Sentry relay - regex issue in ingress

[jsenzier-oxeva]

Hi,

We installed sentry chart (https://github.com/sentry-kubernetes/charts/tree/develop/sentry) on Friday and we discovered some issues about relay and sentry ingress. We disabled nginx and use our ingress controller to forward events to relay which push them in sentry-web.

On this yaml ingress config file :
https://github.com/sentry-kubernetes/charts/blob/develop/sentry/templates/ingress.yaml

  rules:
    - host: {{ .Values.ingress.hostname }}
      http:
        paths:
    {{- if .Values.nginx.enabled }}
          - path: {{ default "/" .Values.ingress.path | quote }}
            backend:
              serviceName: {{ template "sentry.fullname" . }}-nginx
              servicePort: {{ .Values.nginx.service.port }}
    {{- else }}
          - path: {{ default "/" .Values.ingress.path }}api/store
            backend:
              serviceName: {{ template "sentry.fullname" . }}-relay
              servicePort: {{ template "relay.port" . }}
          - path: {{ default "/" .Values.ingress.path }}api/[1-9][0-9]*/(.*)
            backend:
              serviceName: {{ template "sentry.fullname" . }}-relay
              servicePort: {{ template "relay.port" . }}
          - path: {{ default "/" .Values.ingress.path | quote }}
            backend:
              serviceName: {{ template "sentry.fullname" . }}-web
              servicePort: {{ .Values.service.externalPort }}
    {{- end }}

As nginx is disabled, second block is used, and we have something like this (interpreted) :

 - backend:
    serviceName: sentry-relay
    servicePort: 3000
    path: /api/[1-9][0-9]*/(.*)

but this regex never matches, and queries get redirected to sentry-web, which produces a 403 error :

10.233.91.201 - - [21/Sep/2020:08:47:06 +0000] "POST /api/3/store/ HTTP/1.1" 403 5459 "-" "sentry.php.symfony/3.5.2"

The full error is :

0:00:56 [WARNING] django.security.csrf: Forbidden (Referer checking failed - no Referer.): /api/3/store/ (status_code=403 request=<WSGIRequest: POST u'/api/3/store/'>)

Rewriting the path like this make it work :

path: /api/[0-9][1-9]{1,}/

My configuration :

• k8s version => 1.14.3
• sentry chart version => 5.1.3 (app version 20.8.0)
• nginx ingress version => 1.29.5 (app version 0.27.1)

[jsenzier-oxeva]

We found a solution in the NGINX ingress controller documentation :

https://kubernetes.github.io/ingress-nginx/user-guide/ingress-path-matching/

As explained in the documentation :

The ingress controller supports case insensitive regular expressions in the spec.rules.http.paths.path field. This can be enabled by setting the nginx.ingress.kubernetes.io/use-regex annotation to true (the default is false).

So we just need to add this annotation in ingress section into values.yaml file :

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/use-regex: "true"
    [...]

Then, the nginx configuration is much better :

kubectl exec -it -n kube-system ingress-nginx-controller-5fb4694678-nvgr5 -- cat /etc/nginx/nginx.conf |grep -B5 '"sentry'
                }

                location ~* "^/api/[1-9][0-9]*/" {

                        set $namespace      "kube-system";
                        set $ingress_name   "sentry";
                        set $service_name   "sentry-relay";
--
                }

                location ~* "^/api/store" {

                        set $namespace      "kube-system";
                        set $ingress_name   "sentry";
                        set $service_name   "sentry-relay";
--
                }

                location ~* "^/" {

                        set $namespace      "kube-system";
                        set $ingress_name   "sentry";
                        set $service_name   "sentry-web";

[Mokto]

Thanks for your help (I'm not using Nginx ingress).

Would this #180 be enough to solve your issue ?

[Mokto]

Fixed through 5.2.1