Can't get HTTP basic auth with Google Kubernetes Engine Nginx ingress controller

7/27/2018

According to the Kubernetes docs, the Nginx Ingress Controller supports adding basic authentication. The required Ingress annotations that I'm setting are:

    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: namespace/secret
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"

My ingress controller image is: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11

I cannot find any logs from the ingress controller that would indicate errors, but basic auth is not present. In case it matters, I am using cert-manager to provision Let's Encrypt TLS certificates, which is working nicely.

-- mwcoop17
authentication
docker
kubernetes
nginx

2 Answers

7/30/2018

You can find full articles here or here.

To configure basic authentication on Nginx Ingress there are two things that should be in place:
(I assume you already have ingress controller running on your cluster)

  1. A Secret with a name and content of username/passwords in base64 encoded line should exist: (In this example, the name “basic-auth” is used as a name of the Secret but you can choose any valid name you want.)

    $ htpasswd -c auth foo
    New password: <bar>
    New password:
    Re-type new password:
    Adding password for user foo
    
    $ kubectl create secret generic basic-auth --from-file=auth
    secret "basic-auth" created
    
    $ kubectl get secret basic-auth -o yaml
    apiVersion: v1
    data:
      auth: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK
    kind: Secret
    metadata:
      name: basic-auth
      namespace: default
    type: Opaque
  2. An Ingress object should exist in the same namespace with the Secret:
    (here we use a default namespace for Ingress and Secret )

    echo "
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: ingress-with-auth
      annotations:
        # type of authentication
        nginx.ingress.kubernetes.io/auth-type: basic
        # name of the secret that contains the user/password definitions
        nginx.ingress.kubernetes.io/auth-secret: basic-auth
        # message to display with an appropriate context why the authentication is required
        nginx.ingress.kubernetes.io/auth-realm: \"Authentication Required - foo\"
    spec:
      rules:
      - host: foo.bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: <your_backend_service_name>
              servicePort: <your_backend_service_port>
    " | kubectl create -f -

To verify your configuration, check the replies to a GET request with and without authentication:
(30xxx - get the port number from the output of the command `kubectl get svc --all-namespaces | grep ingress-nginx | grep NodePort`)

    $ curl -v http://cluster.node.ip.address:30xxx/ -H 'Host: foo.bar.com'
    ...
    < HTTP/1.1 401 Unauthorized
    ...

    $ curl -v http://cluster.node.ip.address:30xxx/ -H 'Host: foo.bar.com' -u 'foo:bar'
    ...
    < HTTP/1.1 200 OK
    ...

If this works fine, you can add SSL or TLS configuration to your Ingress object then.

-- VAS
Source: StackOverflow

7/27/2018

You are using the wrong controller/annotations. These annotations are for https://github.com/kubernetes/ingress-nginx which has this official image

You have examples of how to deploy the controller here

If you want to use gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11, the annotations are:

    ingress.kubernetes.io/auth-type: basic
    ingress.kubernetes.io/auth-secret: basic-auth
    ingress.kubernetes.io/auth-realm: "Authentication Required"

-- Camil
Source: StackOverflow
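
Both answers describe a failure that produces no log line: annotations under a prefix the running controller does not read, or a Secret without a usable `auth` entry, leave the backend reachable with no credentials. The check below is an added example, not code from either answer; the function name, the controller labels `legacy` and `ingress-nginx`, and the sample Ingress dict are assumptions made here, and the objects are the shape returned by `kubectl get ... -o json`.

```python
import base64
import re

# Annotation prefix each controller reads, per the answers above.
PREFIXES = {
    "legacy": "ingress.kubernetes.io/",  # the 0.9.0-beta.11 image in the question
    "ingress-nginx": "nginx.ingress.kubernetes.io/",  # kubernetes/ingress-nginx
}
HTPASSWD_LINE = re.compile(r"^[^:\s]+:\S+$")  # user:hash, one entry per line

# Constructed sample objects: Secret data from the answer, annotations from the question.
SECRET = {"metadata": {"name": "basic-auth", "namespace": "default"},
          "data": {"auth": "Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK"}}
INGRESS = {"metadata": {"name": "ingress-with-auth", "namespace": "default", "annotations": {
    "nginx.ingress.kubernetes.io/auth-type": "basic",
    "nginx.ingress.kubernetes.io/auth-secret": "basic-auth"}}}


def check_basic_auth(ingress, secret, controller):
    """Return the problems that would leave this Ingress without basic auth."""
    problems = []
    prefix = PREFIXES[controller]
    meta = ingress.get("metadata", {})
    ann = meta.get("annotations", {})
    for key in ("auth-type", "auth-secret"):
        if prefix + key in ann:
            continue
        stray = [p for p in PREFIXES.values() if p != prefix and p + key in ann]
        hint = " (set under %s, which this controller does not read)" % stray[0] if stray else ""
        problems.append("missing %s%s%s" % (prefix, key, hint))
    # auth-secret is 'name' or 'namespace/name'; default to the Ingress namespace.
    ref = ann.get(prefix + "auth-secret", "")
    ns, _, name = ref.rpartition("/")
    ns = ns or meta.get("namespace", "default")
    smeta = secret.get("metadata", {})
    if ref and (name, ns) != (smeta.get("name"), smeta.get("namespace", "default")):
        problems.append("auth-secret %r does not match the supplied Secret" % ref)
    raw = secret.get("data", {}).get("auth")  # key created by --from-file=auth
    if raw is None:
        problems.append("Secret has no 'auth' key")
    else:
        lines = base64.b64decode(raw).decode().splitlines()
        if not lines or not all(HTPASSWD_LINE.match(l) for l in lines):
            problems.append("'auth' is not htpasswd user:hash lines")
    return problems


if __name__ == "__main__":
    print({c: check_basic_auth(INGRESS, SECRET, c) for c in PREFIXES})
```

An empty list means the manifest side is consistent; the `curl` check for `401 Unauthorized` in the first answer remains the test of what the controller actually enforces.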