Introduction
Applying authentication is one of the basic steps for securing the hosted application. For example, Jaeger and Kibana dashboards don’t provide authentication as the default configuration. So we can set up the basic authentication for such applications with the help of Nginx Ingress.
Let’s start with setting up the basic application in Kubernetes. There can be two ways to achieve this, either we use CLI or use Kubernetes Dashboard like Devtron. Let’s try to implement it both ways, starting with CLI.
Basic Auth using CLI
Step-1: Deploy a Kibana image in Kubernetes for the Kibana dashboard
Here’s a sample manifest for deploying the Kibana image. Execute the following command to create a Service and Deployment named kibana
.
cat <<EOF| kubectl create -f -
apiVersion: v1
kind: Service
metadata:
name: kibana
labels:
app: kibana
spec:
ports:
- port: 5601
name: web
selector:
app: kibana
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: kibana
labels:
app: kibana
spec:
replicas: 1
selector:
matchLabels:
app: kibana
template:
metadata:
labels:
app: kibana
spec:
containers:
- name: Kibana-container
image: docker.elastic.co/kibana/kibana:latest
ports:
- containerPort: 5601
Once the application is created, we can verify the pod and service using the following command -
kubectl get all
It will list down all the Kubernetes resources created.
Step-2: Create credentials for basic authentication
Create credentials with the help of htpasswd. You can use any other tool or manually provide the username and password in a file which would be further used for creating a generic secret for auth.
Execute the following command to create a file with credentials. Here’s the syntax of the command - htpasswd -c <file-name> <username>
htpasswd -c auth admin
Step-3: Now using the file created, we need to create a secret that would be used for authentication. Execute the following command to create a secret.
kubectl create secret generic basic-auth --from-file=auth
Step-4: Create an ingress and add the basic authentication annotations in the ingress file.
[Note: An Ingress Controller must be deployed in the respective cluster before creating an ingress. For more detailed information on deploying an ingress controller and ingress, please look at this blog.]
Here's the sample ingress that we will create with the hostname kibana.devtron.info
. Execute the following command to create an ingress with specified annotations.
cat <<EOF | kubectl create -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
name: kibana-ingress
spec:
ingressClassName: nginx
rules:
- host: kibana.devtron.info
http:
paths:
- backend:
service:
name: kibana
port:
name: web
path: /
pathType: Prefix
Congratulations, we have successfully setup the basic auth for the Kibana dashboard using, which can be accessed at kibana.devtron.info
.
Basic Auth using Devtron
In the previous method, we used CLI for all our operations and deployed a kibana dashboard deployment. In this approach, we will use Devtron and perform all the operations from the intuitive user interface provided by Devtron for all Kubernetes operations.
Step 1: Deploy Kibana Dashboard using HELM dashboard
Deploy the same Kibana dashboard using the devtron helm dashboard. Navigate to Chart-store, search for devtron-generic-helm
, and click on configure & deploy
and provide the entire YAML as shown below in the image. To learn how to deploy any helm chart using the helm dashboard, look at this blog.
After giving the manifest click on Deploy chart
button at the bottom right and it will take you to App Details
the tab where you can check out all the details of the deployed chart, k8s workloads deployed along with it, services, manifests, logs of pods, etc as you can see in the image below.
Step 2: Create credentials
Now we will create credentials for basic authentication with the help of htpasswd and that too using the Devtron dashboard. Recently Devtron has launched a feature called Cluster Terminal Access wherein you can access your k8s cluster and fire all your kubectl commands from the dashboard itself.
For this, we have to install the htpasswd
utility. Follow the below steps to install the htpasswd or any other tool.
2.1: Update the package with - apt update
2.2: Install the utility with the command - apt install apache2-utils
Now, Execute the following command: htpasswd -c auth admin
It's important the file generated is named auth (actually - that the secret has key data.auth), otherwise the ingress-controller returns a 503.
Now let’s create a generic secret from the auth file that contains the credentials.
kubectl create secret generic basic-auth —from-file=auth
Step-3: Create Ingress with Authentication
Create an ingress and add basic authentication annotations in ingress YAML.
We have already deployed the ingress controller with a class name nginx
so let’s provide these annotations and click on Deploy Chart. Here as well we are using the same devtron-generic-helm
chart for our custom ingress.yaml
that we used in the first approach.
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
Once you deploy the ingress object is healthy, we are ready to access the dashboard and we are done with authentication.
Step-4: Map Ingress host to public IP
Now we map the ingress host kibana.devtron.info
with the public IP address of the Nginx ingress controller in your DNS management. Now if you try to access the host, it will ask for a username and password as you can see in the below image
Congratulations! We are done with the basic auth setup for our Kibana dashboard. Similarly, you can set up basic auth for almost any dashboard that doesn’t come in with a default authentication mechanism.
If you liked the blog, feel free to share your views and do join the Devtron discord community to get the latest updates on Devtron.