Need migration help for following ingress from k8s INC to F5 NIC

My issue: We need help in converting this ingress from k8s INC to F5 NIC with best way possible. Preferably sticking to ingress yaml only for easier migration. Only go to additional CRDs if needed.

How I encountered the problem: We are getting 404 for the following instead of 200.

The ingress we were using for k8s INC:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
  namespace: myapp
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$request_uri
    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/24, 192.168.1.0/24, 172.16.0.0/16
    nginx.ingress.kubernetes.io/x-forwarded-prefix: /myapp/
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - backend:
              service:
                name: myapp-svc
                port:
                  number: 3000
            path: /myapp(/|$)(.*)
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - app.example.com
      secretName: my-tls-certs
```

Solutions I’ve tried:

— Our attempted F5 NGINX Ingress Controller translation (not working) —

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress-f5
  namespace: myapp
  annotations:
    nginx.org/location-snippets: |
      auth_request https://$host/oauth2/auth;
      auth_request_set $auth_header https://$host/oauth2/start?rd=$request_uri;
      auth_request_set $auth_type "";
      auth_request_set $auth_secret "";
      proxy_set_header X-Forwarded-Prefix /myapp/;
    nginx.org/mergeable-ingress-type: minion
    nginx.org/rewrite-target: /$2
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - backend:
              service:
                name: myapp-svc
                port:
                  number: 3000
            path: /myapp(/|$)(.*)
            pathType: ImplementationSpecific
```

Version of NIC and/or NGINX: NIC v5.3.1

Deployment environment: Self managed kubernetes. Nodeport. AWS Cloud provider.

  • Note that for whitelistsourcerange, we couldn’t find any alternative. Also, we get this value as a $(list_of_ips_separated_by_commas) from consul db.
  • We are unable to add server snippet for any of the above solutions, as it says only master ingress can have server snippet. We do have a master ingress and this is a minion ingress.
  • What is the auth-url alternative in F5? We have a couple of apps using it.

I think the accessControl policy and externalAuth might be what you want.

If you want to stay with Ingress, you can try using Policy resources and refer to them in an Ingress with an annotation like nginx.org/policies: whitelist-policy, ouath2policy.

Note that this requires upgrading from 5.3.1. The accessControl policy is available from 5.4+, and the externalAuth policy is not yet in any stable release and is only available in the main branch build, so it is not recommended for production use yet.

Your policy objects could look like the following:

accessControl:

```yaml
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: whitelist-policy
  namespace: myapp
spec:
  accessControl:
    allow:
      - 10.0.0.0/24
      - 192.168.1.0/24
      - 172.16.0.0/16
```

externalAuth (see the mergeable ingress example):

```yaml
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
  name: ouath2policy
  namespace: myapp
spec:
  externalAuth:
    authURI: "/oauth2/auth"
    authSigninURI: "/oauth2/start?rd=$request_uri"
    authServiceName: "<servicename>"
```

and your ingress could be like:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress-f5
  namespace: myapp
  annotations:
    nginx.org/mergeable-ingress-type: "minion"
    # Names must match metadata.name of the Policy objects in this namespace.
    nginx.org/policies: "whitelist-policy,ouath2policy"
    ...
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      ...
```
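The question notes that the allowlist arrives from Consul as one comma-separated string, while the accessControl policy takes a YAML list. The Python sketch below is an added example, not part of the thread or of NGINX Ingress Controller: it validates that string and renders the Policy manifest. `parse_allowlist` and `render_policy` are hypothetical helper names, the sample string is constructed from the CIDRs in the question, and the policy name and namespace are assumed to be trusted constants.

```python
import ipaddress


def parse_allowlist(raw):
    """Validate a comma-separated CIDR string; return de-duplicated networks."""
    seen, nets = set(), []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate trailing or doubled commas
        # strict=True rejects entries with host bits set (e.g. 10.0.0.5/24),
        # which usually means a typo in the source data.
        net = ipaddress.ip_network(item, strict=True)
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 would silently turn the allowlist into allow-all.
            raise ValueError(f"refusing allow-all entry: {item}")
        if net not in seen:
            seen.add(net)
            nets.append(net)
    if not nets:
        # Fail at generation time rather than ship a policy with no entries.
        raise ValueError("allowlist is empty")
    return nets


def render_policy(name, namespace, raw):
    """Render the accessControl Policy; name/namespace are trusted constants."""
    lines = [
        "apiVersion: k8s.nginx.org/v1",
        "kind: Policy",
        "metadata:",
        f"  name: {name}",
        f"  namespace: {namespace}",
        "spec:",
        "  accessControl:",
        "    allow:",
    ]
    # Only values that round-tripped through ipaddress reach the manifest,
    # so the upstream string cannot inject extra YAML keys.
    lines += [f"      - {net}" for net in parse_allowlist(raw)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    SAMPLE = "10.0.0.0/24, 192.168.1.0/24, 172.16.0.0/16"  # constructed input
    print(render_policy("whitelist-policy", "myapp", SAMPLE))
```

Running this in the pipeline that reads the Consul value makes a malformed or allow-all entry fail the deploy instead of reaching the controller.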

This is really helpful @hshannon I will try this policy approach and get back on this.

Hi @parallel_stories, the external_auth policy is now available in the 5.5.0 release: Policy resources | NGINX Documentation