Introduction
Securing internal dashboards like Kibana, Jaeger, or Prometheus is a crucial part of Kubernetes best practices. This guide walks you through setting up NGINX authentication (basic auth) using Ingress — both via CLI and through Devtron’s UI. Whether you're automating it in CI/CD or doing one-off setups, this guide has you covered.
Let’s start with setting up the basic application in Kubernetes. There can be two ways to achieve this, either we use CLI or use Kubernetes Dashboard like Devtron. Let’s try to implement it both ways, starting with CLI.
How to Set Up NGINX Basic Authentication via CLI in Kubernetes (Step-by-Step)
First let us take a look at how a step by step process to set up a basic Nginx Authentication using the Kubernetes CLI.
Step 1: Deploy a Kibana image in Kubernetes
Here’s a sample manifest for deploying the Kibana image. Execute the following command to create a Service and Deployment named kibana
.
cat <<EOF| kubectl create -f -
apiVersion: v1
kind: Service
metadata:
name: kibana
labels:
app: kibana
spec:
ports:
- port: 5601
name: web
selector:
app: kibana
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: kibana
labels:
app: kibana
spec:
replicas: 1
selector:
matchLabels:
app: kibana
template:
metadata:
labels:
app: kibana
spec:
containers:
- name: Kibana-container
image: docker.elastic.co/kibana/kibana:latest
ports:
- containerPort: 5601
Once the application is created, we can verify the pod and service using the following command -
kubectl get all
It will list down all the Kubernetes resources created.
Step 2: Create credentials for basic authentication
Create credentials with the help of htpasswd. You can use any other tool or manually provide the username and password in a file, which would be further used for creating a generic secret for auth.
Execute the following command to create a file with credentials. Here’s the syntax of the command - htpasswd -c <file-name> <username>
htpasswd -c auth admin
Step 3: Create a Kubernetes Secret
Now using the file created, we need to create a secret that would be used for authentication. Execute the following command to create a secret.
kubectl create secret generic basic-auth --from-file=auth
Step 4: Create an ingress with annotations
[Note: An Ingress Controller must be deployed in the respective cluster before creating an ingress. Check out this blog for more detailed information on deploying an ingress controller and ingress.]
Here's the sample ingress that we will create with the hostname kibana.devtron.info
. Execute the following command to create an ingress with specified annotations.
cat <<EOF | kubectl create -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
kubernetes.io/ingress.class: nginx
# type of authentication
nginx.ingress.kubernetes.io/auth-type: basic
# name of the secret that contains the user/password definitions
nginx.ingress.kubernetes.io/auth-secret: basic-auth
# message to display with an appropriate context why the authentication is required
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
name: kibana-ingress
spec:
ingressClassName: nginx
rules:
- host: kibana.devtron.info
http:
paths:
- backend:
service:
name: kibana
port:
name: web
path: /
pathType: Prefix
Congratulations, we have successfully setup the basic auth for the Kibana dashboard using, which can be accessed at kibana.devtron.info
.
How to Configure NGINX Basic Authentication Using Devtron Dashboard (Step-by-Step)
In the previous method, we used CLI for all our operations and deployed a Kibana dashboard. In this approach, we will use Devtron and perform all the operations from the intuitive user interface provided by Devtron for all Kubernetes operations.
Step 1: Deploy Kibana Dashboard using the HELM dashboard
Deploy the same Kibana dashboard using the devtron helm dashboard. Navigate to Chart-store, search for devtron-generic-helm
, and click on configure & deploy
and provide the entire YAML as shown below in the image. To learn how to deploy any helm chart using the helm dashboard, look at this blog.
After giving the manifest click on Deploy chart
button at the bottom right and it will take you to App Details
the tab where you can check out all the details of the deployed chart, k8s workloads deployed along with it, services, manifests, logs of pods, etc as you can see in the image below.
Step 2: Create credentials
Now we will create credentials for basic authentication with the help of htpasswd and that too using the Devtron dashboard. Recently Devtron has launched a feature called Cluster Terminal Access wherein you can access your k8s cluster and fire all your kubectl commands from the dashboard itself.
For this, we have to install the htpasswd
utility. Follow the below steps to install the htpasswd or any other tool.
2.1: Update the package with - apt update
2.2: Install the utility with the command - apt install apache2-utils
Now, Execute the following command: htpasswd -c auth admin
It's important the file generated is named auth (actually - that the secret has key data.auth), otherwise the ingress-controller returns a 503.
Now let’s create a generic secret from the auth file that contains the credentials.
kubectl create secret generic basic-auth —from-file=auth
Step 3: Create Ingress with Authentication
Create an ingress and add basic authentication annotations in ingress YAML.
We have already deployed the ingress controller with a class name nginx
so let’s provide these annotations and click on Deploy Chart. Here as well we are using the same devtron-generic-helm
chart for our custom ingress.yaml
that we used in the first approach.
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
Once you deploy the ingress object is healthy, we are ready to access the dashboard and we are done with authentication.
Step-4: Map Ingress host to public IP
Now we map the ingress host kibana.devtron.info
with the public IP address of the Nginx ingress controller in your DNS management. Now if you try to access the host, it will ask for a username and password as you can see in the below image
Congratulations! We are done with the basic auth setup for our Kibana dashboard. Similarly, you can set up basic auth for almost any dashboard that doesn’t come with a default authentication mechanism.
If you liked the blog, feel free to share your views, and do join the Devtron discord community to get the latest updates on Devtron.
Commonly asked questions
What is NGINX authentication in Kubernetes?
It refers to enabling access control using basic auth via annotations in the NGINX Ingress Controller, typically using a secret containing an htpasswd-generated file.
Can I create Ingress authentication without the CLI?
Yes. Devtron allows you to configure secrets and Ingress annotations via its UI, including executing shell commands with Terminal Access.
Is Devtron an Ingress controller?
No. Devtron integrates with popular Ingress controllers like NGINX, helping you manage configurations, annotations, and workloads through a dashboard.
Can I apply the same method to dashboards other than Kibana?
Absolutely. This method applies to any internal tool (like Jaeger, Prometheus, etc.) that doesn't ship with native auth.
