NGINX Ingress Controller 4.11.5 Not Forwarding Authorization Header Despite Configuration

[mezzinea]

Description
After upgrading from NGINX Ingress Controller 4.7.1 to 4.11.5, Basic Authentication headers are not being forwarded to the backend FastAPI application, despite explicit configuration. The headers work when NGINX auth is disabled.

Current Behavior

• With auth annotations enabled, requests to backend return 401
• $http_authorization appears empty in forwarded requests proxy_set_header Authorization ""; inside nginx.conf file
• Works perfectly when removing NGINX auth annotations

Expected Behavior
NGINX should forward original Authorization header after performing its own authentication.

Reproduction Steps

1. Apply this ingress configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret-type: auth-map
    nginx.ingress.kubernetes.io/auth-realm: Auth Required - ProfilesAPI
    nginx.ingress.kubernetes.io/auth-secret: ns/secret
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header Authorization $http_authorization;
      proxy_pass_header Authorization;

[k8s-ci-robot]

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mezzinea]

Snippet annotations are disabled by default in recent NGINX Ingress Controller versions for security reasons.
Solution : add allow-snippet-annotations: "true" to configMap