AppsCode
  • KubeDB

    Run Production-Grade Databases on Kubernetes

    Stash

    Backup and Recovery Solution for Kubernetes

    KubeVault

    Run Production-Grade Vault on Kubernetes

    Voyager

    Secure Ingress Controller for Kubernetes

    ConfigSyncer

    Kubernetes Configuration Syncer

    Guard

    Kubernetes Authentication WebHook Server

    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • check-boxLower administrative burden
    • check-boxNative Kubernetes Support
    • check-boxPerformance
    • check-boxAvailability and durability
    • check-boxManageability
    • check-boxCost-effectiveness
    • check-boxSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • check-boxDeclarative API
    • check-boxBackup Kubernetes Volumes
    • check-boxBackup Database
    • check-boxMultiple Storage Support
    • check-boxDeduplication
    • check-boxData Encryption
    • check-boxVolume Snapshot
    • check-boxPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • check-boxVault Kubernetes Deployment
    • check-boxAuto Initialization & Unsealing
    • check-boxVault Backup & Restore
    • check-boxConsume KubeVault Secrets with CSI
    • check-boxManage DB Users Privileges
    • check-boxStorage Backend
    • check-boxAuthentication Method
    • check-boxDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • check-boxHTTP & TCP
    • check-boxSSL
    • check-boxPlatform support
    • check-boxHAProxy
    • check-boxPrometheus
    • check-boxLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • check-boxConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • check-boxIdentity Providers
    • check-boxCLI
    • check-boxRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
Voyager
github-icon twitterx-icon
TRY NOW FREE
  • Welcome
  • Concepts
  • Setup
  • Ingress
    Cert Manager
  • Voyager Operator
    Voyager CLI

New to Voyager? Please start here.

Basic Authentication

This example demonstrates how to configure Basic Authentication on Voyager Ingress controller.

Using Basic Authentication

Voyager Ingress read user and password from files stored on secrets, one user and password per line. Secret name, realm and type are configured with annotations in the ingress resource:

  • ingress.appscode.com/auth-type: the only supported type is basic
  • ingress.appscode.com/auth-realm: an optional string with authentication realm
  • ingress.appscode.com/auth-secret: name of the secret

Each line of the auth file should have:

  • user and insecure password separated with a pair of colons: <username>::<plain-text-password>; or
  • user and an encrypted password separated with colons: <username>:<encrypted-passwd>

If passwords are provided in plain text, Voyager operator will encrypt them before rendering HAProxy configuration. HAProxy evaluates encrypted passwords with crypt function. Use mkpasswd or makepasswd to create it. mkpasswd can be found on Alpine Linux container.

Configure

Create a secret to our users:

  • john and password admin using insecure plain text password
  • jane and password guest using encrypted password
$ mkpasswd -m des ## a short, des encryption, syntax from Busybox on Alpine Linux
Password: (type 'guest' and press Enter)
E5BrlrQ5IXYK2

$ cat >auth <<EOF
john::admin
jane:E5BrlrQ5IXYK2
EOF

$ kubectl create secret generic mypasswd --from-file auth
$ rm -fv auth

# run test servers
$ kubectl run nginx --image=nginx
$ kubectl expose deployment nginx --name=web --port=80 --target-port=80

Create an Ingress with Basic Auth annotations

apiVersion: voyager.appscode.com/v1
kind: Ingress
metadata:
  annotations:
    ingress.appscode.com/type: NodePort
    ingress.appscode.com/rewrite-target: /
    ingress.appscode.com/auth-type: basic
    ingress.appscode.com/auth-realm: My Server
    ingress.appscode.com/auth-secret: mypasswd
  name: basic-auth-ingress
  namespace: default
spec:
  rules:
  - http:
      paths:
      - path: /web
        backend:
          service:
            name: web
            port:
              number: 80

Test without user and password:

$ curl -i ip:port
HTTP/1.0 401 Unauthorized
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Authentication problem. Ignoring this.
WWW-Authenticate: Basic realm="My Server"

<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>

Send a valid user:

$ curl -i -u 'john:admin' ip:port
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8

Using jane:guest user/passwd should have the same output.

Using Basic Auth for backend service

Voyager Ingress can be configured to use Basic Auth per Backend service by applying the annotations to kubernetes service.

apiVersion: v1
kind: Service
metadata:
  name: test-svc
  namespace: default
  annotations:
    ingress.appscode.com/auth-type: basic
    ingress.appscode.com/auth-realm: My Server
    ingress.appscode.com/auth-secret: mypasswd
spec:
  ports:
  - name: http-1
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: deployment

Create an Ingress with Basic Auth only on path /auth

apiVersion: voyager.appscode.com/v1
kind: Ingress
metadata:
  name: hello-basic-auth
  namespace: default
spec:
  rules:
  - http:
      paths:
      - path: /no-auth
        backend:
          service:
            name: test-server
            port:
              number: 80
  - http:
      paths:
      - path: /auth
        backend:
          service:
            name: test-svc
            port:
              number: 80

Test without user and password:

$ curl -i ip:port/auth
HTTP/1.0 401 Unauthorized
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Authentication problem. Ignoring this.
WWW-Authenticate: Basic realm="My Server"

<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>

Send a valid user:

$ curl -i -u 'john:admin' ip:port/auth
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8

No auth enabled Backend

$ curl -i ip:port/no-auth
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8

Using Basic Auth In Frontend

Basic Auth can also be configured per frontend in voyager ingress via FrontendRules.

apiVersion: voyager.appscode.com/v1
kind: Ingress
metadata:
  name: hello-basic-auth
  namespace: default
spec:
  frontendRules:
  - port: 8080
    auth:
      basic:
        secretName: mypasswd
        realm: My Server
  rules:
  - http:
      port: 80
      paths:
      - path: /no-auth
        backend:
          service:
            name: test-server
            port:
              number: 80
  - http:
      port: 8080
      paths:
      - path: /auth
        backend:
          service:
            name: test-svc
            port:
              number: 80

Test without user and password:

$ curl -i ip:8080/auth
HTTP/1.0 401 Unauthorized
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Authentication problem. Ignoring this.
WWW-Authenticate: Basic realm="My Server"

<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>

Send a valid user:

$ curl -i -u 'john:admin' ip:8080/auth
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8

No auth enabled Backend

$ curl -i ip:9090/no-auth
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8

Acknowledgement

What's on this Page

Search
Improve This Page