I am using nginx ingress controller (https://kubernetes.github.io/ingress-nginx/deploy/) on AWS. The backend service (kibana from ECK: https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-operator-config.html) uses HTTP basic auth mechanics.
Is there a way to tune nginx so that it appends Authorization: Basic header to every request forwarded to my service so that users won't have to type the password?
This solution did not work for me:
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Authorization: Basic encoded_credentals";as I am still being prompted for a password.
Solution:
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_input_headers "Authorization: Basic <based64 user:pass>";Here is an ingress rule using a secret that contains a file generated with htpasswd. It's important the file generated is named auth (actually - that the secret has a key data.auth), otherwise the ingress-controller returns a 503.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ingress-with-auth
annotations:
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - foo'
spec:
rules:
- host: foo.bar.com
http:
paths:
- path: /
backend:
serviceName: http-svc
servicePort: 80Secret creation
$ htpasswd -c auth foo
New password: <bar>
New password:
Re-type new password:
Adding password for user foo
$ kubectl create secret generic basic-auth --from-file=auth
secret "basic-auth" created
$ kubectl get secret basic-auth -o yaml
apiVersion: v1
data:
auth: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK
kind: Secret
metadata:
name: basic-auth
namespace: default
type: OpaqueAccess it using curl and you should get 200 Ok.
$ curl -v http://10.2.29.4/ -H 'Host: foo.bar.com' -u 'foo:bar'Check this example here