Menu
I am using nginx ingress controller (https://kubernetes.github.io/ingress-nginx/deploy/) on AWS. The backend service (kibana from ECK: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-operator-config.html) uses HTTP basic auth mechanics.
Is there a way to tune nginx so that it appends Authorization: Basic header to every request forwarded to my service so that users won't have to type the password?
This solution did not work for me:
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Authorization: Basic encoded_credentals";
as I am still being prompted for a password.
749
Use Basic Auth with NGINX Ingress by supplying credentials in a Kubernetes secret and setting annotations on your Ingress resources. In a real-world use case, you shouldn’t hardcode credentials into your Kubernetes manifests. Either use Helm or a CI/CD system to safely supply values at the time you apply the resources to your cluster.
The three annotations configure NGINX to require authentication on every request that’s matched by your Ingress resource. The basic authentication type is used with the credentials from the htpasswd secret created earlier. The auth-realm annotation defines the message displayed to users when they’re prompted to enter their credentials.
The NGINX Ingress Controller, provided by F5 (the company that owns NGINX) is not the same thing as the ingress-nginx controller (the ingress provided and maintained by the Kubernetes community).
This example shows how to add authentication in a Ingress rule using a secret that contains a file generated with htpasswd. It's important the file generated is named auth (actually-that the secret has a key data.auth), otherwise the ingress-controller returns a 503.
Here is an ingress rule using a secret that contains a file generated with htpasswd. It's important the file generated is named auth (actually - that the secret has a key data.auth), otherwise the ingress-controller returns a 503.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ingress-with-auth
annotations:
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
rules:
- host: foo.bar.com
http:
paths:
- path: /
backend:
serviceName: http-svc
servicePort: 80
Secret creation
$ htpasswd -c auth foo
New password: <bar>
New password:
Re-type new password:
Adding password for user foo
$ kubectl create secret generic basic-auth --from-file=auth
secret "basic-auth" created
$ kubectl get secret basic-auth -o yaml
apiVersion: v1
data:
auth: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK
kind: Secret
metadata:
name: basic-auth
namespace: default
type: Opaque
Access it using curl and you should get 200 Ok.
$ curl -v http://10.2.29.4/ -H 'Host: foo.bar.com' -u 'foo:bar'
Check this example here
60
Solution:
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_input_headers "Authorization: Basic <based64 user:pass>";
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With