Reputation: 419
I am running an app in a kubernetes service on Azure and have had it set up with an NGINX ingress controller and a public IP address with a FQDN. This was all working fine.
I then wanted to add security through using the oauth2-proxy for third party sign-in. I would like to keep my setup to one ingress-controller and one oauth2_proxy per namespace, with multiple apps running together. As Azure does not support the use of sub-domains for this I have been using paths to route to the correct app. I've seen examples, like this, on how to use one oauth2_proxy for multiple sub-domains but is it possible to get it working with multiple paths instead?
Setup
This is the current working setup with only one app, located on root /. I would like to switch to an app-specific path and the ability to run multiple apps on different paths, e.g. /my-app, /another-app etc.
oauth2-proxy-config.yaml
    config:
      existingSecret: oauth2-proxy-creds
    extraArgs:
      whitelist-domain: my-fqdn.uksouth.cloudapp.azure.com
      cookie-domain: my-fqdn.uksouth.cloudapp.azure.com
      email-domain: example.com
      provider: github
    ingress:
      enabled: true
      path: /oauth2
      hosts:
        - my-fqdn.uksouth.cloudapp.azure.com
      annotations:
        kubernetes.io/ingress.class: nginx
        cert-manager.io/cluster-issuer: letsencrypt-prod # cert-manager cluster issuer set up for Let's Encrypt
      tls:
        - secretName: my-fqdn-tls # TLS generated by letsencrypt-prod
          hosts:
            - my-fqdn.uksouth.cloudapp.azure.com
This is installed with the following helm command:

    helm upgrade oauth2-proxy --install stable/oauth2-proxy --namespace $NAMESPACE --reuse-values --values oauth2-proxy-config.yaml
app-ingress.yaml
    apiVersion: networking.k8s.io/v1beta1 # for versions before 1.14 use extensions/v1beta1
    kind: Ingress
    metadata:
      name: nginx-ingress
      annotations:
        kubernetes.io/ingress.class: nginx
        cert-manager.io/cluster-issuer: letsencrypt-prod
        # nginx.ingress.kubernetes.io/rewrite-target: /$2 # Not working with the /oauth2 path and not needed when using root path for the app
        nginx.ingress.kubernetes.io/auth-url: "https://my-fqdn.uksouth.cloudapp.azure.com/oauth2/auth"
        nginx.ingress.kubernetes.io/auth-signin: "https://my-fqdn.uksouth.cloudapp.azure.com/oauth2/start?rd=https%3A%2F%2F$host$request_uri"
    spec:
      tls:
        - secretName: my-fqdn-tls
          hosts:
            - my-fqdn.uksouth.cloudapp.azure.com
      rules:
        - host: my-fqdn.uksouth.cloudapp.azure.com
          http:
            paths:
              - path: / # I would like to be able to use something like '/path1(/|$)(.*)' instead of root.
                backend:
                  serviceName: my-app
                  servicePort: 80
Upvotes: 3
Views: 2945
Reputation: 6587
Sure, it's doable with multiple ingress paths inside a single Ingress resource definition. Please check this working example:
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      labels:
        app: hello-worlds
      name: hello-wrolds
      annotations:
        cert-manager.io/issuer: selfsigned-issuer
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/auth-signin: "https://my-fqdn.uksouth.cloudapp.azure.com/oauth2/start?rd=$escaped_request_uri"
        nginx.ingress.kubernetes.io/auth-url: "https://my-fqdn.uksouth.cloudapp.azure.com/oauth2/auth"
        nginx.ingress.kubernetes.io/rewrite-target: /$1
    spec:
      rules:
        - host: my-fqdn.uksouth.cloudapp.azure.com
          http:
            paths:
              - path: /my-app/(.*)
                backend:
                  serviceName: my-app
                  servicePort: 5000
              - path: /another-app/(.*)
                backend:
                  serviceName: another-app
                  servicePort: 5000
      tls:
        - hosts:
            - my-fqdn.uksouth.cloudapp.azure.com
          secretName: certmgr-selfsign-tls-requires-ouath
In my case, for both backends the app root folder is '/hello', so the requested URLs are, respectively:
https://my-fqdn.uksouth.cloudapp.azure.com/my-app/hello
https://my-fqdn.uksouth.cloudapp.azure.com/another-app/hello
Upvotes: 3
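
An added example, not part of the answer above or of ingress-nginx: a simplified Python model of how the answer's path regexes and rewrite-target map requests to backends, plus a check that the Ingress carries both oauth2-proxy annotations pointing at the proxy host. The dictionary layout, the function names and the first-match routing are assumptions made for illustration; the sample input is constructed from the answer's manifest.

```python
import re
from urllib.parse import urlparse

NGINX = "nginx.ingress.kubernetes.io/"
HOST = "my-fqdn.uksouth.cloudapp.azure.com"

# Constructed input: the answer's Ingress, reduced to the fields read below.
INGRESS = {
    "annotations": {
        NGINX + "auth-url": f"https://{HOST}/oauth2/auth",
        NGINX + "auth-signin": f"https://{HOST}/oauth2/start?rd=$escaped_request_uri",
        NGINX + "rewrite-target": "/$1",
    },
    "paths": [("/my-app/(.*)", "my-app"), ("/another-app/(.*)", "another-app")],
}

def audit(ingress, proxy_host=HOST):
    """Return findings for an Ingress that should sit behind oauth2-proxy."""
    ann, findings = ingress["annotations"], []
    for key in ("auth-url", "auth-signin"):
        url = urlparse(ann.get(NGINX + key, ""))
        if not url.netloc:
            findings.append(f"{key} missing: paths are served without sign-in")
        elif url.scheme != "https" or url.netloc != proxy_host:
            findings.append(f"{key} does not point at https://{proxy_host}")
    used = [int(n) for n in re.findall(r"\$(\d)", ann.get(NGINX + "rewrite-target", ""))]
    for path, _ in ingress["paths"]:
        if used and re.compile(path).groups < max(used):
            findings.append(f"{path}: rewrite-target uses a group the path lacks")
    return findings

def route(ingress, request_path):
    """Simplified model: first path regex that matches, then apply rewrite-target."""
    target = ingress["annotations"].get(NGINX + "rewrite-target")
    for path, service in ingress["paths"]:
        m = re.match(path, request_path, re.IGNORECASE)
        if m:
            if target is None:
                return service, request_path
            fill = lambda g: m.group(int(g.group(1))) or ""
            return service, re.sub(r"\$(\d)", fill, target)
    return None  # no rule matched; the controller's default backend answers
```

In this model a request for `/my-app` with no trailing slash matches neither rule, which is the case the question's `/path1(/|$)(.*)` form with `/$2` covers.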