions within Nginx.
I suggest adding a new configuration item to allow users to control whether to merge or separate request-id to avoid confusion.
Thanks for your reply @tao12345666333. This is all true, but the X-Request-ID header will be the same whenever you change back to the original
We can list all scenarios and regulate their behavior, right? @leki75
Unfortunately, we cannot regulate the behavior of the non-Lua version. @tao12345666333 Do you think that we should make it configurable on Lua-only?
Yes. I think that's enough.
✅ Deploy Preview for kubernetes-ingress-nginx canceled.
@tao12345666333 could you take a look, please?
👌 I will add this to my list, will finish on Friday
/lgtm
/retest
Thanks
@@ -33,6 +33,7 @@ You can add these Kubernetes annotations to specific Ingress objects to customiz | |||
|[nginx.ingress.kubernetes.io/auth-cache-key](#external-authentication)|string| | |||
|[nginx.ingress.kubernetes.io/auth-cache-duration](#external-authentication)|string| | |||
|[nginx.ingress.kubernetes.io/auth-keepalive](#external-authentication)|number| | |||
|[nginx.ingress.kubernetes.io/auth-keepalive-share-vars](#external-authentication)|"true" or "false"| |
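Review bot: The added auth-keepalive-share-vars row gives only the annotation name and the type "true" or "false", and the #external-authentication section it links to is not touched in this hunk. Suggest documenting there the default value, which variables are shared with the auth subrequest (the PR title names request_id), and that the setting only applies to the Lua-based auth path used with auth-keepalive, so users do not expect it to change behaviour when auth-keepalive is not set.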
I like this name
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: leki75, tao12345666333 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
What this PR does / why we need it:
Ingress-nginx sets X-Request-ID HTTP header for every proxied request to support distributed tracing. Whenever we use nginx.ingress.kubernetes.io/auth-url with nginx.ingress.kubernetes.io/auth-keepalive the generated LUA-based authentication request will contain a different request-id than the one that reaches the upstream application.
Types of changes
How Has This Been Tested?
Deployed an ingress controller with the modified image. I used the following Kubernetes resources for the test:
Results without the patch:
Results with the patch:
Checklist:
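
Why the shared request ID matters for audit and tracing, as an added example that is not part of this PR or of ingress-nginx: it joins auth-service and upstream log records on X-Request-ID. The log records, their field names and the ID values are constructed assumptions.

```python
# Constructed sample records (not real ingress-nginx output); field names are assumptions.
UPSTREAM = [
    {"request_id": "c1", "path": "/orders"},
    {"request_id": "c2", "path": "/admin"},
]
# Auth subrequest carries its own ID (the behaviour the PR description reports).
AUTH_SEPARATE = [
    {"request_id": "s1", "status": 200},
    {"request_id": "s2", "status": 200},
    {"request_id": "s3", "status": 401},
]
# Auth subrequest reuses the client request's ID (variables shared).
AUTH_SHARED = [
    {"request_id": "c1", "status": 200},
    {"request_id": "c2", "status": 200},
    {"request_id": "c3", "status": 401},
]


def correlate(auth_log, upstream_log):
    """Join upstream requests to auth decisions on X-Request-ID."""
    auth_by_id = {rec["request_id"]: rec for rec in auth_log}
    matched, unexplained = [], []
    for rec in upstream_log:
        decision = auth_by_id.pop(rec["request_id"], None)
        if decision is None:
            # Upstream request with no auth decision under the same ID.
            unexplained.append(rec["path"])
        else:
            matched.append((rec["path"], decision["status"]))
    # Auth records left over never reached an upstream under that ID:
    # expected for denials, worth a look for allows.
    leftovers = list(auth_by_id.values())
    return {
        "matched": matched,
        "unexplained_upstream": unexplained,
        "orphan_allows": [r["request_id"] for r in leftovers if r["status"] == 200],
        "denied": [r["request_id"] for r in leftovers if r["status"] != 200],
    }


if __name__ == "__main__":
    print("separate IDs:", correlate(AUTH_SEPARATE, UPSTREAM))
    print("shared IDs:  ", correlate(AUTH_SHARED, UPSTREAM))
```

With separate IDs every upstream request looks unauthenticated and every allow looks orphaned; with shared IDs only the denied request is left without an upstream record.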