Setup Basic Authentication using Nginx Ingress

TL;DR: The blog provides a brief tutorial on how to set up Basic Auth using Nginx Ingress which can be used for adding a layer of security in any dashboard that doesn't have native authentication mechanisms

2 years ago   •   5 min read

By Rupin Solanki

Introduction

Applying authentication is one of the basic steps for securing the hosted application. For example, Jaeger and Kibana dashboards don’t provide authentication as the default configuration. So we can set up the basic authentication for such applications with the help of Nginx Ingress.

Let’s start with setting up the basic application in Kubernetes. There can be two ways to achieve this, either we use CLI or use Kubernetes Dashboard like Devtron. Let’s try to implement it both ways, starting with CLI.

Basic Auth using CLI

Step-1: Deploy a Kibana image in Kubernetes for the Kibana dashboard

Here’s a sample manifest for deploying the Kibana image. Execute the following command to create a Service and Deployment named kibana.

cat <<EOF| kubectl create -f -
apiVersion: v1
kind: Service
metadata:
  name: kibana
  labels:
    app: kibana
spec:
  ports:
  - port: 5601
    name: web
  selector:    
    app: kibana
---
apiVersion: apps/v1
kind: Deployment
metadata:  
  name: kibana
  labels:
    app: kibana
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kibana
  template:
    metadata:
      labels:
        app: kibana
    spec:
      containers:
      - name: Kibana-container
        image: docker.elastic.co/kibana/kibana:latest
        ports:
        - containerPort: 5601

Once the application is created, we can verify the pod and service using the following command -
kubectl get all
It will list down all the Kubernetes resources created.

Step-2: Create credentials for basic authentication

Create credentials with the help of htpasswd. You can use any other tool or manually provide the username and password in a file which would be further used for creating a generic secret for auth.
Execute the following command to create a file with credentials. Here’s the syntax of the command - htpasswd -c <file-name> <username>

htpasswd -c auth admin

Step-3:  Now using the file created, we need to create a secret that would be used for authentication. Execute the following command to create a secret.

kubectl  create secret generic basic-auth --from-file=auth


Step-4: Create an ingress and add the basic authentication annotations in the ingress file.

[Note: An Ingress Controller must be deployed in the respective cluster before creating an ingress. For more detailed information on deploying an ingress controller and ingress, please look at this blog.]

Here's the sample ingress that we will create with the hostname kibana.devtron.info. Execute the following command to create an ingress with specified annotations.

cat <<EOF | kubectl create -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    # type of authentication
    nginx.ingress.kubernetes.io/auth-type: basic
    # name of the secret that contains the user/password definitions
    nginx.ingress.kubernetes.io/auth-secret: basic-auth
    # message to display with an appropriate context why the authentication is required
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
  name: kibana-ingress
spec:  
  ingressClassName: nginx
  rules:
  - host: kibana.devtron.info
    http:
      paths:
      - backend:
          service:
            name: kibana
            port:
              name: web
        path: /
        pathType: Prefix

Congratulations, we have successfully setup the basic auth for the Kibana dashboard using, which can be accessed at kibana.devtron.info.

basic auth setup

Basic Auth using Devtron

In the previous method, we used CLI for all our operations and deployed a kibana dashboard deployment. In this approach, we will use Devtron and perform all the operations from the intuitive user interface provided by Devtron for all Kubernetes operations.

Step 1: Deploy Kibana Dashboard using HELM dashboard

Deploy the same Kibana dashboard using the devtron helm dashboard. Navigate to Chart-store, search for devtron-generic-helm, and click on configure & deploy and provide the entire YAML as shown below in the image. To learn how to deploy any helm chart using the helm dashboard, look at this blog.

helm app - devtron

After giving the manifest click on Deploy chart button at the bottom right and  it will take you to App Details the tab where you can check out all the details of the deployed chart, k8s workloads deployed along with it, services, manifests, logs of pods, etc as you can see in the image below.

helm chart deployment

Step 2: Create credentials

Now we will create credentials for basic authentication with the help of htpasswd and that too using the Devtron dashboard. Recently Devtron has launched a feature called Cluster Terminal Access wherein you can access your k8s cluster and fire all your kubectl commands from the dashboard itself.

For this, we have to install the htpasswd utility. Follow the below steps to install the htpasswd or any other tool.

2.1: Update the package with - apt update

cluster access terminal - package update

2.2: Install the utility with the command - apt install apache2-utils

installing apache2 utilities

Now, Execute the following command:
htpasswd -c auth admin

cluster access terminal - htpasswd


It's important the file generated is named auth (actually - that the secret has key data.auth), otherwise the ingress-controller returns a 503.
Now let’s create a generic secret from the auth file that contains the credentials.
kubectl  create secret generic basic-auth —from-file=auth

cluster access terminal

Step-3: Create Ingress with Authentication

Create an ingress and add basic authentication annotations in ingress YAML.

We have already deployed the ingress controller with a class name nginx so let’s provide these annotations and click on Deploy Chart. Here as well we are using the same devtron-generic-helm chart for our custom ingress.yaml that we used in the first approach.

nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
setting up basic auth on ingress

Once you deploy the ingress object is healthy, we are ready to access the dashboard and we are done with authentication.

Step-4: Map Ingress host to public IP

Now we map the ingress host kibana.devtron.info with the public IP address of the Nginx ingress controller in your DNS management. Now if you try to access the host, it will ask for a username and password as you can see in the below image

auth setup for kibana

Congratulations! We are done with the basic auth setup for our Kibana dashboard. Similarly, you can set up basic auth for almost any dashboard that doesn’t come in with a default authentication mechanism.

If you liked the blog, feel free to share your views and do join the Devtron discord community to get the latest updates on Devtron.

visibility-guide

Spread the word