aws / containers-roadmap

This is the public roadmap for AWS container services (ECS, ECR, Fargate, and EKS).
https://aws.amazon.com/about-aws/whats-new/containers/

[EKS] [request]: Need External OAUTH Authentication using auth-url and auth-signin annotations in ALB load balancer controller to use an external authentication provider. #1896

Open fauziam opened 1 year ago

fauziam commented 1 year ago

Community Note

Tell us about your request
What do you want us to build?

The customer has 3 microservices running in an EKS cluster. They want to authenticate the services with a JWT token using their own authentication mechanism, "user-services/authenticate". They want a feature in the ALB Ingress controller similar to the nginx-ingress controller annotations, to authenticate EKS services via their custom authentication provider.

    metadata:
      name: application
      annotations:
        nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
        nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    ...

https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/

Currently, the ALB ingress controller offers authentication with Cognito and OIDC only. Due to this limitation, the customer wants to shift to the nginx ingress controller.

The customer's EKS cluster Kubernetes version is 1.22. Starting with Amazon EKS 1.22, Amazon EKS is decoupling AWS cloud-specific control logic from core control plane code to the out-of-tree AWS Kubernetes Cloud Controller Manager. The AWS cloud provider is migrating from in-tree; the in-tree cloud provider code has mostly stopped accepting new features. The in-tree plugins will be removed in a future release of Kubernetes. Due to this shift in the future, the customer will face complications using the nginx ingress controller in the AWS environment.

The end-of-support date for Amazon EKS Kubernetes version 1.22 is May 2023, after which Amazon will not provide patching or security support for version 1.22. To continue getting Amazon EKS support, the customer will need to upgrade the Amazon EKS cluster Kubernetes version to 1.23.

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? What outcome are you trying to achieve, ultimately, and why is it hard/impossible to do right now? What is the impact of not having this problem solved? The more details you can provide, the better we'll be able to understand and solve the problem.

Are you currently working around this issue? How are you currently solving this problem?

Additional context Anything else we should know?

Attachments If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)
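
Added example, not part of the original issue or of any AWS or ingress-nginx code: with the nginx annotations quoted above, the controller forwards each request's headers to the auth-url endpoint as a subrequest, lets the request through on a 2xx reply and sends the client to auth-signin on a 401. The sketch below is the allow/deny decision such an endpoint would make for a JWT. It assumes an HS256 token in a Bearer Authorization header; the secret, function names and claims are constructed, and the customer's actual "user-services/authenticate" contract is not shown on this page.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed sample key, not from the page

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Build a constructed HS256 sample token for exercising auth_status()."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def auth_status(authorization, now=None, key: bytes = SECRET) -> int:
    """Status for one auth subrequest: 200 lets it through, 401 denies."""
    now = time.time() if now is None else now
    if not authorization or not authorization.startswith("Bearer "):
        return 401
    try:
        header_b64, payload_b64, sig_b64 = authorization[7:].split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm; never let the token choose it (rejects "alg": "none").
        if header.get("alg") != "HS256":
            return 401
        signed = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return 401
        claims = json.loads(b64url_decode(payload_b64))
        exp = claims.get("exp")
        # A token without a numeric, unexpired "exp" is rejected.
        if not isinstance(exp, (int, float)) or exp <= now:
            return 401
    except (ValueError, TypeError, AttributeError):
        return 401  # malformed token: fail closed
    return 200
```
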

sabinayakc commented 1 year ago

Any update on this request?

ri-roee commented 3 weeks ago

Bump on this please :) It's a complete blocker for us from using ALB, unfortunately.