Nginx as an authentication proxy for Kubernetes

I am trying to set up nginx as an authentication proxy for Kubernetes. The authentication endpoint returns all of the user's groups in a single comma-separated header (X-Groups=Group1,Group2). But Kubernetes expects each group in a separate header. How can I split this header value on commas and add each value under the same header name?

Here is the nginx server block (this is a self-contained example: it calls a dummy endpoint instead of the k8s API so that I can verify the proxy passes the correct headers):

server {
    listen  80 default_server;
    # dummy upstream: echoes back the headers it received so the proxy can be checked
    location /backend {
        default_type application/json;
        return 200 '{"user": "$http_x_remote_user", "groups": "$http_x_remote_groups"}';
    }
}
server {
    listen  443 ssl default_server;
    location / {
        # subrequest to the auth endpoint; its X-User / X-Groups response headers are captured below
        auth_request /_auth;
        auth_request_set $user $upstream_http_x_user;
        auth_request_set $groups $upstream_http_x_groups;
        proxy_pass http://localhost/backend;
        proxy_set_header X-Remote-User $user;
        proxy_set_header X-Remote-Groups $groups; # instead of this line I want to put some code which iterates over the $groups variable value and adds an X-Remote-Group header for each value
    }
    location /_auth {
        internal;
        proxy_pass http://authentication_endpoint/login; # this returns X-User and X-Groups headers with a 200 status code for successful authentication
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
        proxy_set_header X-Remote-User $ssl_client_s_dn;
    }
    ssl_certificate_key "/certs/server.key";
    ssl_certificate "/certs/server.crt";
    # this is required for verifying the client certificate
    ssl_verify_client       on;
    ssl_client_certificate "/certs/ca.crt";
    ssl_session_timeout  10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
    ssl_prefer_server_ciphers on;
}
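The rewrite the question asks for, shown as an added example that is not part of the original post and is not nginx configuration: a small Go middleware, chosen because Kubernetes (and kube-rbac-proxy) are written in Go and Go's http.Header is exactly how the apiserver reads these headers. The header names X-Remote-Groups (the single joined value from the auth step) and X-Remote-Group (one header per group, what Kubernetes expects) are taken from the question; groupsAsKubernetesSees is my own reading of the apiserver's request-header authenticator (every value of the group header is one group, values are not split on commas), not apiserver code, and the request contents are constructed for the demo.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// splitGroups splits the single joined value produced by the auth endpoint
// ("Group1,Group2") into individual group names. Surrounding whitespace is
// trimmed and empty items (from "a,,b" or a trailing comma) are dropped so
// that no empty group name reaches the upstream.
func splitGroups(joined, sep string) []string {
	var groups []string
	for _, g := range strings.Split(joined, sep) {
		if g = strings.TrimSpace(g); g != "" {
			groups = append(groups, g)
		}
	}
	return groups
}

// groupsAsKubernetesSees models (assumption, see lead-in) how the Kubernetes
// request-header authenticator collects groups: each value of the configured
// header name is one group, empty values are skipped, nothing is split on
// commas. A joined "Group1,Group2" therefore becomes ONE group with that name.
func groupsAsKubernetesSees(h http.Header, headerName string) []string {
	var groups []string
	for _, v := range h.Values(headerName) {
		if v != "" {
			groups = append(groups, v)
		}
	}
	return groups
}

// splitGroupHeader is middleware in front of the upstream. It consumes the
// joined X-Remote-Groups value set by the auth step, removes any
// X-Remote-Group headers the client itself sent (so a caller cannot inject
// groups through the proxy), and emits one X-Remote-Group header per group.
func splitGroupHeader(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		joined := r.Header.Get("X-Remote-Groups")
		r.Header.Del("X-Remote-Groups")
		r.Header.Del("X-Remote-Group")
		for _, g := range splitGroups(joined, ",") {
			r.Header.Add("X-Remote-Group", g)
		}
		next.ServeHTTP(w, r)
	})
}

// runThrough sends a constructed request carrying the joined value (plus
// X-Remote-Group headers injected by a hostile client) through the middleware
// and returns the group list the upstream would derive from what arrives.
func runThrough(joined string, injected []string) []string {
	var seen []string
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = groupsAsKubernetesSees(r.Header, "X-Remote-Group")
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/api/v1/namespaces", nil)
	req.Header.Set("X-Remote-Groups", joined)
	for _, g := range injected {
		req.Header.Add("X-Remote-Group", g)
	}
	splitGroupHeader(upstream).ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	// Without the split the upstream sees a single group literally named
	// "Group1,Group2"; after the middleware it sees two groups and the
	// injected "system:masters" is gone.
	fmt.Println(groupsAsKubernetesSees(http.Header{"X-Remote-Group": {"Group1,Group2"}}, "X-Remote-Group"))
	fmt.Println(runThrough("Group1, Group2", []string{"system:masters"}))
}
```

Two things worth checking in any nginx-based version of this as well: trim and drop empty items, and make sure client-supplied X-Remote-Group headers are cleared. nginx forwards client request headers to the upstream unless a proxy_set_header directive overrides that exact name, so with only `proxy_set_header X-Remote-Groups $groups` in place an X-Remote-Group header sent by the client would pass through untouched.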

Try taking a look at kube-rbac-proxy. It has a couple of options that may be very useful in your case:

$ kube-rbac-proxy -h 
Usage of _output/linux/amd64/kube-rbac-proxy: 
...
--auth-header-groups-field-name string        The name of the field inside an http(2) request header to tell the upstream server about the user's groups (default "x-remote-groups")
--auth-header-groups-field-separator string   The separator string used for concatenating multiple group names in a group header field's value (default "|")  
...

Examples of its usage and YAML manifests can be found here.

Check your ca.crt; you may have a copy/paste error in it. If it is incorrect, nginx will silently ignore your client certificate. With a proper CA it works fine for me with k8s, and passing $ssl_client_s_dn through is enough.
