bug: admission webhook denies auth-url with comma

What happened: Tried to use nginx.ingress.kubernetes.io/auth-url: with oauth2-proxy and several allowed groups: https://oauth.example/oauth2/auth?allowed_groups=gid1,gid2 after oauth2-proxy documentation in an existing ingress.

This gave the error message:

error: ingresses.networking.k8s.io "tp-ingress-nessus-feature" could not be patched: admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: annotation nginx.ingress.kubernetes.io/auth-url contains invalid value

I get the same error with \ in front of the comma, like so: nginx.ingress.kubernetes.io/auth-url: https://oauth.example/oauth2/auth?allowed_groups=gid1\,gid2

It is not allowed in encoded form either: %2C.

It works without a comma.

I believe you will need to update the validating regex for the auth-url annotation: https://github.com/kubernetes/ingress-nginx/blob/fd7e02b97617d7869f583ff0182a893d5ac61d7f/internal/ingress/annotations/authreq/main.go#L60

The current one only allows :?&= https://github.com/kubernetes/ingress-nginx/blob/fd7e02b97617d7869f583ff0182a893d5ac61d7f/internal/ingress/annotations/parser/validators.go#L47

What you expected to happen: The ingress should have been updated.

NGINX Ingress controller version:

NGINX Ingress controller
  Release: v1.9.4
  Build: 846d2518
  Repository: https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.21.6

Kubernetes version (use kubectl version): Server Version: v1.27.9

How to reproduce this issue: Create an ingress with the nginx.ingress.kubernetes.io/auth-url: annotation, add a comma in a query parameter.

Install minikube/kind

Install the ingress controller

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml

Install an application that will act as default backend (is just an echo app)

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/http-svc.yaml

Create an ingress (please add any additional annotation required)

echo "
  apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    name: foo-bar
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/auth-url: https://oauth.example/oauth2/auth?allowed_groups=g1,g2
  spec:
    ingressClassName: nginx # omit this if you're on controller version below 1.0.0
    rules:
    - host: foo.bar
      http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: http-svc
              port:
                number: 80
" | kubectl apply -f -
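
The following is an added example, not ingress-nginx's code and not part of the original report. It shows why all three forms tried in the report fail under a character allow-list of the kind described (alphanumerics plus `:?&=`): the comma, the backslash and the percent sign each fall outside the set. The character classes and the names `strictURL`, `relaxedURL` and `firstRejected` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed allow-list modelled on the report's description (URL-safe
// alphanumerics plus ":?&="). Assumption: not copied from validators.go.
const baseChars = `a-zA-Z0-9\-\._~/`

var (
	strictURL = regexp.MustCompile(`^[` + baseChars + regexp.QuoteMeta(`:?&=`) + `]*$`)
	// Hypothetical relaxed variant that additionally admits a literal comma.
	relaxedURL = regexp.MustCompile(`^[` + baseChars + regexp.QuoteMeta(`:?&=,`) + `]*$`)
)

// firstRejected returns the first character of v outside the allow-list,
// or "" when the whole value validates.
func firstRejected(re *regexp.Regexp, v string) string {
	if re.MatchString(v) {
		return ""
	}
	for _, r := range v {
		if !re.MatchString(string(r)) {
			return string(r)
		}
	}
	return ""
}

func main() {
	base := "https://oauth.example/oauth2/auth?allowed_groups="
	// Values taken from the report: plain, comma, backslash-comma, %2C.
	for _, q := range []string{"gid1", "gid1,gid2", `gid1\,gid2`, "gid1%2Cgid2"} {
		fmt.Printf("%-12s strict rejects %q, relaxed rejects %q\n",
			q, firstRejected(strictURL, base+q), firstRejected(relaxedURL, base+q))
	}
}
```

Admitting only the literal comma keeps the backslash and percent forms rejected, so the allow-list grows by exactly one character.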