Is ingress-nginx's external-auth secure when using an external service like httpbin? The example connects to https://httpbin.org/basic-auth/user/passwd with the user and password inside of the URL.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/auth-url: https://httpbin.org/basic-auth/user/passwd
It seems to work fine when I try it myself. (read: when inspecting with curl, I cannot see this url) but maybe I'm missing something.
Is this secure for a production environment?
Reference: https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/
General.
It is never ok to put username and password in GET URL in any environment. It should be post and that to encrypted.
To your problem.
Basic auth is just as FYI.. Use oauth which is pretty common.
https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/