I have 2 services for authentication: one we consider legacy and the other new. Both services are running on EKS; each one has its own EKS cluster and also its own ELB. On both sides we also have an ALB as ingress. Basically what I'm trying to do is keep the same URL for the new and old authentication, and the way to differentiate them is through the Authorization header content: if it starts with "Bearer*" it will be legacy, and if it starts with "Signature*" it will be the new one.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  namespace: ${namespace}
  annotations:
    alb.ingress.kubernetes.io/actions.ssl-redirect: >-
      {"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port":
      "443", "StatusCode": "HTTP_301"}}
    alb.ingress.kubernetes.io/backend-protocol: HTTP
    alb.ingress.kubernetes.io/certificate-arn: ${certificates}
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/success-codes: 200,404
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
    # Condition attached to the gateway-development backend: only requests whose
    # Authorization header matches the pattern reach that service.
    alb.ingress.kubernetes.io/conditions.gateway-development: >
      [{"field":"http-header","httpHeaderConfig":{"httpHeaderName":
      "Authorization", "values":["*Signature*"]}}]
    # Redirect action; every RedirectConfig key (including Query) sits inside
    # the RedirectConfig object.
    alb.ingress.kubernetes.io/actions.redirect-to-legacy: >-
      {"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port":
      "443", "StatusCode": "HTTP_301", "Host": "legacy.mycompany.com",
      "Query": "#{query}"}}
spec:
  ingressClassName: alb
  rules:
    - host: ${my-host}
      http:
        paths:
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: gateway-development
                port:
                  number: 8080
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: redirect-to-legacy
                port:
                  # annotation-backed actions use the port name, not a number
                  name: use-annotation
Basically the trick here is to filter to the new gateway-development only the users that come with the Authorization header filled with "Signature"; the annotation conditions.gateway-development takes care of that. The second part, redirecting to the legacy, does not work. I mean, it works partially, because it does not forward the Authorization header, so all other headers are OK but not the Authorization. That's one approach. Another approach would be to create a rule similar to the existing one:
    alb.ingress.kubernetes.io/conditions.legacy-development: >
      [{"field":"http-header","httpHeaderConfig":{"httpHeaderName":
      "Authorization", "values":["*Bearer*"]}}]
However, to be able to do that I would need to use a Service as a proxy to an external host, and it is not working as expected:
apiVersion: v1
kind: Service
metadata:
  name: legacy-development
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
  type: ExternalName
  sessionAffinity: None
  externalName: legacy.mycompany.com
Basically, the Service is not serving HTTP. I heard that I need to create an endpoint, but I'm not sure if this will solve my problem.
Note: I'm OK following any approach as long as I don't need to create a new deployment for that.
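The Authorization header is the only thing deciding which authentication backend a request reaches, and the client fully controls it, so the match patterns deserve a closer look than the post gives them. The snippet below is an added example, not code from the post or from the AWS Load Balancer Controller: an offline simulator of ALB http-header conditions, assuming the semantics documented by AWS ("*" matches zero or more characters, "?" matches exactly one, the comparison is case-insensitive) and that listener-rule priority follows the order of the paths in the Ingress. The sample Authorization values, rule names and "default-backend" label are constructed for the example. It shows that the posted patterns "*Signature*" and "*Bearer*" match a substring anywhere in the header, so a legacy Bearer token that happens to contain the word "signature" is sent to the new gateway, while the scheme-prefix patterns "Signature *" and "Bearer *" match only what the question actually describes (a header that starts with the scheme name).

```python
from __future__ import annotations

import re
from dataclasses import dataclass


def alb_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an ALB condition string into a regex.
    Assumed ALB semantics (per AWS docs): '*' = zero or more characters,
    '?' = exactly one character, comparison is case-insensitive."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)


def header_condition_matches(value: str, patterns: list[str]) -> bool:
    """An http-header condition is satisfied if ANY of its values matches."""
    return any(alb_pattern_to_regex(p).match(value) for p in patterns)


@dataclass
class Rule:
    target: str        # backend: a Service name or an annotation-defined action
    header: str        # httpHeaderConfig.httpHeaderName
    values: list[str]  # httpHeaderConfig.values


def route(rules: list[Rule], headers: dict[str, str],
          default: str = "default-backend") -> str:
    """Evaluate rules in priority order; the first match wins.
    Header names are compared case-insensitively, as in HTTP."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for rule in rules:
        value = lowered.get(rule.header.lower())
        if value is not None and header_condition_matches(value, rule.values):
            return rule.target
    return default


# Rule order mirrors path order in the Ingress (hypothetical rule sets).
AS_POSTED = [
    Rule("gateway-development", "Authorization", ["*Signature*"]),
    Rule("legacy-development", "Authorization", ["*Bearer*"]),
]
ANCHORED = [
    Rule("gateway-development", "Authorization", ["Signature *"]),
    Rule("legacy-development", "Authorization", ["Bearer *"]),
]

# Constructed sample requests; the tokens are not real credentials.
SAMPLES = {
    "plain bearer": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc"},
    "plain signature": {
        "Authorization": 'Signature keyId="k1",algorithm="hs2019",signature="c2ln"'},
    "bearer token containing the word": {"Authorization": "Bearer xxSIGNATURExx"},
    "signature scheme naming bearer": {
        "Authorization": 'Signature keyId="bearer-key",signature="c2ln"'},
    "no authorization header": {"Content-Type": "application/json"},
}


def routing_table(rules: list[Rule]) -> dict[str, str]:
    """Map every sample request name to the backend the rules would choose."""
    return {name: route(rules, hdrs) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("anchored", ANCHORED)):
        print(f"--- {label} ---")
        for name, target in routing_table(rules).items():
            print(f"{name:36s} -> {target}")
```

Running it prints that "Bearer xxSIGNATURExx" goes to gateway-development under the posted patterns and to legacy-development under the anchored ones; the other samples land in the same place either way, and a request without an Authorization header falls through to whatever the last catch-all path is. Two things to keep in mind when reading the output: the fact that the "Signature" rule is listed first is what keeps a Signature header mentioning "bearer" out of the legacy backend, so precedence is doing part of the work and not just the patterns; and a redirect action, whether 301 or 302, is a response the ALB hands back to the client, so the Authorization header is only re-sent if the client chooses to do so on the new host, which browsers and most HTTP clients do not.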