Description
What happened: when adding url query encoded parameters, like %2C (,) or %40 (@)
example:
nginx.ingress.kubernetes.io/auth-url: https://auth.example.com/oauth2/auth?allowed_emails=example%40example.com%2Cmoo%40example.com
What you expected to happen:
This to be accepted, as it was 2y ago.
The Validator was added without all edge cases (as I see fixes to add ',' and '@')
NGINX Ingress controller version (exec into the pod and run /nginx-ingress-controller --version):
NGINX Ingress controller
Release: v1.12.0
Build: ba73b2c
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.25.5
Kubernetes version (use kubectl version):
Client Version: v1.31.5+rke2r1
Kustomize Version: v5.4.2
Server Version: v1.31.5+rke2r1
Environment:
-
Cloud provider or hardware configuration: hetzner ax52
-
OS (e.g. from /etc/os-release): ubuntu 24.04
-
Kernel (e.g.
uname -a): Linux access 6.8.0-52-generic Bump up glbc version to match release #55-Ubuntu SMP PREEMPT_DYNAMIC Fri Jan 17 15:37:52 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux -
Install tools:
- RKE2
-
Basic cluster related info:
-
kubectl version
Client Version: v1.31.5+rke2r1
Kustomize Version: v5.4.2
Server Version: v1.31.5+rke2r1 -
kubectl get nodes -o wide
3 control plane nodes, 5 workers
-
-
How was the ingress-nginx-controller installed:
-
If helm was used then please show output of
helm ls -A | grep -i ingress
nginx-ingress-internal nginx-internal 1 2025-02-18 03:54:38.030077783 +0000 UTC deployed ingress-nginx-4.12.0 1.12.0 -
If helm was used then please show output of
helm -n <ingresscontrollernamespace> get values <helmreleasename> -
If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used
-
if you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances
-
-
Current State of the controller:
kubectl describe ingressclasseskubectl -n <ingresscontrollernamespace> get all -A -o widekubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
-
Current state of ingress object, if applicable:
kubectl -n <appnamespace> get all,ing -o widekubectl -n <appnamespace> describe ing <ingressname>- If applicable, then, your complete and exact curl/grpcurl command (redacted if required) and the reponse to the curl/grpcurl command with the -v flag
-
Others:
- Any other related information like ;
- copy/paste of the snippet (if applicable)
kubectl describe ...of any custom configmap(s) created and in use- Any other related information that may help
- Any other related information like ;
How to reproduce this issue:
echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: foo-bar
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/auth-signin: https://auth.example.com/oauth2/start?rd=https%3A%2F%2F$http_host$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://auth.example.com/oauth2/auth?allowed_emails=example%40example.com%2Cmoo%40example.com
spec:
ingressClassName: nginx # omit this if you're on controller version below 1.0.0
rules:
- host: foo.bar
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: http-svc
port:
number: 80
" | kubectl apply -f -
Anything else we need to know:
Metadata
Metadata
Assignees
Labels
Type
Projects
Status