Support reading Headers values from Secrets

[ivanfoo]

Is your feature request related to a problem?
We need to configure rule conditions based on specific Header values. However, these values can contain sensitive data so we don't want them to end up visible in plain text in the Ingress annotations. Example:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: any-namespace
  name: any-ingress
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/conditions.sensible-headers: >
      [{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "AnySensibleHeader", "values":["AnySensibleValue"]}}]

Describe the solution you'd like
Add support to reading header values from kubernetes Secrets as it's done to configure the clientID and clientSecret when using OIDC authentication.

alb.ingress.kubernetes.io/conditions.sensible-headers: >
  [{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "AnySensibleHeader", "values":["secret://any-secret/any-key"]}}]

Describe alternatives you've considered
Load Header values from AWS Services like ParameterStore or SecretsManager

[shraddhabang]

@ivanfoo Thank you for raising this. But I have a question about it. even if we implement this, you will still be able to see these header values from console/cli. Also, if you are concerned abut the sensitive data in ingress annotation, you could try restricting the ingress access by defining the RBAC values.

[ivanfoo]

@shraddhabang you are right about the values being visible when using the console or CLI. However, my concern is more about how exposed these annotations are.

It's way easier to restrict access to ALB details on AWS with IAM than restricting access to Ingresses resources that contain sensitive data as annotations, as there is not a way to deny access to resources by labels or a similar approach.

Also, these annotations could be easily leaked everywhere: ArgoCD dashboard, cluster backups, alert messages, monitoring tooling...

I'm not saying the solution is perfect, but at least it does not increase the exposed surface...

What do you think? Any chance of consuming headers values from secrets? Also, do you know if native support for sensitive Headers is coming anytime on the ALB side?

Thanks!

[ivanfoo]

Any news regarding this topic?

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[ivanfoo]

/remove-lifecycle stale