When using Oathkeeper in decision mode with Nginx Ingress in Kubernetes, you're encountering an issue where Oathkeeper returns a 404 status when no rules match, but Nginx Ingress converts this to a 500 error for the client. This happens because Nginx Ingress typically treats a 404 response from an auth service as an error rather than passing it through. To address this, you have a few options: 1. Configure error handling in Oathkeeper: You can customize how Oathkeeper handles errors, including 404 responses, using error handlers. This allows you to control the response format and status code.

yaml    errors:      fallback:        - json      handlers:        json:          enabled: true          config:            verbose: true

2. Configure Nginx Ingress to handle auth errors differently: In your Nginx Ingress configuration, you can add annotations to control how auth errors are handled. Specifically, you might want to set the

auth-error-page

annotation to handle 404 responses appropriately. 3. Use custom error handling in Nginx Ingress: Nginx Ingress allows you to define custom error pages and behaviors for different status codes. The knowledge sources don't provide specific details on configuring Nginx Ingress to pass through 404 status codes from Oathkeeper's decision API. This is more of an Nginx Ingress configuration issue than an Oathkeeper issue. For Oathkeeper's part, you can ensure it returns consistent and well-formatted error responses using the error handlers as described in the [Oathkeeper Error Handlers documentation](https://www.ory.sh/docs/oathkeeper/pipeline/error). If you need specific Nginx Ingress configuration guidance, you might want to consult Nginx Ingress documentation or support resources.

I apologize, but the knowledge sources provided don't contain specific information about configuring Nginx Ingress annotations like

auth-error-page

to handle 404 responses from Oathkeeper. The documentation I have access to focuses primarily on Ory Oathkeeper's error handling configuration, but doesn't cover the specific Nginx Ingress annotations needed to properly handle auth errors from Oathkeeper in decision mode. What I can show you from the knowledge sources is how Oathkeeper handles errors:

yaml errors:   fallback:     - json    handlers:     redirect:       enabled: true       config:         to: <http://127.0.0.1:4455/login>         when:           - error:               - unauthorized               - forbidden             request:               header:                 accept:                   # We don't want this for application/json requests, only browser requests!                   - text/html     json:       enabled: true       config:         verbose: true

As shown in the [Zero Trust with Access Proxy guide](https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-identity-access-proxy#error-handling), this configuration handles errors differently based on the request type. For specific Nginx Ingress annotations to handle auth errors from Oathkeeper, you would need to consult Nginx Ingress documentation as this falls outside the scope of the Ory documentation provided.