If you install Longhorn on a Kubernetes cluster with kubectl or Helm, you will need to create an Ingress controller to allow external traffic to reach the Longhorn UI.

Authentication is not enabled by default for kubectl and Helm installations. In these steps, you’ll learn how to create an Ingress controller with basic authentication.

  1. Create a basic auth file auth. It’s important the file generated is named auth (actually - that the secret has a key data.auth), otherwise the ingress-controller returns a 503.

    1. $ USER=<USERNAME_HERE>; PASSWORD=<PASSWORD_HERE>; echo "${USER}:$(openssl passwd -stdin -apr1 <<< ${PASSWORD})" >> auth

  2. Create a secret:

    1. $ kubectl -n longhorn-system create secret generic basic-auth --from-file=auth

  3. Create an NGINX Ingress controller manifest longhorn-ingress.yml :

    1. apiVersion: networking.k8s.io/v1beta1
    2. kind: Ingress
    3. metadata:
    4.   name: longhorn-ingress
    5.   namespace: longhorn-system
    6.   annotations:
    7.     # type of authentication
    8.     nginx.ingress.kubernetes.io/auth-type: basic
    9.     # prevent the controller from redirecting (308) to HTTPS
    10.     nginx.ingress.kubernetes.io/ssl-redirect: 'false'
    11.     # name of the secret that contains the user/password definitions
    12.     nginx.ingress.kubernetes.io/auth-secret: basic-auth
    13.     # message to display with an appropriate context why the authentication is required
    14.     nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required '
    15. spec:
    16.   rules:
    17.   - http:
    18.       paths:
    19.       - path: /
    20.         backend:
    21.           serviceName: longhorn-frontend
    22.           servicePort: 80

  4. Create the ingress controller:

    1. $ kubectl -n longhorn-system apply -f longhorn-ingress.yml

e.g.:

  1. $ USER=foo; PASSWORD=bar; echo "${USER}:$(openssl passwd -stdin -apr1 <<< ${PASSWORD})" >> auth
  2. $ cat auth
  3. foo:$apr1$FnyKCYKb$6IP2C45fZxMcoLwkOwf7k0
  5. $ kubectl -n longhorn-system create secret generic basic-auth --from-file=auth
  6. secret/basic-auth created
  7. $ kubectl -n longhorn-system get secret basic-auth -o yaml
  8. apiVersion: v1
  9. data:
  10.   auth: Zm9vOiRhcHIxJEZueUtDWUtiJDZJUDJDNDVmWnhNY29Md2tPd2Y3azAK
  11. kind: Secret
  12. metadata:
  13.   creationTimestamp: "2020-05-29T10:10:16Z"
  14.   name: basic-auth
  15.   namespace: longhorn-system
  16.   resourceVersion: "2168509"
  17.   selfLink: /api/v1/namespaces/longhorn-system/secrets/basic-auth
  18.   uid: 9f66233f-b12f-4204-9c9d-5bcaca794bb7
  19. type: Opaque
  21. $ echo "
  22. apiVersion: networking.k8s.io/v1beta1
  23. kind: Ingress
  24. metadata:
  25.   name: longhorn-ingress
  26.   namespace: longhorn-system
  27.   annotations:
  28.     # type of authentication
  29.     nginx.ingress.kubernetes.io/auth-type: basic
  30.     # prevent the controller from redirecting (308) to HTTPS
  31.     nginx.ingress.kubernetes.io/ssl-redirect: 'false'
  32.     # name of the secret that contains the user/password definitions
  33.     nginx.ingress.kubernetes.io/auth-secret: basic-auth
  34.     # message to display with an appropriate context why the authentication is required
  35.     nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required '
  36. spec:
  37.   rules:
  38.   - http:
  39.       paths:
  40.       - path: /
  41.         backend:
  42.           serviceName: longhorn-frontend
  43.           servicePort: 80
  44. " | kubectl -n longhorn-system create -f -
  45. ingress.networking.k8s.io/longhorn-ingress created
  47. $ kubectl -n longhorn-system get ingress
  48. NAME               HOSTS   ADDRESS                                     PORTS   AGE
  49. longhorn-ingress   *       45.79.165.114,66.228.45.37,97.107.142.125   80      2m7s
  51. $ curl -v http://97.107.142.125/
  52. *   Trying 97.107.142.125...
  53. * TCP_NODELAY set
  54. * Connected to 97.107.142.125 (97.107.142.125) port 80 (#0)
  55. > GET / HTTP/1.1
  56. > Host: 97.107.142.125
  57. > User-Agent: curl/7.64.1
  58. > Accept: */*
  59. >
  60. < HTTP/1.1 401 Unauthorized
  61. < Server: openresty/1.15.8.1
  62. < Date: Fri, 29 May 2020 11:47:33 GMT
  63. < Content-Type: text/html
  64. < Content-Length: 185
  65. < Connection: keep-alive
  66. < WWW-Authenticate: Basic realm="Authentication Required"
  67. <
  68. <html>
  69. <head><title>401 Authorization Required</title></head>
  70. <body>
  71. <center><h1>401 Authorization Required</h1></center>
  72. <hr><center>openresty/1.15.8.1</center>
  73. </body>
  74. </html>
  75. * Connection #0 to host 97.107.142.125 left intact
  76. * Closing connection 0
  78. $ curl -v http://97.107.142.125/ -u foo:bar
  79. *   Trying 97.107.142.125...
  80. * TCP_NODELAY set
  81. * Connected to 97.107.142.125 (97.107.142.125) port 80 (#0)
  82. * Server auth using Basic with user 'foo'
  83. > GET / HTTP/1.1
  84. > Host: 97.107.142.125
  85. > Authorization: Basic Zm9vOmJhcg==
  86. > User-Agent: curl/7.64.1
  87. > Accept: */*
  88. >
  89. < HTTP/1.1 200 OK
  90. < Date: Fri, 29 May 2020 11:51:27 GMT
  91. < Content-Type: text/html
  92. < Content-Length: 1118
  93. < Last-Modified: Thu, 28 May 2020 00:39:41 GMT
  94. < ETag: "5ecf084d-3fd"
  95. < Cache-Control: max-age=0
  96. <
  97. <!DOCTYPE html>
  98. <html lang="en">
  99. ......

Additional Steps for AWS EKS Kubernetes Clusters

You will need to create an ELB (Elastic Load Balancer) to expose the NGINX Ingress controller to the Internet. Additional costs may apply.

  1. Create pre-requisite resources according to the NGINX Ingress Controller documentation.

  2. Create an ELB by following these steps.

References

https://kubernetes.github.io/ingress-nginx/