{"id":352204,"date":"2021-10-13T14:44:04","date_gmt":"2021-10-13T11:44:04","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-add-http-basic-authentication-to-a-kubernetes-nginx-ingress-cloudsavvy-it\/"},"modified":"2021-10-13T14:44:04","modified_gmt":"2021-10-13T11:44:04","slug":"how-to-add-http-basic-authentication-to-a-kubernetes-nginx-ingress-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-add-http-basic-authentication-to-a-kubernetes-nginx-ingress-cloudsavvy-it\/","title":{"rendered":"#How to Add HTTP Basic Authentication to a Kubernetes NGINX Ingress \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Add HTTP Basic Authentication to a Kubernetes NGINX Ingress \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<figure style=\"width: 1200px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage size-full wp-image-14259\" srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/51f36739.jpg?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/51f36739.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/51f36739.jpg?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Photo of the Kubernetes logo showing on a smartphone\" width=\"1200\" height=\"675\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/konskie-poland-december-21-2019-kubernetes-1609677781\">Piotr Swat\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>NGINX Ingress is a popular Kubernetes ingress controller for routing traffic into your cluster. A standard Ingress resource lets you map HTTP requests to your Kubernetes services. Here\u2019s how to protect your routes with HTTP Basic Authentication.<\/p>\n<h2 id=\"creating-an-htpasswd-file\"><span class=\"ez-toc-section\" id=\"Creating_an_HTPasswd_file\"><\/span>Creating an HTPasswd file<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Make sure you\u2019ve got an <code>htpasswd<\/code> file available before you tackle the Kubernetes configuration. You can create a new single user <code>htpasswd<\/code> in your terminal:<\/p>\n<pre>apt install apache2-utils\nhtpasswd -c auth example-user<\/pre>\n<p>You\u2019ll be prompted to enter the password. 
A new file called <code>auth<\/code> will be created in your working directory.<\/p>\n<p>Next you need to base64-encode your credentials string so it can be used as a value in a Kubernetes secret:<\/p>\n<pre>cat auth | base64<\/pre>\n<p>Copy the base64-encoded string to your clipboard. We\u2019ll use it in the next section to create a Kubernetes secret containing your credentials.<\/p>\n<h2 id=\"adding-a-kubernetes-secret\"><span class=\"ez-toc-section\" id=\"Adding_a_Kubernetes_Secret\"><\/span>Adding a Kubernetes Secret<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>NGINX Ingress references <code>htpasswd<\/code> files as Kubernetes secrets. The file\u2019s content must be stored in the <code>auth<\/code> key of an <code>Opaque<\/code> secret. Kubernetes also has a built-in <code>basic-auth<\/code> secret type but this isn\u2019t suitable for NGINX Ingress.<\/p>\n<p>Create a new secret manifest and apply it to your cluster with Kubectl:<\/p>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><span class=\"co3\">apiVersion<\/span><span class=\"sy2\">: <\/span>v1<span class=\"co3\">\nkind<\/span><span class=\"sy2\">: <\/span>Secret<span class=\"co3\">\ntype<\/span><span class=\"sy2\">: <\/span>Opaque<span class=\"co4\">\nmetadata<\/span>:<span class=\"co3\">\n  name<\/span><span class=\"sy2\">: <\/span>htpasswd<span class=\"co4\">\ndata<\/span>:<span class=\"co3\">\n  auth<\/span><span class=\"sy2\">: <\/span>&lt;base64-encoded htpasswd 
file&gt;<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Add your base64-encoded <code>htpasswd<\/code> file as the value of the <code>auth<\/code> key.<\/p>\n<h2 id=\"modifying-your-ingress\"><span class=\"ez-toc-section\" id=\"Modifying_Your_Ingress\"><\/span>Modifying Your Ingress<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>NGINX Ingress supports several custom annotations that let you attach extra behavior to your Ingress resources. To use HTTP Basic Authentication you need to set the <code>auth-type<\/code> annotation and supply a reference to your secret.<\/p>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><span class=\"co3\">apiVersion<\/span><span class=\"sy2\">: <\/span>networking.k8s.io\/v1beta1<span class=\"co3\">\nkind<\/span><span class=\"sy2\">: <\/span>Ingress<span class=\"co4\">\nmetadata<\/span>:<span class=\"co3\">\n  name<\/span><span class=\"sy2\">: <\/span>example-ingress<span class=\"co4\">\n  annotations<\/span>:<span class=\"co3\">\n    nginx.ingress.kubernetes.io\/auth-type<\/span><span class=\"sy2\">: <\/span>basic<span class=\"co3\">\n    nginx.ingress.kubernetes.io\/auth-secret<\/span><span class=\"sy2\">: <\/span>htpasswd<span class=\"co3\">\n    nginx.ingress.kubernetes.io\/auth-realm<\/span><span class=\"sy2\">: <\/span><span class=\"st0\">\"Enter your credentials\"<\/span><span class=\"co4\">\nspec<\/span>:<span class=\"co4\">\n  rules<\/span>:<span class=\"co3\">\n    - host<\/span><span class=\"sy2\">: <\/span>example.com<span class=\"co4\">\n      http<\/span>:<span class=\"co4\">\n        paths<\/span>:<span class=\"co3\">\n         - path<\/span><span class=\"sy2\">: <\/span>\/<span class=\"co4\">\n           backend<\/span>:<span class=\"co3\">\n            
serviceName<\/span><span class=\"sy2\">: <\/span>example-service<span class=\"co3\">\n            servicePort<\/span><span class=\"sy2\">: <\/span>80<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>The three annotations configure NGINX to require authentication on every request that\u2019s matched by your Ingress resource. The <code>basic<\/code> authentication type is used with the credentials from the <code>htpasswd<\/code> secret created earlier. The <code>auth-realm<\/code> annotation defines the message displayed to users when they\u2019re prompted to enter their credentials.<\/p>\n<p>Requests matched by this Ingress will now require the user to log in before they continue. The authentication challenge displays as a popup dialog in most web browsers. Enter the username and password supplied to the <code>htpasswd<\/code> command to authenticate yourself.<\/p>\n<h2 id=\"alternative-secret-form\"><span class=\"ez-toc-section\" id=\"Alternative_Secret_Form\"><\/span>Alternative Secret Form<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The secret shown above uses the <code>auth-file<\/code> format. This means it\u2019s got an <code>auth<\/code> field containing base64-encoded output from the <code>htpasswd<\/code> command.<\/p>\n<p>NGINX Ingress also supports another form termed <code>auth-map<\/code>. 
In this variation, the <code>auth<\/code> field is replaced by a set of keys that each provide the password for an individual user.<\/p>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"yaml\">\n<pre class=\"de1\"><span class=\"co3\">apiVersion<\/span><span class=\"sy2\">: <\/span>v1<span class=\"co3\">\nkind<\/span><span class=\"sy2\">: <\/span>Secret<span class=\"co3\">\ntype<\/span><span class=\"sy2\">: <\/span>Opaque<span class=\"co4\">\nmetadata<\/span>:<span class=\"co3\">\n  name<\/span><span class=\"sy2\">: <\/span>htpasswd<span class=\"co4\">\ndata<\/span>:<span class=\"co3\">\n  user1<\/span><span class=\"sy2\">: <\/span>&lt;base64-encoded password hash from htpasswd&gt;<span class=\"co3\">\n  user2<\/span><span class=\"sy2\">: <\/span>&lt;base64-encoded password hash from htpasswd&gt;<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>Add your usernames to the file, then use <code>htpasswd<\/code> to generate hashed credentials. Inspect the <code>htpasswd<\/code> output; it will have the following format:<\/p>\n<pre>username:&lt;hashed password&gt;<\/pre>\n<p>Take the password part, encode it with the <code>base64<\/code> command, then add the result to your Kubernetes secret.<\/p>\n<p>NGINX will accept logins from any valid username and password combination defined in the secret. This approach can make it easier to set up multiple user accounts and helps you see exactly who\u2019s got access.<\/p>\n<h2 id=\"more-advanced-auth\"><span class=\"ez-toc-section\" id=\"More_Advanced_Auth\"><\/span>More Advanced Auth<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>NGINX Ingress can integrate with external authentication providers if you need more control but want a similarly straightforward setup experience. 
Using an external auth provider will redirect users to that site before they can access the Service behind your Ingress. This lets you enforce a full authentication routine without touching your backend code.<\/p>\n<p>The <code>nginx.ingress.kubernetes.io\/auth-url<\/code> annotation defines the URL of an external authentication service to use. Kubernetes will forward each incoming request to the service. Access will only be granted to the user when the service returns a <code>200 OK<\/code> status code. The normal flow then continues with the request proceeding into your Kubernetes Service.<\/p>\n<p>When the auth service indicates an error, users will be redirected to the page indicated by the <code>nginx.ingress.kubernetes.io\/auth-signin<\/code> URL. This will receive the original URL to redirect <em>back<\/em> to after a successful authentication attempt as a URL parameter defined with the <code>auth-signin-redirect-param<\/code> annotation.<\/p>\n<p>Several <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/kubernetes.github.io\/ingress-nginx\/user-guide\/nginx-configuration\/annotations\/#external-authentication\">other annotations<\/a> let you tweak NGINX\u2019s behavior when communicating with the authentication platform. You can change the HTTP method used to make authentication requests, add additional headers, and set up caching for auth responses. The latter ensures you\u2019re not continually hitting the external platform if a user makes several requests to your service in a short period of time.<\/p>\n<h2 id=\"summary\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>HTTP Basic Authentication is the simplest way of protecting a website. 
It\u2019s ideal for internal systems and staging sites where you\u2019re working with a small list of users and don\u2019t need centralized credential management.<\/p>\n<p>Use Basic Auth with NGINX Ingress by supplying credentials in a Kubernetes secret and setting annotations on your Ingress resources. In a real-world use case, you shouldn\u2019t hardcode credentials into your Kubernetes manifests. Either use Helm or a CI\/CD system to safely supply values at the time you apply the resources to your cluster.\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/14258\/how-to-add-http-basic-authentication-to-a-kubernetes-nginx-ingress\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Add HTTP Basic Authentication to a Kubernetes NGINX Ingress \u2013 CloudSavvy IT&#8221; 
Piotr Swat\/Shutterstock.com NGINX Ingress is a popular Kubernetes ingress controller for routing traffic into your cluster. A standard Ingress resource lets you map HTTP requests to your Kubernetes services. Here\u2019s how to protect your routes with HTTP Basic Authentication. Creating an&#8230;<\/p>\n","protected":false},"author":1,"featured_media":352205,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/09\/51f36739.jpg","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-352204","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/352204","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=352204"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/352204\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/352205"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=352204"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=352204"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=352204"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}