How to Set Up NGINX Basic Authentication on Kubernetes Using Ingress

TL;DR: The blog provides a brief tutorial on how to set up Basic Auth using Nginx Ingress which can be used for adding a layer of security in any dashboard that doesn't have native authentication mechanisms

Table of contents

Introduction

Securing internal dashboards like Kibana, Jaeger, or Prometheus is a crucial part of Kubernetes best practices. This guide walks you through setting up NGINX authentication (basic auth) using Ingress — both via CLI and through Devtron’s UI. Whether you're automating it in CI/CD or doing one-off setups, this guide has you covered.

Let’s start with setting up the basic application in Kubernetes. There can be two ways to achieve this, either we use CLI or use Kubernetes Dashboard like Devtron. Let’s try to implement it both ways, starting with CLI.

How to Set Up NGINX Basic Authentication via CLI in Kubernetes (Step-by-Step) 

First let us take a look at how a step by step process to set up a basic Nginx Authentication using the Kubernetes CLI.

Step 1: Deploy a Kibana image in Kubernetes

Here’s a sample manifest for deploying the Kibana image. Execute the following command to create a Service and Deployment named kibana.

cat <<EOF| kubectl create -f -
apiVersion: v1
kind: Service
metadata:
  name: kibana
  labels:
    app: kibana
spec:
  ports:
  - port: 5601
    name: web
  selector:    
    app: kibana
---
apiVersion: apps/v1
kind: Deployment
metadata:  
  name: kibana
  labels:
    app: kibana
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kibana
  template:
    metadata:
      labels:
        app: kibana
    spec:
      containers:
      - name: Kibana-container
        image: docker.elastic.co/kibana/kibana:latest
        ports:
        - containerPort: 5601

Once the application is created, we can verify the pod and service using the following command -
kubectl get all
It will list down all the Kubernetes resources created.

Step 2: Create credentials for basic authentication

Create credentials with the help of htpasswd. You can use any other tool or manually provide the username and password in a file, which would be further used for creating a generic secret for auth.
Execute the following command to create a file with credentials. Here’s the syntax of the command - htpasswd -c <file-name> <username>

htpasswd -c auth admin

Create credentials for basic authentication

Step 3: Create a Kubernetes Secret

Now using the file created, we need to create a secret that would be used for authentication. Execute the following command to create a secret.

kubectl create secret generic basic-auth --from-file=auth

Create a Kubernetes Secret


Step 4: Create an ingress with annotations

[Note: An Ingress Controller must be deployed in the respective cluster before creating an ingress. Check out this blog for more detailed information on deploying an ingress controller and ingress.]

Here's the sample ingress that we will create with the hostname kibana.devtron.info. Execute the following command to create an ingress with specified annotations.

cat <<EOF | kubectl create -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
  name: kibana-ingress
spec:  
  ingressClassName: nginx
  rules:
  - host: kibana.devtron.info
    http:
      paths:
      - backend:
          service:
            name: kibana
            port:
              name: web
        path: /
        pathType: Prefix

Congratulations, we have successfully setup the basic auth for the Kibana dashboard using, which can be accessed at kibana.devtron.info.

basic auth setup

How to Configure NGINX Basic Authentication Using Devtron Dashboard (Step-by-Step)

In the previous method, we used CLI for all our operations and deployed a Kibana dashboard. In this approach, we will use Devtron and perform all the operations from the intuitive user interface provided by Devtron for all Kubernetes operations.

Step 1: Deploy Kibana Dashboard using the HELM dashboard

Deploy the same Kibana dashboard using the devtron helm dashboard. Navigate to Chart-store, search for devtron-generic-helm, and click on configure & deploy and provide the entire YAML as shown below in the image. To learn how to deploy any helm chart using the helm dashboard, look at this blog.

helm app - devtron

After giving the manifest click on Deploy chart button at the bottom right and it will take you to App Details the tab where you can check out all the details of the deployed chart, k8s workloads deployed along with it, services, manifests, logs of pods, etc as you can see in the image below.

helm chart deployment

Step 2: Create credentials

Now we will create credentials for basic authentication with the help of htpasswd and that too using the Devtron dashboard. Recently Devtron has launched a feature called Cluster Terminal Access wherein you can access your k8s cluster and fire all your kubectl commands from the dashboard itself.

For this, we have to install the htpasswd utility. Follow the below steps to install the htpasswd or any other tool.

2.1: Update the package with - apt update

cluster access terminal - package update

2.2: Install the utility with the command - apt install apache2-utils

installing apache2 utilities

Now, Execute the following command:
htpasswd -c auth admin

cluster access terminal - htpasswd


It's important the file generated is named auth (actually - that the secret has key data.auth), otherwise the ingress-controller returns a 503.
Now let’s create a generic secret from the auth file that contains the credentials.
kubectl create secret generic basic-auth —from-file=auth

cluster access terminal

Step 3: Create Ingress with Authentication

Create an ingress and add basic authentication annotations in ingress YAML.

We have already deployed the ingress controller with a class name nginx so let’s provide these annotations and click on Deploy Chart. Here as well we are using the same devtron-generic-helm chart for our custom ingress.yaml that we used in the first approach.

nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
setting up basic authentication on ingress

Once you deploy the ingress object is healthy, we are ready to access the dashboard and we are done with authentication.

Step-4: Map Ingress host to public IP

Now we map the ingress host kibana.devtron.info with the public IP address of the Nginx ingress controller in your DNS management. Now if you try to access the host, it will ask for a username and password as you can see in the below image

auth setup for kibana

Congratulations! We are done with the basic auth setup for our Kibana dashboard. Similarly, you can set up basic auth for almost any dashboard that doesn’t come with a default authentication mechanism.

If you liked the blog, feel free to share your views, and do join the Devtron discord community to get the latest updates on Devtron.

Commonly asked questions

What is NGINX authentication in Kubernetes?

It refers to enabling access control using basic auth via annotations in the NGINX Ingress Controller, typically using a secret containing an htpasswd-generated file.

Can I create Ingress authentication without the CLI?

Yes. Devtron allows you to configure secrets and Ingress annotations via its UI, including executing shell commands with Terminal Access.

 Is Devtron an Ingress controller?

No. Devtron integrates with popular Ingress controllers like NGINX, helping you manage configurations, annotations, and workloads through a dashboard.

Can I apply the same method to dashboards other than Kibana?

Absolutely. This method applies to any internal tool (like Jaeger, Prometheus, etc.) that doesn't ship with native auth.

visibility-guide

Related articles

Related articles