Can't get HTTP basic auth with Google Kubernetes Engine Nginx ingress controller

According to the Kubernetes docs, the Nginx Ingress Controller supports adding basic authentication. The required Ingress annotations that I'm setting are:

nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: namespace/secret
nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"

My ingress controller image is: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11

I cannot find any logs from the ingress controller that would indicate errors, but basic auth is not present. In case it matters, I am using cert-manager to provision Let's Encrypt TLS certificates, which is working nicely.

You are using the wrong controller/annotations. These annotations are for https://github.com/kubernetes/ingress-nginx which has this official image

You have examples of how to deploy the controller here

If you want to use gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.11, the annotations are:

ingress.kubernetes.io/auth-type: basic
ingress.kubernetes.io/auth-secret: basic-auth
ingress.kubernetes.io/auth-realm: "Authentication Required"

You can find full articles here or here.

To configure basic authentication on Nginx Ingress there are two things that should be in place:
(I assume you already have an ingress controller running on your cluster)

  1. A Secret with a name and content of username/passwords in a base64 encoded line should exist: (In this example, the name "basic-auth" is used as the name of the Secret but you can choose any valid name you want.) Username: foo, password: bar

     $ htpasswd -c auth foo
     New password: bar
     Re-type new password: bar
     Adding password for user foo

     $ kubectl create secret generic basic-auth --from-file=auth
     secret "basic-auth" created

     $ kubectl get secret basic-auth -o yaml
     apiVersion: v1
     data:
       auth: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK
     kind: Secret
     metadata:
       name: basic-auth
       namespace: default
     type: Opaque

  2. An Ingress object should exist in the same namespace as the Secret:
     (here we use the default namespace for Ingress and Secret)

     echo "
     apiVersion: extensions/v1beta1
     kind: Ingress
     metadata:
       name: ingress-with-auth
       annotations:
         # type of authentication
         nginx.ingress.kubernetes.io/auth-type: basic
         # name of the secret that contains the user/password definitions
         nginx.ingress.kubernetes.io/auth-secret: basic-auth
         # message to display with an appropriate context why the authentication is required
         nginx.ingress.kubernetes.io/auth-realm: \"Authentication Required - foo\"
     spec:
       rules:
       - host: foo.bar.com
         http:
           paths:
           - path: /
             backend:
               serviceName: <your_backend_service_name>
               servicePort: <your_backend_service_port>
     " | kubectl create -f -

To verify your configuration, check the replies to a GET request with or without authentication:
(30xxx - get the port number from the output of the command kubectl get svc --all-namespaces | grep ingress-nginx | grep NodePort)

$ curl -v http://cluster.node.ip.address:30xxx/ -H 'Host: foo.bar.com'
...
< HTTP/1.1 401 Unauthorized
...

$ curl -v http://cluster.node.ip.address:30xxx/ -H 'Host: foo.bar.com' -u 'foo:bar'
...
< HTTP/1.1 200 OK
...

On the next step, you can add SSL or TLS configuration of your choice to Ingress object specification.

Update: The above example still works fine on the current nginx ingress controller v0.44.0

I reckon cert-manager configuration shouldn't affect the way ingress controller manages plain HTTP traffic if SSL/HTTPS isn't enforced.

htpasswd could be installed as a part of Ubuntu/Debian package apache2-utils or httpd-tools for CentOS:

apt install apache2-utils
yum install httpd-tools

For the nginxinc version of the ingress-controller consider reading the issue #200
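
The annotation-prefix mismatch diagnosed in the first answer leaves no error in the controller logs, so it is worth checking Ingress objects against the prefix the deployed controller reads, together with the `auth` key of the Secret from the second answer. The following is an added example, not code from the original posts: `audit_ingress`, its arguments and the sample objects are hypothetical, and the expected prefix is an input the operator must supply for the controller build in use.

```python
import base64

AUTH_KEYS = ("auth-type", "auth-secret", "auth-realm")

def audit_ingress(ingress, secrets, controller_prefix):
    """Findings for one Ingress dict (shape of `kubectl get ingress -o json`).

    controller_prefix: annotation prefix the running controller reads
    (assumption: supplied by the operator). secrets: {(namespace, name): data}.
    """
    meta = ingress["metadata"]
    ns = meta.get("namespace", "default")
    ann = meta.get("annotations", {})
    findings = []
    # Auth annotations under any other prefix are not picked up by the
    # controller, which is the symptom in the question: no error, no auth.
    for key in ann:
        prefix, _, name = key.rpartition("/")
        if name in AUTH_KEYS and prefix != controller_prefix:
            findings.append(f"ignored annotation {key}")
    if ann.get(f"{controller_prefix}/auth-type") != "basic":
        return findings + ["basic auth not enabled for this controller"]
    ref = ann.get(f"{controller_prefix}/auth-secret", "")
    sec_ns, _, sec_name = ref.rpartition("/")  # "name" or "namespace/name"
    data = secrets.get((sec_ns or ns, sec_name))
    if data is None:
        findings.append(f"secret {ref!r} not found")
    elif "auth" not in data:  # key name used by the Secret shown on this page
        findings.append(f"secret {ref!r} has no 'auth' key")
    else:
        for line in base64.b64decode(data["auth"]).decode().splitlines():
            user, sep, pw_hash = line.partition(":")
            if not (user and sep and pw_hash):
                findings.append(f"malformed htpasswd line: {line!r}")
    return findings

# Constructed sample: the Secret shown on this page plus the question's annotations.
SECRETS = {("default", "basic-auth"): {
    "auth": "Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK"}}
QUESTION_INGRESS = {"metadata": {"name": "ingress-with-auth", "namespace": "default",
    "annotations": {
        "nginx.ingress.kubernetes.io/auth-type": "basic",
        "nginx.ingress.kubernetes.io/auth-secret": "default/basic-auth",
        "nginx.ingress.kubernetes.io/auth-realm": "Authentication Required"}}}

if __name__ == "__main__":
    for prefix in ("ingress.kubernetes.io", "nginx.ingress.kubernetes.io"):
        print(prefix, audit_ingress(QUESTION_INGRESS, SECRETS, prefix))
```

Run against a controller that reads `ingress.kubernetes.io`, the question's manifest yields three ignored annotations and no enabled auth; with `nginx.ingress.kubernetes.io` it yields no findings.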
