Basic auth with NGINX Ingress Controller on Kubernetes

Note: This particular post will not try to explain the basics of Kubernetes Ingress controllers.

The NGINX Ingress Controller, provided by F5 (the company that owns NGINX) is not the same thing as the ingress-nginx controller (the ingress provided and…


This content originally appeared on DEV Community and was authored by Jordan Gregory

Note: This particular post will not try to explain the basics of Kubernetes Ingress controllers.

The NGINX Ingress Controller, provided by F5 (the company that owns NGINX) is not the same thing as the ingress-nginx controller (the ingress provided and maintained by the Kubernetes community).

We at Sixgill don't have anything against the ingress-nginx controller, but there are a number of things that the NGINX Ingress Controller does that ingress-nginx does not, and we needed those particular features; if you would like a breakdown of the differences, feel free to request it in the comments, but we feel like F5 did a decent job with this post:
Which NGINX Ingress Controller am I using?

Both options are open source (but the NGINX Ingress Controller has a paid support option).
It's worth noting that the following steps can probably be performed with the ingress-nginx controller as well, but we have not tested it.

With that out of the way, here is what we did to enable BASIC AUTH using the NGINX Ingress Controller by F5.

Assumptions and Necessary Pre-Work

So, the basic assumptions are these:

  1. You have a running Kubernetes cluster that you can access ... somewhere (KinD, minikube, GKE, AKS, EKS, etc...).
  2. You have the NGINX Ingress Controller installed (NGINX Plus is not necessary, but enabling snippets is necessary).

If you do not have the NGINX Ingress Controller installed, just follow the steps in the guides:

The only real pre-work step is that you have to have a valid .htpasswd file to provide to the controller pods.

In our case, we did the following in an Ubuntu container and wrote the output to a Secret which is kind of outside of the scope of this post, but the slightly more manual method is as follows:

apt-get update
apt-get install apache2-utils
htpasswd -c .htpasswd <my_first_user>
<< The utility will ask you to input the password for the user >>

cat .htpasswd

If you need more than a single user, feel free to rinse//repeat the htpasswd -c ... step for as many users as you need.

Then, just copy the contents of that file via cat for later use.

Adding the .htpasswd file to the existing/future NGINX Ingress Controller pods

First, we have to add the contents of the .htpasswd file to either a ConfigMap or a Secret, and given the contents, we chose a Secret, so to do this, we created this resource:

# Contents of htpasswd.yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: htpasswd
  namespace: nginx
stringData:
  .htpasswd: |
    << CONTENTS OF .HTPASSWD THAT YOU COPIED FROM PRE-WORK >>

Then, simply apply it using kubectl apply -f htpasswd.yaml, but feel free to call the file whatever you want.

If you happened to save the contents of the .htpasswd to a file before hand, you could have simply run kubectl create secret generic htpasswd -n nginx --from-file=<your_file>.

Now, we have to add this file the NGINX pods. To do this step, we need to get the deployment name that we have to edit:

kubectl get deployments -n nginx

NAME           READY  UP-TO-DATE  AVAILABLE  AGE
nginx-ingress  1/1    1           1          15d

Using this, we can simple edit the resource using the following command:

kubectl edit deployment nginx-ingress -n nginx

The modifications we have to make are as follows:

...
spec:
  ...
  template:
    ...
    spec:
      containers:
      - name: nginx-ingress
        ...
        # THIS IS WHAT WE NEED TO ADD TO THE CONTAINER
        volumeMounts:
        - mountPath: /etc/apache2
          name: htpasswd
        ...
      # AND THIS IS WHAT WE NEED TO ADD TO THE OVERALL SPEC
      volumes:
      - secret:
          defaultMode: 420
          items:
          - key: .htpasswd
            path: .htpasswd
          name: htpasswd
        name: htpasswd
      ...

Note: If you are comfortable with patching Kubernetes resources, that would be a viable alternative to just editing.

Modifying your ingress to use the work

So now, the last step is you modify your ingress to actually use everything we have done up to this point. So again, we need to get the name of your ingress and edit it.

kubectl get ingresses

NAME        CLASS  HOSTS                      ADDRESS  PORTS AGE
my-ingress  nginx  my-service.whatever.myTld  1.2.3.4  80,443  15d

Go ahead and edit your ingress like so:

kubectl edit ingress my-ingress

The only changes we need to make are to the annotations of the ingress, and the annotations we need to add are:

metadata:
  ...
  annotations:
    ...
    # THIS IS THE ADDITION
    nginx.org/server-snippets: |
      auth_basic "my-ingress";
      auth_basic_user_file /etc/apache2/.htpasswd;

Once you save the resource, go ahead and try to access you ingress ... and voila! you are presented with a login popup that we are all so familiar with.


This content originally appeared on DEV Community and was authored by Jordan Gregory


Print Share Comment Cite Upload Translate Updates
APA

Jordan Gregory | Sciencx (2021-05-21T21:52:40+00:00) Basic auth with NGINX Ingress Controller on Kubernetes. Retrieved from https://www.scien.cx/2021/05/21/basic-auth-with-nginx-ingress-controller-on-kubernetes/

MLA
" » Basic auth with NGINX Ingress Controller on Kubernetes." Jordan Gregory | Sciencx - Friday May 21, 2021, https://www.scien.cx/2021/05/21/basic-auth-with-nginx-ingress-controller-on-kubernetes/
HARVARD
Jordan Gregory | Sciencx Friday May 21, 2021 » Basic auth with NGINX Ingress Controller on Kubernetes., viewed ,<https://www.scien.cx/2021/05/21/basic-auth-with-nginx-ingress-controller-on-kubernetes/>
VANCOUVER
Jordan Gregory | Sciencx - » Basic auth with NGINX Ingress Controller on Kubernetes. [Internet]. [Accessed ]. Available from: https://www.scien.cx/2021/05/21/basic-auth-with-nginx-ingress-controller-on-kubernetes/
CHICAGO
" » Basic auth with NGINX Ingress Controller on Kubernetes." Jordan Gregory | Sciencx - Accessed . https://www.scien.cx/2021/05/21/basic-auth-with-nginx-ingress-controller-on-kubernetes/
IEEE
" » Basic auth with NGINX Ingress Controller on Kubernetes." Jordan Gregory | Sciencx [Online]. Available: https://www.scien.cx/2021/05/21/basic-auth-with-nginx-ingress-controller-on-kubernetes/. [Accessed: ]
rf:citation
» Basic auth with NGINX Ingress Controller on Kubernetes | Jordan Gregory | Sciencx | https://www.scien.cx/2021/05/21/basic-auth-with-nginx-ingress-controller-on-kubernetes/ |

Please log in to upload a file.




There are no updates yet.
Click the Upload button above to add an update.

You must be logged in to translate posts. Please log in or register.