K
Q

external-auth annotation: Is it okay to have a username and password in the url?

8/13/2019

Is ingress-nginx's external-auth secure when using an external service like httpbin? The example connects to https://httpbin.org/basic-auth/user/passwd with the user and password inside of the URL.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://httpbin.org/basic-auth/user/passwd

It seems to work fine when I try it myself. (read: when inspecting with curl, I cannot see this url) but maybe I'm missing something.

Is this secure for a production environment?

Reference: https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/

-- Nick
kubernetes
nginx-ingress

Similar Questions

kubectl command for finding top memory consuming pods per node
I got a message "no metrics known for pod" when I deploy kubernetes-metric-server
Referencing Helm Redis master from another pod within Kubernetes
Fix "The credentials supplied to the package were not recognized" when calling K8S API
Helm create secret from env file
How to exclude istios side-car container logs from fluentbit

1 Answer

8/13/2019

General.
It is never ok to put username and password in GET URL in any environment. It should be post and that to encrypted.

To your problem.
Basic auth is just as FYI.. Use oauth which is pretty common.

https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/

-- yogesh kunjir
Source: StackOverflow