I'm trying to get a GKE ingress to require basic auth like this example from github.
The ingress works fine. It routes to the service. But the authentication isn't working. Allows all traffic right through. Has GKE not rolled this feature out yet? Something obviously wrong in my specs?
Here's the ingress:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: super-ingress
annotations:
ingress.kubernetes.io/auth-type: basic
ingress.kubernetes.io/auth-secret: basic-auth
ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
rules:
- host: zzz.host.com
http:
paths:
- backend:
serviceName: super-service
servicePort: 9000
path: /*
And the basic-auth
secret:
$ kubectl get secret/basic-auth -o yaml
apiVersion: v1
data:
auth: XXXXXXXXXXXXXXXXXXX
kind: Secret
metadata:
creationTimestamp: 2016-10-03T21:21:52Z
name: basic-auth
namespace: default
resourceVersion: "XXXXX"
selfLink: /api/v1/namespaces/default/secrets/basic-auth
uid: XXXXXXXXXXX
type: Opaque
Any insights are greatly appreciated!
The example you linked to is for nginx ingress controller. GKE uses GLBC, which doesn't support auth.
You can deploy an nginx ingress controller in your gke cluster. Note that you need to annotate your ingress to avoid the GLBC claiming the ingress. Then you can expose the nginx controller directly, or create a glbc ingress to redirect traffic to the nginx ingress (see this snippet written by bprashanh).
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
annotations:
ingress.kubernetes.io/auth-realm: Authentication Required - foo
ingress.kubernetes.io/auth-secret: basic-auth
ingress.kubernetes.io/auth-type: basic
ingress.kubernetes.io/backends: '{"k8s-be-30972--96da70c6fd3c641b":"HEALTHY","k8s-be-31046--96da70c6fd3c641b":"HEALTHY","k8s-be-31655--96da70c6fd3c641b":"HEALTHY"}'
ingress.kubernetes.io/forwarding-rule: k8s-fw-default-fanout-ingress--96da70c6fd3c641b
ingress.kubernetes.io/target-proxy: k8s-tp-default-fanout-ingress--96da70c6fd3c641b
ingress.kubernetes.io/url-map: k8s-um-default-fanout-ingress--96da70c6fd3c641b
creationTimestamp: 2019-05-30T21:28:34Z
generation: 1
name: fanout-ingress
namespace: default
resourceVersion: "31579511"
selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/fanout-ingress
uid: e1477897-8321-11e9-a171-42010a800166
spec:
rules:
- http:
paths:
- backend:
serviceName: web
servicePort: 8080
path: /*
- backend:
serviceName: web2
servicePort: 8080
path: /v2/*
status:
loadBalancer:
ingress:
- ip: *****```