Basic Authentication
This example demonstrates how to configure Basic Authentication on the Voyager Ingress controller.
Using Basic Authentication
Voyager Ingress reads users and passwords from files stored in secrets, one user and password per line. The secret name, realm and type are configured with annotations on the Ingress resource:
- ingress.appscode.com/auth-type: the only supported type is basic
- ingress.appscode.com/auth-realm: an optional string with authentication realm
- ingress.appscode.com/auth-secret: name of the secret
Each line of the auth file should have:
- user and insecure password separated with a pair of colons: <username>::<plain-text-password>; or
- user and an encrypted password separated with colons: <username>:<encrypted-passwd>
If passwords are provided in plain text, Voyager operator will encrypt them before rendering HAProxy configuration.
HAProxy evaluates encrypted passwords with the crypt function. Use mkpasswd or makepasswd to create them. mkpasswd can be found in an Alpine Linux container.
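A pre-flight check for the auth file, added here as an example (it is not part of Voyager or of the original page): it classifies each line by the two formats described above and by the standard crypt(3) hash prefixes. The function names, the pass/fail policy and the `alice` entry are assumptions made for this example.

```shell
# Added example, not Voyager code: audit an auth file before creating the secret.
# Line formats are the two described above; hash kinds follow crypt(3) prefixes.

# classify_entry LINE -> prints "<user> <kind>"
classify_entry() {
    entry=$1
    user=${entry%%:*}   # text before the first colon
    rest=${entry#*:}    # text after the first colon
    case $entry in *:*) ;; *) user= ;; esac   # no colon at all: treat as malformed
    if [ -z "$user" ]; then echo "? malformed"; return 0; fi
    case $rest in
        :?*)    kind=plaintext ;;   # user::password, readable in the secret
        '$6$'*) kind=sha512 ;;
        '$5$'*) kind=sha256 ;;
        '$1$'*) kind=md5 ;;
        *)  # traditional DES crypt: 13 chars of [./0-9A-Za-z], hashes only 8 password chars
            kind=malformed
            if [ "${#rest}" -eq 13 ] &&
               ! printf '%s' "$rest" | grep -q '[^./0-9A-Za-z]'; then
                kind=des
            fi ;;
    esac
    echo "$user $kind"
}

# audit_auth_file FILE -> prints one result per entry; returns 1 when any entry
# is plaintext, des, md5 or malformed (this example's policy, an assumption).
audit_auth_file() {
    rc=0
    while IFS= read -r row || [ -n "$row" ]; do
        [ -n "$row" ] || continue
        res=$(classify_entry "$row")
        echo "$res"
        case $res in *' sha512'|*' sha256') ;; *) rc=1 ;; esac
    done < "$1"
    return "$rc"
}

# Constructed sample: this page's two entries plus a placeholder (not a real hash).
sample_auth() {
    cat <<'EOF'
john::admin
jane:E5BrlrQ5IXYK2
alice:$6$constructedsalt$CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-HASH
EOF
}

# Run as: sh audit.sh auth
[ $# -eq 0 ] || audit_auth_file "$1"
```

HAProxy hands the stored hash to crypt, so a `$5$` or `$6$` hash works only where that crypt implementation supports it.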
Configure
Create a secret for our users:
- john and password admin using insecure plain text password
- jane and password guest using encrypted password
$ mkpasswd -m des ## a short, des encryption, syntax from Busybox on Alpine Linux
Password: (type 'guest' and press Enter)
E5BrlrQ5IXYK2
$ cat >auth <<EOF
john::admin
jane:E5BrlrQ5IXYK2
EOF
$ kubectl create secret generic mypasswd --from-file auth
$ rm -fv auth
# run test servers
$ kubectl run nginx --image=nginx
$ kubectl expose deployment nginx --name=web --port=80 --target-port=80
Create an Ingress with Basic Auth annotations
apiVersion: voyager.appscode.com/v1
kind: Ingress
metadata:
  annotations:
    ingress.appscode.com/type: NodePort
    ingress.appscode.com/rewrite-target: /
    ingress.appscode.com/auth-type: basic
    ingress.appscode.com/auth-realm: My Server
    ingress.appscode.com/auth-secret: mypasswd
  name: basic-auth-ingress
  namespace: default
spec:
  rules:
  - http:
      paths:
      - path: /web
        backend:
          service:
            name: web
            port:
              number: 80
Test without user and password:
$ curl -i ip:port
HTTP/1.0 401 Unauthorized
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Authentication problem. Ignoring this.
WWW-Authenticate: Basic realm="My Server"
<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>
Send a valid user:
$ curl -i -u 'john:admin' ip:port
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Using jane:guest user/passwd should have the same output.
Using Basic Auth for backend service
Voyager Ingress can be configured to use Basic Auth per backend service by applying the annotations to the Kubernetes service.
apiVersion: v1
kind: Service
metadata:
  name: test-svc
  namespace: default
  annotations:
    ingress.appscode.com/auth-type: basic
    ingress.appscode.com/auth-realm: My Server
    ingress.appscode.com/auth-secret: mypasswd
spec:
  ports:
  - name: http-1
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: deployment
Create an Ingress with Basic Auth only on path /auth
apiVersion: voyager.appscode.com/v1
kind: Ingress
metadata:
  name: hello-basic-auth
  namespace: default
spec:
  rules:
  - http:
      paths:
      - path: /no-auth
        backend:
          service:
            name: test-server
            port:
              number: 80
  - http:
      paths:
      - path: /auth
        backend:
          service:
            name: test-svc
            port:
              number: 80
Test without user and password:
$ curl -i ip:port/auth
HTTP/1.0 401 Unauthorized
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Authentication problem. Ignoring this.
WWW-Authenticate: Basic realm="My Server"
<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>
Send a valid user:
$ curl -i -u 'john:admin' ip:port/auth
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
No auth enabled Backend
$ curl -i ip:port/no-auth
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Using Basic Auth In Frontend
Basic Auth can also be configured per frontend in Voyager Ingress via FrontendRules.
apiVersion: voyager.appscode.com/v1
kind: Ingress
metadata:
  name: hello-basic-auth
  namespace: default
spec:
  frontendRules:
  - port: 8080
    auth:
      basic:
        secretName: mypasswd
        realm: My Server
  rules:
  - http:
      port: 80
      paths:
      - path: /no-auth
        backend:
          service:
            name: test-server
            port:
              number: 80
  - http:
      port: 8080
      paths:
      - path: /auth
        backend:
          service:
            name: test-svc
            port:
              number: 80
Test without user and password:
$ curl -i ip:8080/auth
HTTP/1.0 401 Unauthorized
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Authentication problem. Ignoring this.
WWW-Authenticate: Basic realm="My Server"
<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>
Send a valid user:
$ curl -i -u 'john:admin' ip:8080/auth
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
No auth enabled Backend
$ curl -i ip:9090/no-auth
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Acknowledgement
- This document has been adapted from kubernetes/ingress project.