I recently had to work on mTLS that is to be managed internally. This will be utilized for our utmost critical applications in Kubernetes (K8s), as our security team harbored reservations regarding other service providers' ability to manage it. So starts my journey to customize ingress-nginx and Lua.
In order to implement mTLS, I used NGINX's configuration snippets annotation to write the logic for verifying client certificates and modifying certain headers. Furthermore, Security wanted specific environment variables logged for review.
That doesn’t sound too hard
Lua can be written using access_by_lua_block within the configuration snippets. It also comes with an os library that allows me to use os.getenv to read my environment variables. Easy peasy.
I wrote something like this:
Apply this, make a request, and the logs should show my pod’s namespace.
WAT
Maybe the environment variables were not in the pods?
One Hour Later…
I discovered that in order for environment variables to be accessible to Lua, they need to be explicitly listed in nginx.conf using the env directive.
I thought the base configuration for ingress-nginx is set up using configmaps. Looking deeper in the docs, I came across more snippet keys that I could use. Given that the env directive only lives in the main context, I thought main-snippet made sense, but I was still uncertain how to use it.
Without sufficient examples, I delved into the code for a better understanding. That's when I discovered the nginx.conf template here and how main-snippet is rendered into it.
Knowing this now, I believe setting this in the controller’s configmap should work.
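Putting the two pieces together, here is an added example of my own, not the manifests from the post: the env directive placed in main-snippet so that worker processes (and therefore Lua) can see the variable, and a configuration-snippet annotation whose access_by_lua_block reads it, checks the client-certificate verification result, and sets a header for the backend. The ConfigMap name and namespace, the Ingress name, hostname, Secret names and the POD_NAMESPACE variable (which the stock ingress-nginx Deployment injects via the downward API) are assumptions.

```yaml
# Added example (not the post's own manifests). Assumes the controller's
# ConfigMap is ingress-nginx-controller in namespace ingress-nginx and that
# the controller Deployment already exposes POD_NAMESPACE via the downward API.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  # main-snippet is rendered into the main (top-level) context of nginx.conf,
  # the only context where the env directive is allowed. Without it, worker
  # processes inherit nothing but TZ and os.getenv("POD_NAMESPACE") returns nil.
  main-snippet: |
    env POD_NAMESPACE;
  # Snippet annotations on Ingress objects are disabled by default in recent
  # ingress-nginx releases and must be switched on here. Anyone allowed to
  # create an Ingress can then inject arbitrary nginx directives, so keep
  # Ingress creation restricted to trusted teams.
  allow-snippet-annotations: "true"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: critical-app            # hypothetical
  namespace: apps               # hypothetical
  annotations:
    # Client CA bundle (hypothetical Secret) and mandatory client verification.
    nginx.ingress.kubernetes.io/auth-tls-secret: "apps/client-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      access_by_lua_block {
        -- Reject any request whose client certificate did not verify against our CA.
        if ngx.var.ssl_client_verify ~= "SUCCESS" then
          ngx.log(ngx.WARN, "mTLS verification failed: ", tostring(ngx.var.ssl_client_verify))
          return ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        -- Only populated once POD_NAMESPACE is whitelisted by the env directive above.
        local ns = os.getenv("POD_NAMESPACE") or "<unset>"
        ngx.log(ngx.NOTICE, "controller namespace: ", ns,
                " client DN: ", tostring(ngx.var.ssl_client_s_dn))

        -- set_header overwrites any value the client sent, so the backend can
        -- trust X-Client-DN as set by the ingress rather than by the caller.
        ngx.req.set_header("X-Client-DN", ngx.var.ssl_client_s_dn)
      }
spec:
  ingressClassName: nginx
  tls:
    - hosts: [critical.example.internal]
      secretName: critical-app-tls   # hypothetical server certificate Secret
  rules:
    - host: critical.example.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: critical-app
                port:
                  number: 8080
```

Two things to check if the log line still shows nil: the variable must actually exist in the controller container's environment (kubectl exec into the controller and run env), since the env directive only passes through what the master process already has, and the generated nginx.conf inside the pod should contain the env line at the top level, outside the http block.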
After a few restarts, I tested and checked the logs:
My experience with ingress-nginx and Lua has been an intriguing journey, to say the least. It was far from straightforward, requiring careful exploration and troubleshooting along the way. I hope that sharing my experience will save you valuable time when it comes to similar issues.