🦉
Programming Notes
  • My Programming Notes
  • CKA Exam Preparation
    • Certified Kubernetes Administrator
    • Setup Minikube
    • Network Design Principles
    • Role-Based Access Control (RBAC)
    • Namespace
    • Resource Quota
    • Pod
    • Deployment
    • Deployment: Rollout
    • ConfigMap
    • Service
    • Service: kubectl expose
    • Pod: Resources Management
    • Pod & Container: Quality of Service Class
    • Pod & Container: Probes
    • Limit Range
    • Scaling: Manual
    • Scaling: Horizontal Pod Autoscaler
    • Persistent Volume & Claim
    • Secret
    • Ingress: Routing
    • Ingress: TLS
    • Ingress: Rate Limit
    • Ingress: Basic Auth
    • Ingress: CRD (Custom Resource Definition)
    • Job
    • CronJob
    • Mutli-Node Cluster
  • Golang
    • Generics
    • Context
    • Goroutines and Channels in Go
    • Goroutine: Concurrency vs Parallelism
    • Goroutine: Performance & Tradeoffs
    • JSON: omitzero
  • Rust
    • Arrays & Slices
    • Closures
    • Generics & Traits
    • Iterators
    • Run Code Simultaneously
    • String vs &str
    • Tests
    • Rustlings Exercises
      • Variables
      • Functions
      • If
      • Primitive Types
      • Vectors
      • Move Semantics
      • Structs
      • Enums and Matching Pattern
      • Strings
      • Modules
      • Hashmaps
      • Options
      • Error Handling
      • Generics
      • Traits
      • Lifetimes
      • Tests
      • Iterators
      • Smart Pointers
      • Threads
      • Macros
      • Quiz 1
      • Quiz 2
      • Quiz 3
  • Software Engineering
    • CAP Theorem
    • Circuit Breaker
    • Decoupling
    • GraphQL: Query Caching
    • HMAC Signature
    • Idempotency
    • Monolith VS Microservice
    • OWASP Top 10 2021
    • PCI DSS
    • PostgreSQL: Partitioning
    • PostgreSQL: Replication
    • Protobuf & gRPC
    • Redis: Streams
    • Resource Scaling
    • Signed URL
    • SOLID
    • Stack VS Heap
    • Stateful VS Stateless
  • Site Reliability Engineering
    • Chaos Engineering
    • Distributed Tracing
    • Kubernetes (k8s)
    • SLA, SLO, and SLI Metrics
    • Site Reliability Engineer
  • Others
    • FFMPEG Cheat sheet
Powered by GitBook
On this page
  • Create Basic Auth Secret
  • Configure Ingress
  • References
  1. CKA Exam Preparation

Ingress: Basic Auth

We can secure our ingres setup by adding basic auth.

Create Basic Auth Secret

First we need to create basic auth file using htpasswd. It will ask for a password and confirmation password, then write the credential to file auth.

➜ htpasswd -c auth admin
New password: 
Re-type new password: 
Adding password for user admin

Then we create a secret to store the basic auth credential. This command below will read the auth file and create a secret named ingress-auth.

➜ kubectl create secret generic basic-auth --from-file=auth
secret/basic-auth created

We can see and validate the secret we just create using this command below.

➜ kubectl get secret ingress-auth -o yaml

That will output a yaml format for our ingress-auth secret.

apiVersion: v1
data:
  auth: YWRtaW46JGFwcjEkNXo0b1kvY2wkSEVlRFhaam1jSWkvSkF1V0o1L25BMQo=
kind: Secret
metadata:
  creationTimestamp: "2025-02-02T09:36:06Z"
  name: ingress-auth
  namespace: default
  resourceVersion: "933788"
  uid: 09bf23ec-625a-434b-b39a-4dc528a57b2b
type: Opaque

Configure Ingress

Now with the secret ready we need to configure our ingress. Add this annotations below.

nginx.ingress.kubernetes.io/auth-type: "basic"
nginx.ingress.kubernetes.io/auth-secret: "ingress-auth"
nginx.ingress.kubernetes.io/auth-realm: "Restricted Area"

nginx.ingress.kubernetes.io/auth-type: type of authentication, either basic or digest.

nginx.ingress.kubernetes.io/auth-secret: the name of secret object that contains username and password that we just created. This annotations also support secret reference in other namespace "namespace/secret_name".

nginx.ingress.kubernetes.io/auth-realm: message to display with an appropriate context why the authentication is required.

Lets apply the changes and test using curl. First test without any username password.

curl --resolve "simple-go.mine:443:127.0.0.1" -i -k https://simple-go.mine
HTTP/2 401 
date: Sun, 02 Feb 2025 09:52:43 GMT
content-type: text/html
content-length: 172
www-authenticate: Basic realm="Restricted Area"

<html>
<head><title>401 Authorization Required</title></head>
<body>
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx</center>
</body>
</html>

We got error 401 Authorization Required for any request without basic auth credentials. We can also see the realm message in the response header.

Next lets test with added basic auth using -u admin. The curl command will ask for password, put the correct password and we should see the ok response.

curl --resolve "simple-go.mine:443:127.0.0.1" -i -k -u admin https://simple-go.mine
Enter host password for user 'admin':
HTTP/2 200 
date: Sun, 02 Feb 2025 09:53:06 GMT
content-type: text/plain; charset=utf-8
content-length: 65

[{"id":1,"content":"Hello!"},{"id":2,"content":"Good Morning!"}]

You can try what happened if you put wrong password.

References

PreviousIngress: Rate LimitNextIngress: CRD (Custom Resource Definition)

Last updated 1 month ago

https://kubernetes.github.io/ingress-nginx/examples/auth/basic/
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#authentication
https://httpd.apache.org/docs/2.4/programs/htpasswd.html