k8s nginx ingress - basic auth on folder
Posted 2020/04/22 00:55
Scenario
Say we have an application, like, say, a roughly made blog with a basic administration panel; we're wanting to deploy the blog so our readers can access our content but want to protect our admin panel, how can we do this easily? Thankfully, the NGINX Ingress Controller supports Basic Authentication - so we have a solution*.
*Note: there are a multitude of security issues with Basic Authentication outside the scope of this blog post to cover but easily found with Google, use Basic Auth with care, over TLS, and for the appropriate situations.How do we do it?
The solution is simple, we just have to create two ingress defs for the same host but one with our basic auth annotations and the other without it.
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
namespace: example
name: blog
spec:
rules:
- host: blog.example.app
http:
paths:
- backend:
serviceName: blog
servicePort: 80
path: /
tls:
- hosts:
- blog.example.app
secretName: blog-ingress-tls
---
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
namespace: example
name: blog-admin
annotations:
nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: blog-admin-creds
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
spec:
rules:
- host: blog.example.app
http:
paths:
- backend:
serviceName: blog
servicePort: 80
path: /admin
tls:
- hosts:
- blog.example.app
secretName: blog-ingress-tls
If you're unfamiliar with NGINX Ingress Basic Auth at all, see the documentation here
Afterthoughts
I really need to improve the markdown based editor for this blog.