menu

Questions & Answers

How to ByPass Traffic directly to Backend from K8S NGINX Ingress Controller

OAUTH2 is used for authentication and the OAUTH2 proxy is deployed in Kubernetes. When a request is received by the NGINX Ingress controller, it always routes the traffic to OAUTH proxy. The requirement is when the request contains a specific header (For example: abc) then those requests should be routed directly to the backend. Those shouldn't be routed to OAUTH proxy. Can this be done using some sort of an annotation in NGINX Ingress controller? Can we by pass those traffic going to OAUTH2?

Answers(1) :

You may want to have a look at https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#canary

Let's say you have a normal Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-backend
spec:
  ingressClassName: nginx
  rules:
  - host: XXX
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: backend
            port:
              number: 80

Set the header name and value for your desired backend on a second Ingress, with canary enabled.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-backend-header
  annotations:
    nginx.ingress.kubernetes.io/canary: "true"
    nginx.ingress.kubernetes.io/canary-by-header: sample-header
    nginx.ingress.kubernetes.io/canary-by-header-value: abc
spec:
  ingressClassName: nginx
  rules:
  - host: XXX
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: backend-with-header
            port:
              number: 80

Now, every request with sample-header: abc routes to the second ingress/service. Any other value, e. g. sample-header: test, will route to the first ingress/service.