If you install Longhorn on a Kubernetes cluster with kubectl or Helm, you will need to create an Ingress controller to allow external traffic to reach the Longhorn UI.

Authentication is not enabled by default for kubectl and Helm installations. In these steps, you’ll learn how to create an Ingress controller with basic authentication.

  1. Create a basic auth file named auth. The generated file must be named auth (more precisely, the secret must have a key data.auth); otherwise the ingress controller returns a 503.

    $ USER=<USERNAME_HERE>; PASSWORD=<PASSWORD_HERE>; echo "${USER}:$(openssl passwd -stdin -apr1 <<< ${PASSWORD})" >> auth
  2. Create a secret:

    $ kubectl -n longhorn-system create secret generic basic-auth --from-file=auth
  3. Create an NGINX Ingress controller manifest longhorn-ingress.yml:

    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: longhorn-ingress
      namespace: longhorn-system
      annotations:
        # type of authentication
        nginx.ingress.kubernetes.io/auth-type: basic
        # prevent the controller from redirecting (308) to HTTPS
        nginx.ingress.kubernetes.io/ssl-redirect: 'false'
        # name of the secret that contains the user/password definitions
        nginx.ingress.kubernetes.io/auth-secret: basic-auth
        # message to display with an appropriate context why the authentication is required
        nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required '
    spec:
      rules:
      - http:
          paths:
          - path: /
            backend:
              serviceName: longhorn-frontend
              servicePort: 80
  4. Create the ingress controller:

    $ kubectl -n longhorn-system apply -f longhorn-ingress.yml

e.g.:

    $ USER=foo; PASSWORD=bar; echo "${USER}:$(openssl passwd -stdin -apr1 <<< ${PASSWORD})" >> auth
    $ cat auth
    foo:$apr1$FnyKCYKb$6IP2C45fZxMcoLwkOwf7k0
    $ kubectl -n longhorn-system create secret generic basic-auth --from-file=auth
    secret/basic-auth created
    $ kubectl -n longhorn-system get secret basic-auth -o yaml
    apiVersion: v1
    data:
      auth: Zm9vOiRhcHIxJEZueUtDWUtiJDZJUDJDNDVmWnhNY29Md2tPd2Y3azAK
    kind: Secret
    metadata:
      creationTimestamp: "2020-05-29T10:10:16Z"
      name: basic-auth
      namespace: longhorn-system
      resourceVersion: "2168509"
      selfLink: /api/v1/namespaces/longhorn-system/secrets/basic-auth
      uid: 9f66233f-b12f-4204-9c9d-5bcaca794bb7
    type: Opaque
    $ echo "
    apiVersion: networking.k8s.io/v1beta1
    kind: Ingress
    metadata:
      name: longhorn-ingress
      namespace: longhorn-system
      annotations:
        # type of authentication
        nginx.ingress.kubernetes.io/auth-type: basic
        # prevent the controller from redirecting (308) to HTTPS
        nginx.ingress.kubernetes.io/ssl-redirect: 'false'
        # name of the secret that contains the user/password definitions
        nginx.ingress.kubernetes.io/auth-secret: basic-auth
        # message to display with an appropriate context why the authentication is required
        nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required '
    spec:
      rules:
      - http:
          paths:
          - path: /
            backend:
              serviceName: longhorn-frontend
              servicePort: 80
    " | kubectl -n longhorn-system create -f -
    ingress.networking.k8s.io/longhorn-ingress created
    $ kubectl -n longhorn-system get ingress
    NAME               HOSTS   ADDRESS                                     PORTS   AGE
    longhorn-ingress   *       45.79.165.114,66.228.45.37,97.107.142.125   80      2m7s
    $ curl -v http://97.107.142.125/
    * Trying 97.107.142.125...
    * TCP_NODELAY set
    * Connected to 97.107.142.125 (97.107.142.125) port 80 (#0)
    > GET / HTTP/1.1
    > Host: 97.107.142.125
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    < HTTP/1.1 401 Unauthorized
    < Server: openresty/1.15.8.1
    < Date: Fri, 29 May 2020 11:47:33 GMT
    < Content-Type: text/html
    < Content-Length: 185
    < Connection: keep-alive
    < WWW-Authenticate: Basic realm="Authentication Required"
    <
    <html>
    <head><title>401 Authorization Required</title></head>
    <body>
    <center><h1>401 Authorization Required</h1></center>
    <hr><center>openresty/1.15.8.1</center>
    </body>
    </html>
    * Connection #0 to host 97.107.142.125 left intact
    * Closing connection 0
    $ curl -v http://97.107.142.125/ -u foo:bar
    * Trying 97.107.142.125...
    * TCP_NODELAY set
    * Connected to 97.107.142.125 (97.107.142.125) port 80 (#0)
    * Server auth using Basic with user 'foo'
    > GET / HTTP/1.1
    > Host: 97.107.142.125
    > Authorization: Basic Zm9vOmJhcg==
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Date: Fri, 29 May 2020 11:51:27 GMT
    < Content-Type: text/html
    < Content-Length: 1118
    < Last-Modified: Thu, 28 May 2020 00:39:41 GMT
    < ETag: "5ecf084d-3fd"
    < Cache-Control: max-age=0
    <
    <!DOCTYPE html>
    <html lang="en">
    ......
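
The secret shape that step 1 insists on (a key data.auth holding `user:hash` lines) can be checked offline before the Ingress is applied, along with whether a given password matches the stored `$apr1$` hash. This is an added example, not part of the Longhorn documentation: it uses the data.auth value and the foo/bar credentials from the session above, and the function names are this example's own.

```python
import base64, hashlib, hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Value of data.auth copied from the `kubectl get secret` output above.
SECRET = {"data": {"auth": "Zm9vOiRhcHIxJEZueUtDWUtiJDZJUDJDNDVmWnhNY29Md2tPd2Y3azAK"}}

def apr1(password: str, salt: str) -> str:
    """Apache MD5 crypt, the scheme `openssl passwd -apr1` produces."""
    pw, s = password.encode(), salt.encode()
    final = hashlib.md5(pw + s + pw).digest()
    ctx = pw + b"$apr1$" + s
    for left in range(len(pw), 0, -16):
        ctx += final[:min(16, left)]
    n = len(pw)
    while n:                                  # one byte per bit of the length
        ctx += b"\0" if n & 1 else pw[:1]
        n >>= 1
    final = hashlib.md5(ctx).digest()
    for i in range(1000):                     # fixed 1000-round stretching
        buf = pw if i & 1 else final
        buf += s if i % 3 else b""
        buf += pw if i % 7 else b""
        final = hashlib.md5(buf + (final if i & 1 else pw)).digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    words = [(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in groups]
    out = ""
    for value, width in words + [(final[11], 2)]:
        for _ in range(width):                # little-endian 6-bit digits
            out += ITOA64[value & 0x3F]
            value >>= 6
    return f"$apr1${salt}${out}"

def read_auth_secret(secret: dict) -> dict:
    """Return {user: hash} from data.auth; raise if the key or format is off."""
    data = secret.get("data", {})
    if "auth" not in data:                    # the page: any other key ends in a 503
        raise ValueError(f"secret keys {sorted(data)}; expected 'auth'")
    users = {}
    for line in base64.b64decode(data["auth"]).decode().splitlines():
        user, sep, digest = line.partition(":")
        if not (user and sep and digest):
            raise ValueError(f"not a user:hash line: {line!r}")
        users[user] = digest
    return users

def password_matches(secret: dict, user: str, password: str) -> bool:
    digest = read_auth_secret(secret).get(user, "")
    parts = digest.split("$")                 # ['', 'apr1', salt, hash]
    ok = len(parts) == 4 and parts[1] == "apr1"
    return ok and hmac.compare_digest(apr1(password, parts[2]), digest)
```

Base64 in data.auth is only an encoding, so anyone who can read the secret obtains the `$apr1$` hash, which is salted MD5 with a fixed 1000 rounds. Likewise, the `Authorization: Basic Zm9vOmJhcg==` header in the session is `foo:bar` in base64 and travels over plain HTTP when ssl-redirect is 'false'.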

Additional Steps for AWS EKS Kubernetes Clusters

You will need to create an ELB (Elastic Load Balancer) to expose the NGINX Ingress controller to the Internet. Additional costs may apply.

  1. Create pre-requisite resources according to the NGINX Ingress Controller documentation.

  2. Create an ELB by following these steps.

References

https://kubernetes.github.io/ingress-nginx/