Add-headers does not seem to work

[ilya-spv]

BUG REPORT

NGINX Ingress controller version:
0.21.0 (installed via helm chart version 1.1.1)

Kubernetes version (use kubectl version):
1.12.6

Environment:

• Azure AKS:

What happened:
I have an nginx ingress controller via helm with add-header config options.

I have one ingress definition that sends traffic to my api service, but the headers are not applied (I do not see headers in the response).

What you expected to happen:

Expect to see all headers that are added via add-header

How to reproduce it (as minimally and precisely as possible):

Create an nginx ingress controller with the following definitions:

ingress controller config map

data:
  add-headers: my-system/custom-headers
  enable-vts-status: "true"
  log-format-upstream: timestamp="$time_local" ...
  proxy-set-headers: my-system/my-ingress-controller-nginx-ingress-custom-headers

my-system/my-ingress-controller-nginx-ingress-custom-headers

data:
  Request-ID: $request_id

my-system/custom-headers

data:
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  X-Content-Type-Options: nosniff
  X-Frame-Options: Deny

Anything else we need to know:

I have checked the nginx.conf file on the pod and that one does indeed include 3 add_header lines, so this part of the config seems to be correct. But it does not result in headers being sent in the response.

Now according to this SO question what can happen is that add_header is being overridden if it is found in the location part of the nginx configuration.

I have located some that could affect it:

1. Option nginx.ingress.kubernetes.io/auth-url seems to add this:
   add_header Set-Cookie $auth_cookie;

2. Default hsts has this:

  if ($scheme = https) {
         more_set_headers   "Strict-Transport-Security: max-age=15724800; includeSubDomains";
  }

3. $redirect_to_https doe seem to affect the outcome as well

So after I removed all this things I got my headers on a plain HTTP request but HTTPS request still did not return the headers, so there is something that is still overriding this setting.

I think add-header options should work regardless of all this all the time (or at least document the limitations, though it's best that it works).

I am not quite sure how this can be achieved, I am not an nginx expert, but perhaps duplicating add-header under all locations in the appropriate place rather than putting it on top can do the trick.

P.S. I have just updated to the latest helm (with nginx-ingress 0.25.0 and there is still same issue there).