You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.
This example demonstrates how to configure Basic Authentication on Voyager Ingress controller.
Voyager Ingress read user and password from files stored on secrets, one user and password per line. Secret name, realm and type are configured with annotations in the ingress resource:
ingress.appscode.com/auth-type
: the only supported type is basic
ingress.appscode.com/auth-realm
: an optional string with authentication realmingress.appscode.com/auth-secret
: name of the secretEach line of the auth
file should have:
<username>::<plain-text-password>
; or<username>:<encrypted-passwd>
If passwords are provided in plain text, Voyager operator will encrypt them before rendering HAProxy configuration.
HAProxy evaluates encrypted passwords with crypt function. Use mkpasswd
or
makepasswd
to create it. mkpasswd
can be found on Alpine Linux container.
Create a secret to our users:
john
and password admin
using insecure plain text passwordjane
and password guest
using encrypted password$ mkpasswd -m des ## a short, des encryption, syntax from Busybox on Alpine Linux
Password: (type 'guest' and press Enter)
E5BrlrQ5IXYK2
$ cat >auth <<EOF
john::admin
jane:E5BrlrQ5IXYK2
EOF
$ kubectl create secret generic mypasswd --from-file auth
$ rm -fv auth
Create an Ingress with Basic Auth annotations
apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
annotations:
ingress.appscode.com/auth-type: basic
ingress.appscode.com/auth-realm: My Server
ingress.appscode.com/auth-secret: mypasswd
name: hello-basic-auth
namespace: default
spec:
rules:
- http:
paths:
- path: /testpath
backend:
serviceName: test-service
servicePort: 80
Test without user and password:
$ curl -i ip:port
HTTP/1.0 401 Unauthorized
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Authentication problem. Ignoring this.
WWW-Authenticate: Basic realm="My Server"
<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>
Send a valid user:
$ curl -i -u 'john:admin' ip:port
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Using jane:guest
user/passwd should have the same output.
Voyager Ingress can be configured to use Basic Auth per Backend service by applying the annotations to kubernetes service.
apiVersion: v1
kind: Service
metadata:
name: test-svc
namespace: default
annotations:
ingress.appscode.com/auth-type: basic
ingress.appscode.com/auth-realm: My Server
ingress.appscode.com/auth-secret: mypasswd
spec:
ports:
- name: http-1
port: 80
protocol: TCP
targetPort: 8080
selector:
app: deployment
Create an Ingress with Basic Auth only on path /auth
apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
name: hello-basic-auth
namespace: default
spec:
rules:
- http:
paths:
- path: /no-auth
backend:
serviceName: test-server
servicePort: 80
- http:
paths:
- path: /auth
backend:
serviceName: test-svc
servicePort: 80
Test without user and password:
$ curl -i ip:port/auth
HTTP/1.0 401 Unauthorized
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Authentication problem. Ignoring this.
WWW-Authenticate: Basic realm="My Server"
<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>
Send a valid user:
$ curl -i -u 'john:admin' ip:port/auth
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
No auth enabled Backend
$ curl -i ip:port/no-auth
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Basic Auth can also be configured per frontend in voyager ingress via FrontendRules.
apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
name: hello-basic-auth
namespace: default
spec:
frontendRules:
- port: '8080'
auth:
basic:
secretName: mypasswd
realm: My Server
rules:
- http:
port: '80'
paths:
- path: /no-auth
backend:
serviceName: test-server
servicePort: 80
- http:
port: '8080'
paths:
- path: /auth
backend:
serviceName: test-svc
servicePort: 80
Test without user and password:
$ curl -i ip:8080/auth
HTTP/1.0 401 Unauthorized
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Authentication problem. Ignoring this.
WWW-Authenticate: Basic realm="My Server"
<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>
Send a valid user:
$ curl -i -u 'john:admin' ip:8080/auth
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8
No auth enabled Backend
$ curl -i ip:9090/no-auth
HTTP/1.1 200 OK
Date: Fri, 08 Sep 2017 09:31:43 GMT
Content-Length: 0
Content-Type: text/plain; charset=utf-8