Enabling HTTP Basic Authentication in Kubernetes

Quine Enterprise's container image contains two programs: Quine Enterprise and NGINX. When NGINX is enabled, it is configured as the first stop for traffic on its way to Quine Enterprise, so it can enforce authentication before allowing traffic through.

Prerequisites

Installing Quine Enterprise with Basic Auth using Helm

Installing Quine Enterprise with basic authentication enabled can be done in three steps when using the thatDot Helm charts:

1) Generate a salted password hash:

# Create a 12‑byte random salt and generate a SHA‑256-crypt hash
salt=$(openssl rand -base64 12)
# No password argument is given, so openssl prompts for it interactively
openssl passwd -5 -salt "$salt"

Note

Why 12 bytes?
A 12‑byte random salt expands to 16 ASCII characters when base64‑encoded, which is the maximum salt length SHA‑256-crypt uses.

2) Create a Helm values file, enable basic auth, and add your salted password hash. The following is a small values.yaml that starts a one-member cluster with an empty persistor, configured with basic auth. Fill in your trial <EMAIL>, <API_KEY>, a <USERNAME>, and the <SALTED_HASH> generated in step 1:

hostCount: 1
trial:
  email: <EMAIL>
  apiKey: <API_KEY>
cassandra:
  enabled: false
basicAuth:
  enabled: true
  htpasswd: |
    <USERNAME>:<SALTED_HASH>

Note

htpasswd must contain one or more lines in the exact format accepted by the NGINX auth_basic_user_file directive:

<username1>:<hashed‑password1>
<username2>:<hashed‑password2>
...
See the official docs

3) Install Quine Enterprise using the thatDot Helm charts and the new values file:

helm repo add thatdot https://helm.thatdot.com
helm repo update
helm \
    install quine-enterprise \
    thatdot/quine-enterprise \
    -f values.yaml

Info

Requires thatdot/quine-enterprise Helm chart version 0.4.6 or later.

How the Helm chart wires it up

  • Secret - A Kubernetes Secret containing the htpasswd information provided in the Helm values.yaml is created and mounted into the Quine Enterprise container. NGINX uses it as its Basic Authentication configuration.

Example Generated Kubernetes Secret

apiVersion: v1
kind: Secret
metadata:
  name: quine-enterprise-credentials
type: Opaque
data:
  htpasswd: YWRtaW46JDUkdm95ckZxNHJSM3BINkRPTCRsTEIzSHdTcHpvbUVDZDNxbUpyQVQxMGdjcXd1dzJ2RzdSNjcyZmphUFQzCg==

  • Environment Variables - Helm also sets two environment variables to "true" in the Quine Enterprise container: USE_NGINX and USE_BASIC_AUTH. These configure the container image to run NGINX as a reverse proxy with basic authentication enabled.

env:
- name: USE_NGINX
  value: "true"
- name: USE_BASIC_AUTH
  value: "true"

  • Probes - Helm also adjusts the readiness and liveness probes so that Kubernetes can still probe Quine Enterprise for readiness and liveness.

livenessProbe:
  exec:
    command:
    - curl
    - '--silent'
    - '--fail'
    - http://localhost:8081/api/v1/admin/liveness
  initialDelaySeconds: 5
readinessProbe:
  exec:
    command:
    - curl
    - '--silent'
    - '--fail'
    - http://localhost:8081/api/v1/admin/liveness
  initialDelaySeconds: 5
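
A pre-deploy check for the htpasswd format described above, as an added example that is not part of the thatDot chart or the original page: it accepts only the `$5$` entries produced in step 1 (stricter than NGINX, which also accepts other schemes) and works on either the plain text or the base64 value from the generated Secret. The function names are hypothetical, and accepting `+` in the salt is an assumption based on the base64 salt from step 1.

```shell
#!/bin/sh
# Added example: lint htpasswd entries before they reach NGINX.
# Accepted shape is what `openssl passwd -5` emits:
#   <user>:$5$<salt, 1-16 chars>$<43-char digest>
# '+' is allowed in the salt because step 1 base64-encodes it (assumption).
ENTRY_RE='^[^:[:space:]]+:\$5\$[A-Za-z0-9./+]{1,16}\$[A-Za-z0-9./]{43}$'

# Value copied from the "Example Generated Kubernetes Secret" on this page.
PAGE_SECRET='YWRtaW46JDUkdm95ckZxNHJSM3BINkRPTCRsTEIzSHdTcHpvbUVDZDNxbUpyQVQxMGdjcXd1dzJ2RzdSNjcyZmphUFQzCg=='

# check_htpasswd: htpasswd text on stdin. Succeeds only if there is at least
# one entry and every non-empty line matches ENTRY_RE. Reports line numbers
# only, so hashes never end up in CI logs.
check_htpasswd() {
  n=0 bad=0 lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    [ -z "$line" ] && continue
    n=$((n + 1))
    # Rejects plaintext, unfilled placeholders, and stray CRs from CRLF files.
    if ! printf '%s\n' "$line" | LC_ALL=C grep -Eq "$ENTRY_RE"; then
      echo "htpasswd line $lineno: not a SHA-256-crypt entry" >&2
      bad=$((bad + 1))
    fi
  done
  [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

# check_secret_value: $1 is the base64 string stored under data.htpasswd.
# A value that does not decode yields no entries and therefore fails.
check_secret_value() {
  printf '%s' "$1" | base64 -d 2>/dev/null | check_htpasswd
}

# Demo on the page's own Secret. Against a live cluster the value would come from:
#   kubectl get secret quine-enterprise-credentials -o jsonpath='{.data.htpasswd}'
if check_secret_value "$PAGE_SECRET"; then
  echo "page example Secret: OK"
else
  echo "page example Secret: REJECTED"
fi
```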