No logs or errors for invalid nginx.ingress.kubernetes.io/auth-tls-secret #13479

Open
@cattapan

Description

What happened:
The Ingress had an annotation with a wrong secret name. Example: nginx.ingress.kubernetes.io/auth-tls-secret: wrongNamespace/wrongSecretName
The NGINX pod still reloads successfully, and all traffic errors out with 403, regardless of whether nginx.ingress.kubernetes.io/auth-tls-verify-client is off.
It shows "Backend successfully reloaded" in the log file.

What you expected to happen:

  1. An error log or error Ingress event to be generated, making it clear the secret could not be found/opened, etc.
  2. If auth-tls-verify-client is off, nothing would happen and the secret should be ignored.

NGINX Ingress controller version (exec into the pod and run /nginx-ingress-controller --version):

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.12.1
  Build:         51c2b819690bbf1709b844dbf321a9acf6eda5a7
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.25.5

-------------------------------------------------------------------------------

Kubernetes version

Server Version: v1.31.7-eks

Environment:

  • Cloud provider or hardware configuration: AWS

  • How was the ingress-nginx-controller installed:
    Helm. Chart 4.12.1

  • Current state of ingress object, if applicable:
    These annotations are being used:

nginx.ingress.kubernetes.io/auth-tls-match-cn: <redacted>
nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: true
nginx.ingress.kubernetes.io/auth-tls-secret: wrongNamespace/wrongSecretName
nginx.ingress.kubernetes.io/auth-tls-verify-client: off
nginx.ingress.kubernetes.io/auth-tls-verify-depth: 3
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/ssl-passthrough: false

When running curl, I get a 403 back. If I remove the annotation nginx.ingress.kubernetes.io/auth-tls-secret: wrongNamespace/wrongSecretName, then I get a 200.

How to reproduce this issue:
Add the annotation nginx.ingress.kubernetes.io/auth-tls-secret: wrongNamespace/wrongSecretName to any Ingress.
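A pre-flight check for this class of misconfiguration, added here as an example (it is not ingress-nginx project code and not from the reporter). It walks Ingress objects in the shape `kubectl get ingress -A -o json` returns, resolves each `auth-tls-secret` reference against the set of Secrets in the cluster, and reports references that are malformed or point at a Secret that does not exist, so the silent "successfully reloaded, every request 403" state described above is caught before the Ingress is applied. It assumes a valid reference has the form `<namespace>/<name>`; the sample cluster data at the bottom is constructed.

```python
"""Pre-flight audit for nginx.ingress.kubernetes.io/auth-tls-secret references.

Added example, not ingress-nginx project code. Assumption: a valid reference
has the form "<namespace>/<name>"; anything else is reported as malformed.
"""
import json
from typing import Iterable, List, Set, Tuple

AUTH_TLS_SECRET = "nginx.ingress.kubernetes.io/auth-tls-secret"
AUTH_TLS_VERIFY_CLIENT = "nginx.ingress.kubernetes.io/auth-tls-verify-client"


def parse_secret_ref(value: str) -> Tuple[str, str]:
    """Split a "namespace/name" reference; raise ValueError for any other shape."""
    parts = value.strip().split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"expected <namespace>/<name>, got {value!r}")
    return parts[0], parts[1]


def audit_auth_tls_secrets(ingresses: Iterable[dict],
                           existing_secrets: Set[Tuple[str, str]]) -> List[dict]:
    """Return one finding per Ingress whose auth-tls-secret cannot be resolved.

    existing_secrets is the set of (namespace, name) pairs present in the
    cluster, e.g. built from `kubectl get secrets -A -o json`.
    """
    findings: List[dict] = []
    for ing in ingresses:
        meta = ing.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if AUTH_TLS_SECRET not in annotations:
            continue  # no mTLS configured on this Ingress, nothing to check
        ingress_id = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
        # ingress-nginx documents "on" as the default when the annotation is absent.
        verify_client = annotations.get(AUTH_TLS_VERIFY_CLIENT, "on")
        ref = annotations[AUTH_TLS_SECRET]
        try:
            ns, name = parse_secret_ref(ref)
        except ValueError as exc:
            findings.append({"ingress": ingress_id, "reason": str(exc),
                             "verify_client": verify_client})
            continue
        if (ns, name) not in existing_secrets:
            # The issue reports a reload and blanket 403 even with verify-client
            # off, so the finding is raised regardless of that setting.
            findings.append({"ingress": ingress_id,
                             "reason": f"secret {ns}/{name} not found",
                             "verify_client": verify_client})
    return findings


def secrets_from_kubectl_json(text: str) -> Set[Tuple[str, str]]:
    """Build the (namespace, name) set from `kubectl get secrets -A -o json` output."""
    return {(s["metadata"]["namespace"], s["metadata"]["name"])
            for s in json.loads(text)["items"]}


# --- constructed sample data (not taken from the reporter's cluster) ---------
SAMPLE_SECRETS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "client-ca"}},
]})

SAMPLE_INGRESSES = [
    {"metadata": {"namespace": "default", "name": "good",
                  "annotations": {AUTH_TLS_SECRET: "default/client-ca",
                                  AUTH_TLS_VERIFY_CLIENT: "on"}}},
    {"metadata": {"namespace": "default", "name": "wrong-ref",
                  "annotations": {AUTH_TLS_SECRET: "wrongNamespace/wrongSecretName",
                                  AUTH_TLS_VERIFY_CLIENT: "off"}}},
    {"metadata": {"namespace": "default", "name": "malformed",
                  "annotations": {AUTH_TLS_SECRET: "client-ca"}}},
    {"metadata": {"namespace": "default", "name": "no-mtls", "annotations": {}}},
]


def run_sample() -> List[dict]:
    """Audit the constructed sample; returns findings for wrong-ref and malformed."""
    return audit_auth_tls_secrets(SAMPLE_INGRESSES,
                                  secrets_from_kubectl_json(SAMPLE_SECRETS_JSON))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ingress']}: {f['reason']} (verify-client={f['verify_client']})")
```

Against a real cluster, feed `audit_auth_tls_secrets` the `items` list from `kubectl get ingress -A -o json` and the set from `secrets_from_kubectl_json`; a non-empty result is exactly the condition the controller currently reloads through without logging. Findings carry the `verify-client` value so an operator can see at a glance that the 403 is not explained by client-certificate verification being enabled.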

Labels: kind/bug, needs-priority, needs-triage