9

I am using nginx ingress controller (https://kubernetes.github.io/ingress-nginx/deploy/) on AWS. The backend service (kibana from ECK: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-operator-config.html) uses HTTP basic auth mechanics.

Is there a way to tune nginx so that it appends Authorization: Basic header to every request forwarded to my service so that users won't have to type the password?

This solution did not work for me:

nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "Authorization: Basic encoded_credentals";

as I am still being prompted for a password.

Improve this question
0

2 Answers 2

Reset to default
13

Here is an ingress rule using a secret that contains a file generated with htpasswd. It's important the file generated is named auth (actually - that the secret has a key data.auth), otherwise the ingress-controller returns a 503.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: ingress-with-auth
  annotations:
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /
        backend:
          serviceName: http-svc
          servicePort: 80

Secret creation

$ htpasswd -c auth foo
New password: <bar>
New password:
Re-type new password:
Adding password for user foo
$ kubectl create secret generic basic-auth --from-file=auth
secret "basic-auth" created
$ kubectl get secret basic-auth -o yaml
apiVersion: v1
data:
  auth: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK
kind: Secret
metadata:
  name: basic-auth
  namespace: default
type: Opaque

Access it using curl and you should get 200 Ok.

$ curl -v http://10.2.29.4/ -H 'Host: foo.bar.com' -u 'foo:bar'

Check this example here

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

This adds an authentication layer which is exactly the opposite to what I am trying to accomplish.
Okay maybe I have misunderstood it...if the user is not entering the password from where you want the password to be coming?
7

Solution:

nginx.ingress.kubernetes.io/configuration-snippet: |
    more_set_input_headers "Authorization: Basic <based64 user:pass>";
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.