1. NGINX authentication is essential to secure internal Kubernetes dashboards like Kibana, Prometheus, and Jaeger.
2. You can implement basic authentication in Kubernetes using the NGINX Ingress Controller with a secret and annotations.
3. This guide covers step-by-step methods for setting up NGINX basic auth via CLI and Devtron’s UI.
4. Devtron provides a visual, simplified interface to set up Ingress, secrets, and authentication workflows — ideal for teams practicing GitOps or internal platform engineering.
5. NGINX authentication improves Kubernetes security posture by blocking unauthorized access to internal services.
Introduction
Securing internal dashboards like Kibana, Jaeger, or Prometheus is a crucial part of Kubernetes best practices. This guide walks you through setting up NGINX authentication using basic auth via Kubernetes Ingress, both via CLI and Devtron’s UI. Whether you're automating it in CI/CD or doing one-off setups, this guide has you covered.
Let’s start with setting up the basic application in Kubernetes. There are two ways to achieve this: using the CLI or a Kubernetes Dashboard like Devtron. Let’s implement it both ways, starting with the CLI.
How to Set Up NGINX Basic Authentication via CLI in Kubernetes (Step-by-Step)
Setting up basic authentication with NGINX ingress ensures your internal dashboards remain secure from public access. Here’s how to do it using the CLI:
Step 1: Deploy a Kibana image in Kubernetes
Deploy the Kibana dashboard using the following manifest:
cat <<EOF| kubectl create -f -
apiVersion: v1
kind: Service
metadata:
name: kibana
labels:
app: kibana
spec:
ports:
- port: 5601
name: web
selector:
app: kibana
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: kibana
labels:
app: kibana
spec:
replicas: 1
selector:
matchLabels:
app: kibana
template:
metadata:
labels:
app: kibana
spec:
containers:
- name: Kibana-container
image: docker.elastic.co/kibana/kibana:latest
ports:
- containerPort: 5601Verify the deployment:
kubectl get all
This sets up your service, pods, and deployment for Kibana.
Step 2: Create credentials for basic authentication
Generate a .htpasswd file using Apache's utility:
htpasswd -c auth admin
This creates a file with the username (admin) and a hashed password.
Step 3: Create a Kubernetes Secret
Use the generated auth file to create a Kubernetes secret:
kubectl create secret generic basic-auth --from-file=auth
This secret will be referenced in the Ingress resource for authentication.
Step 4: Create an ingress with annotations
[Note: An Ingress Controller must be deployed in the respective cluster before creating an ingress. Check out this blog for more detailed information on deploying an ingress controller and ingress.]
Here’s the Ingress manifest with NGINX-specific annotations for set up
cat <<EOF | kubectl create -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
name: kibana-ingress
spec:
ingressClassName: nginx
rules:
- host: kibana.devtron.info
http:
paths:
- backend:
service:
name: kibana
port:
name: web
path: /
pathType: Prefix
Congratulations, we have successfully set up the basic auth for the Kibana dashboard, which can be accessed at kibana.devtron.info.
How to Configure NGINX Basic Authentication Using Devtron Dashboard (Step-by-Step)
In this approach, we’ll use Devtron’s Kubernetes Dashboard to set up NGINX authentication visually — no terminal needed.
Step 1: Deploy Kibana Dashboard using the HELM dashboard
- Go to Chart Store
- Search and select
devtron-generic-helm - Paste the YAML manifest and click Deploy
Devtron automatically creates the service, deployment, and related Kubernetes resources.
Step 2: Create credentials
Devtron’s Cluster Terminal Access allows you to execute commands inside the dashboard UI:
2.1: Update the package with - apt update
2.2: Install the utility with the command - apt install apache2-utils
Now, execute the following command: htpasswd -c auth admin
kubectl create secret generic basic-auth --from-file=auth
Step 3: Create Ingress with Authentication
Deploy a custom Ingress YAML with the following annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
Deploy this using the same Helm chart (devtron-generic-helm), or use Devtron’s Manifest tab.
Once you deploy the ingress object, it is healthy, we are ready to access the dashboard, and we are done with authentication.
Step-4: Map Ingress host to public IP
- Get the external IP of your NGINX Ingress controller.
- Add a DNS record pointing
kibana.devtron.infoto the IP.
Now, when you access the dashboard, the browser will prompt for basic auth credentials.
Congratulations! We are done with the basic auth setup for our Kibana dashboard. Similarly, you can set up basic auth for almost any dashboard that doesn’t come with a default authentication mechanism.
Why Use NGINX for Authentication in Kubernetes?
- Lightweight: Basic auth with NGINX doesn’t require any external authentication service.
- Flexible: Works with any Ingress-managed service — Prometheus, Grafana, Kibana, Jaeger, etc.
- Secure: Prevents public access to sensitive dashboards in Kubernetes.
- GitOps-friendly: Easily templatized for CI/CD pipelines using Helm or Devtron.
Conclusion
You’ve now learned how to implement NGINX authentication in Kubernetes using two different approaches:
- CLI-based setup for terminal-friendly users.
- Devtron UI-based setup for teams that prefer visual interfaces and GitOps workflows.
This method is widely applicable for securing any internal dashboard that lacks built-in authentication.
If you liked the blog, feel free to share your views, and do join the Devtron discord community to get the latest updates on Devtron.
Commonly asked questions
What is NGINX authentication in Kubernetes?
It refers to enabling access control using basic auth via annotations in the NGINX Ingress Controller, typically using a secret containing an htpasswd-generated file.
Can I create Ingress authentication without the CLI?
Yes. Devtron allows you to configure secrets and Ingress annotations via its UI, including executing shell commands with Terminal Access.
Is Devtron an Ingress controller?
No. Devtron integrates with popular Ingress controllers like NGINX, helping you manage configurations, annotations, and workloads through a dashboard.
Can I apply the same method to dashboards other than Kibana?
Absolutely. This method applies to any internal tool (like Jaeger, Prometheus, etc.) that doesn't ship with native auth.
