Basic authentication for elasticsearch pod running in kubernetes cluster

3/10/2019

We need to create basic (username/password) authentication for elasticsearch and kibana oss (Apache license) running in our kubernetes clusters. We have multi-cloud installations in AWS (EKS), Google cloud (GKE), on-premise installations and we plan to use Azure.

I am thinking about an nginx reverse proxy with basic authentication running as a sidecar container in each elasticsearch/kibana pod. This will be a simple and known solution.

The question is: What is the right solution in a k8s cluster? What can we take from an infinite number of solutions for easy maintenance?

-- ozlevka
docker
elasticsearch
kibana
kubernetes
nginx

1 Answer

3/11/2019

Well, if you are using the nginx ingress controller, you can add basic auth like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kibana
  namespace: kibana
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: my-secret-basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - kibana-admin'
  ...
  ...

The my-secret-basic-auth has to be created with htpasswd:

$ htpasswd -c auth foo
New password: <bar>
New password:
Re-type new password:
Adding password for user foo

Then you need to create the secret:

$ kubectl create secret generic my-secret-basic-auth --from-file=auth
secret "my-secret-basic-auth" created

That's simple and easy to maintain, but you will be attached to the nginx ingress controller forever.

-- Victor Godoy
Source: StackOverflow
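
A pre-deployment check for the Ingress and Secret pair from the answer above, added here as an example (it is not part of the original answer or of ingress-nginx). It assumes the manifests are loaded as dicts, for instance from `kubectl get ... -o json`, and that the default auth-file secret type is in use, where the credentials sit under the `auth` key; `lint_basic_auth`, `make_secret` and the sample hashes are constructed for illustration.

```python
import base64

PREFIX = "nginx.ingress.kubernetes.io/"
# Salted schemes htpasswd can emit: apr1 (default), bcrypt (-B), SHA-256/512 crypt.
SALTED = ("$apr1$", "$2y$", "$2a$", "$2b$", "$5$", "$6$")

def lint_basic_auth(ingress, secret):
    """Return a list of problems linking an Ingress to its basic-auth Secret."""
    meta, problems = ingress["metadata"], []
    ann = meta.get("annotations", {})
    ref = ann.get(PREFIX + "auth-secret", "")
    if ann.get(PREFIX + "auth-type") != "basic" or not ref:
        return ["ingress does not request basic auth"]
    # A bare name resolves in the Ingress namespace; "namespace/name" is explicit.
    ns, _, name = ref.rpartition("/")
    want = (ns or meta.get("namespace", "default"), name)
    have = (secret["metadata"].get("namespace", "default"), secret["metadata"]["name"])
    if have != want:
        problems.append("secret is %s/%s, ingress expects %s/%s" % (have + want))
    blob = secret.get("data", {}).get("auth")
    if blob is None:
        # Assumption: default auth-file secret type, which is read from key "auth".
        return problems + ["secret has no 'auth' key"]
    for n, line in enumerate(base64.b64decode(blob).decode().splitlines(), 1):
        user, sep, hashed = line.partition(":")
        if not line.strip():
            continue
        if not (sep and user and hashed):
            problems.append("auth line %d: not in user:hash form" % n)
        elif hashed.startswith("{SHA}"):
            problems.append("auth line %d: %s uses unsalted SHA-1" % (n, user))
        elif not hashed.startswith(SALTED):
            problems.append("auth line %d: %s has a plaintext or unknown hash" % (n, user))
    return problems

# Constructed sample input mirroring the manifests in the answer; hashes are placeholders.
INGRESS = {"metadata": {"name": "kibana", "namespace": "kibana", "annotations": {
    PREFIX + "auth-type": "basic",
    PREFIX + "auth-secret": "my-secret-basic-auth"}}}

def make_secret(namespace, htpasswd_text, key="auth"):
    """Build a Secret dict the way `kubectl create secret --from-file` encodes it."""
    data = {key: base64.b64encode(htpasswd_text.encode()).decode()}
    return {"metadata": {"name": "my-secret-basic-auth", "namespace": namespace}, "data": data}

if __name__ == "__main__":
    bad = make_secret("default", "foo:{SHA}Y29uc3RydWN0ZWQ=\n")
    for problem in lint_basic_auth(INGRESS, bad):
        print(problem)
```

The namespace check matters for the commands as posted: the Ingress lives in `kibana`, while `kubectl create secret` without `-n` writes to the current context's namespace.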