Basic-Auth: crash on empty secret value #733

@nimasamii

If an Ingress resource with the annotations

```
haproxy.org/auth-secret: <namespace>/<secret-name>
haproxy.org/auth-type: basic-auth
```

is deployed, but the secret contains a key with an empty value, the ingress controller crashes with an index out of range error:

```
panic: runtime error: index out of range [-1]
goroutine 42 [running]:
github.com/haproxytech/kubernetes-ingress/pkg/annotations/ingress.ReqAuthAnn.Process({0xc0046d0330?, {0x27668fc?, 0x419ce5?}}, {{0xc000455500, 0xc000455540, 0xc000455580, 0xc000455600}, {0xc0002dc3f0, 0xc0002dc420}, 0xc0002dc330, ...}, ...)
/src/pkg/annotations/ingress/basicAuth.go:79 +0x719
github.com/haproxytech/kubernetes-ingress/pkg/ingress.(*Ingress).handleAnnotations(, {{0xc000455500, 0xc000455540, 0xc000455580, 0xc000455600}, {0xc0002dc3f0, 0xc0002dc420}, 0xc0002dc330, 0xc0002dc360, 0xc0046aa120, ...}, ...)
/src/pkg/ingress/ingress.go:156 +0x14f
github.com/haproxytech/kubernetes-ingress/pkg/ingress.(*Ingress).Update(, {{0xc000455500, 0xc000455540, 0xc000455580, 0xc000455600}, {0xc0002dc3f0, 0xc0002dc420}, 0xc0002dc330, 0xc0002dc360, 0xc0046aa120, ...}, ...)
/src/pkg/ingress/ingress.go:253 +0x945
github.com/haproxytech/kubernetes-ingress/pkg/controller.(*HAProxyController).updateHAProxy(0xc00013ec08)
/src/pkg/controller/controller.go:159 +0x1165
github.com/haproxytech/kubernetes-ingress/pkg/controller.(*HAProxyController).SyncData(0xc00013ec08)
/src/pkg/controller/monitor.go:38 +0x5b2
github.com/haproxytech/kubernetes-ingress/pkg/controller.(*HAProxyController).Start(0xc00013ec08)
/src/pkg/controller/controller.go:100 +0x208
created by main.main in goroutine 1
/src/main.go:164 +0xe45
Ingress Controller exited with fatal code 2, taking down the S6 supervision tree
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service ingress-controller: stopping
s6-rc: info: service ingress-controller successfully stopped
s6-rc: info: service haproxy: stopping
[NOTICE] (67) : haproxy version is 3.1.5-076df02
[WARNING] (67) : Exiting Master process...
[ALERT] (67) : Current worker (83) exited with code 143 (Terminated)
[WARNING] (67) : All workers exited. Exiting... (0)
s6-rc: info: service haproxy successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service sigusr1: stopping
s6-rc: info: service aux-cfg: stopping
s6-rc: info: service sigusr1 successfully stopped
s6-rc: info: service aux-cfg successfully stopped
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
```

A cursory look at

```go
if pwd[len(pwd)-1] == '\n' {
```

shows the length of pwd is used without checking if it might be empty, leading to the stack trace above.

An empty value is not useful and is almost certainly not correct, but it shouldn't crash the controller.
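The failure mode described in this issue, next to a length-safe alternative, as an added example that is not the controller's own code. `trimUnsafe` repeats the quoted condition with an assumed body (strip one trailing newline); `credentialsFromSecret`, `panics` and the sample secret data are hypothetical and constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
)

// trimUnsafe uses the condition quoted in the issue. With an empty value,
// len(pwd)-1 is -1 and the index expression panics. The body is assumed.
func trimUnsafe(pwd []byte) []byte {
	if pwd[len(pwd)-1] == '\n' {
		pwd = pwd[:len(pwd)-1]
	}
	return pwd
}

// credentialsFromSecret (hypothetical) walks a secret's data map, strips one
// trailing newline without indexing, and skips entries that end up empty so
// that a bad secret is reported instead of taking the process down.
func credentialsFromSecret(data map[string][]byte) (creds map[string][]byte, skipped []string) {
	creds = make(map[string][]byte, len(data))
	for user, pwd := range data {
		pwd = bytes.TrimSuffix(pwd, []byte("\n")) // safe on empty or nil input
		if len(pwd) == 0 {
			skipped = append(skipped, user)
			continue
		}
		creds[user] = pwd
	}
	sort.Strings(skipped) // map iteration order is random; keep output stable
	return creds, skipped
}

// panics reports whether f panicked, so the crash can be shown without dying.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	// Constructed secret data: one valid entry, one empty, one newline-only.
	secret := map[string][]byte{"alice": []byte("$6$examplehash\n"), "bob": {}, "carol": []byte("\n")}
	fmt.Println("unsafe trim panics on empty value:", panics(func() { trimUnsafe(secret["bob"]) }))
	creds, skipped := credentialsFromSecret(secret)
	fmt.Printf("loaded %d credential(s), skipped empty keys: %v\n", len(creds), skipped)
}
```

A value consisting only of a newline is also rejected here, since it is empty once trimmed.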
