K
Q

K8s -> nginx Ingress: SSO

3/21/2019

I have a service that has HTTP Basic Auth. In front of it I have nginx Ingress, who also has basic-auth. How can I attach Authorization header with the credentials after Sign In with the Ingress, to achieve Single-Sign-On?

This is the configuration of my Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required
    nginx.ingress.kubernetes.io/auth-secret: kibana-user-basic-auth
    nginx.ingress.kubernetes.io/auth-type: basic
  name: kibana-user
  namespace: {{.Release.Namespace}}
spec:
  tls:
  - secretName: kibana-tls
    hosts:
    - {{.Values.ingress.user.host}}
  rules:
  - host: {{.Values.ingress.user.host}}
    http:
      paths:
      - backend:
          serviceName: kibana-logging
          servicePort: {{ .Values.kibana.service.internalPort }}
        path: /
-- Kristian
authentication
kubernetes
nginx-ingress
single-sign-on

Similar Questions

Add or edit label on existing node pool in GKE
Why don't Kubernetes deployments support services?
Kubernetes: update configMap with custom resources
Emulate Google Cloud Storage in local/dev kubernetes cluster
Grafana Pod is in Init Error state after adding an existing PVC
Kubernetes podAntiAffinity affects deployment - FailedScheduling - didn't match pod affinity/anti-affinity
Calico `Socket error: bind: Address not available` after Gitlab kube runner job
How to create custom objects in Kubernetes?
How to install kube-apiserver on centos?

2 Answers

3/22/2019

I guess that you can propagate Authorization header within nginx.ingress.kubernetes.io/auth-response-headers annotation:

nginx.ingress.kubernetes.io/auth-response-headers: Authorization

Or, alternative way you can achieve the same approach by applying proxy_set_header inside the target Ingress location via configuration snippet annotation as described here:

annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
        proxy_set_header Authorization "Basic base64 encode value";
-- mk_sta
Source: StackOverflow
3/28/2019

You could use the annotation nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header Authorization $http_authorization; to forward the Authorization header to the back end service.

The Ingress resource should looks like this

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required
    nginx.ingress.kubernetes.io/auth-secret: kibana-user-basic-auth
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/configuration-snippet: "proxy_set_header Authorization $http_authorization;"
  name: kibana-user
  namespace: {{.Release.Namespace}}
spec:
  tls:
  - secretName: kibana-tls
    hosts:
    - {{.Values.ingress.user.host}}
  rules:
  - host: {{.Values.ingress.user.host}}
    http:
      paths:
      - backend:
          serviceName: kibana-logging
          servicePort: {{ .Values.kibana.service.internalPort }}
        path: /
-- Владимир Начев
Source: StackOverflow