Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nginx ingress version > 3.34.0 request_method OPTION #8643

Closed
mike-serchenia opened this issue May 27, 2022 · 6 comments
Closed

nginx ingress version > 3.34.0 request_method OPTION #8643

mike-serchenia opened this issue May 27, 2022 · 6 comments
Labels
kind/support Categorizes issue or PR as a support question. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. triage/needs-information Indicates an issue needs more information in order to work on it.

Comments

@mike-serchenia
Copy link

mike-serchenia commented May 27, 2022
edited
Loading 

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.2.0
  Build:         a2514768cd282c41f39ab06bda17efefc4bd233a
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.19.10

-------------------------------------------------------------------------------

Kubernetes version (use kubectl version):

Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.11-gke.1100", GitCommit:"20da4c21b3a6b1a56ff6ad5ecb7dee013aaf1b83", GitTreeState:"clean", BuildDate:"2022-04-01T09:40:07Z", GoVersion:"go1.16.15b7", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: GKE
  • OS (e.g. from /etc/os-release):
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.14.6
PRETTY_NAME="Alpine Linux v3.14"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

  • Kernel (e.g. uname -a): 5.4.0-1067-gke Nginx: support hiding version number (server_tokens off;) ? #70-Ubuntu SMP Wed Mar 30 03:58:47 UTC 2022 x86_64 Linux

  • How was the ingress-nginx-controller installed: helm

    • If helm was used then please show output of helm ls -A | grep -i ingress
    nginx-ingress-ext               	ingress-nginx      	16      	2022-05-26 21:49:11.268965215 +0000 UTC	deployed	ingress-nginx-4.1.2                   	1.2.0
    • If helm was used then please show output of helm -n <ingresscontrollernamepspace> get values <helmreleasename>
    controller:
config:
  http-snippet: |
    proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=static-cache:2m max_size=16g inactive=7d use_temp_path=off;
    proxy_cache_key $scheme$proxy_host$request_uri;
    proxy_cache_lock on;
    proxy_cache_use_stale updating;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header X-Original-METHOD $request_method;
ingressClass: nginx
ingressClassResource:
  name: nginx
metrics:
  enabled: true
  port: 10254
  service:
    labels:
      monitored-by: vm-operator
podAnnotations:
  cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
  linkerd.io/inject: enabled
replicaCount: 3
service:
  loadBalancerIP: <reducted>

What happened:

Everything higher then (helm) 3.34.0 and the image controller: k8s.gcr.io/ingress-nginx/controller:v0.47.0 returns x-original-method: OPTIONS before upgrade it is x-original-method: GET -eq to original Method. It breaks auth-url redirects ("nginx.ingress.kubernetes.io/auth-url" = http://oathkeeper.ory.svc.cluster.local:4456/decisions$request_uri)

I've noticed that config template has changed form:

	# Cors Preflight methods needs additional options and different Return Code

        if ($request_method = 'OPTIONS') {
          add_header 'Access-Control-Allow-Origin' "$http_origin";
          add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, PATCH, OPTIONS';
          add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
          add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
          add_header 'Access-Control-Max-Age' 1728000;
          add_header 'Content-Type' 'text/plain charset=UTF-8';
          add_header 'Content-Length' 0;
          return 204;
        }

To:

# Cors Preflight methods needs additional options and different Return Code
if ($request_method = 'OPTIONS') {
	set $cors ${cors}options;
}
if ($cors = "true") {
	more_set_headers 'Access-Control-Allow-Origin: $http_origin';
	more_set_headers 'Access-Control-Allow-Credentials: true';
	more_set_headers 'Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS';
	more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
	more_set_headers 'Access-Control-Max-Age: 1728000';
}
if ($cors = "trueoptions") {
	more_set_headers 'Access-Control-Allow-Origin: $http_origin';
	more_set_headers 'Access-Control-Allow-Credentials: true';
	more_set_headers 'Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS';
	more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
	more_set_headers 'Access-Control-Max-Age: 1728000';
	more_set_headers 'Content-Type: text/plain charset=UTF-8';
	more_set_headers 'Content-Length: 0';
	return 204;
}

I've tried to use
"nginx.ingress.kubernetes.io/enable-cors" = "trueoptions" ingress annotation but it didn't help

So to use previous ingress behavior I use config-snippet like this

      "nginx.ingress.kubernetes.io/configuration-snippet" = <<EOF
        if ($request_method = 'OPTIONS') {
          add_header 'Access-Control-Allow-Origin' "$http_origin";
          add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, PATCH, OPTIONS';
          add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
          add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
          add_header 'Access-Control-Max-Age' 1728000;
          add_header 'Content-Type' 'text/plain charset=UTF-8';
          add_header 'Content-Length' 0;
          return 204;
        }
        EOF

Is there better way to how to fix it rather then adding configuration-snippet to every ingress?
@mike-serchenia mike-serchenia added the kind/bug Categorizes issue or PR as related to a bug. label May 27, 2022
@k8s-ci-robot
Copy link
Contributor

@mike-serchenia: This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels May 27, 2022
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 25, 2022
@mike-serchenia
Copy link
Author

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 25, 2022
@kundan2707
Copy link
Contributor

/remove-lifecycle stale

@longwuyuan
Copy link
Contributor

@mike-serchenia this is the only CORS related PR I could find that matches that time window #7134. But it was reverted within 4 days. So still searching for the PR that removed that expose-headers directive. The expose directive was added in 2020 earlier but so wierd to see the impact in 2021.

I still don't think that the expose-headers directive is possible without a snippet, like you mentioned.

But this issue is 2 years old so wondering if its still active for you. I will close it for now as we are now in version 1.10.1of the controller so a rebase and retest is needed anyways. Please re-open if you want to still engage on this but kindly test with the latest release of the controller.

thanks

/kind support
/remove-kind bug
/triage needs-information

/close

@k8s-ci-robot k8s-ci-robot added kind/support Categorizes issue or PR as a support question. triage/needs-information Indicates an issue needs more information in order to work on it. and removed kind/bug Categorizes issue or PR as related to a bug. labels May 1, 2024
@k8s-ci-robot
Copy link
Contributor

@longwuyuan: Closing this issue.

In response to this:

@mike-serchenia this is the only CORS related PR I could find that matches that time window #7134. But it was reverted within 4 days. So still searching for the PR that removed that expose-headers directive. The expose directive was added in 2020 earlier but so wierd to see the impact in 2021.

I still don't think that the expose-headers directive is possible without a snippet, like you mentioned.

But this issue is 2 years old so wondering if its still active for you. I will close it for now as we are now in version 1.10.1of the controller so a rebase and retest is needed anyways. Please re-open if you want to still engage on this but kindly test with the latest release of the controller.

thanks

/kind support
/remove-kind bug
/triage needs-information

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/support Categorizes issue or PR as a support question. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. triage/needs-information Indicates an issue needs more information in order to work on it.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@longwuyuan @k8s-ci-robot @k8s-triage-robot @kundan2707 @mike-serchenia