SSL certificates in kubernetes are stored as secrets.
To do this, create a TLS secret with the following command.
kubectl create secret tls example-co-zm-ssl --key private.key --cert cert.crt -n longhorn-system
The above command creates a TLS secret in the longhorn-system namespace.
We need to create another secret to store the basic authentication users, this can be done as:
htpasswd -nb arthur P@55w0rd | openssl base64
The add the output in the
secret.yaml file, to look like:
apiVersion: v1 kind: Secret metadata: name: basic-auth-secret namespace: longhorn-system data: users: | YXJ0aHVyOiRhcHIxJER1dXdPUmtMJGlsOFJiZnpiNjgzdGpPU0dLSGxNczAKCg==
With all the certififcates out of the way, we can now create the two middlewares, one for redirecting to https if traffic originates from http
and the other to request a basic authentication prompt for users to provide username and password to access the resource on the url.
Create a basic authentication middleware with the following contents:
apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: basic-auth namespace: longhorn-system spec: basicAuth: secret: basic-auth-secret
Note: This middleware contains the basic authentication secret that stores the username password combination for allowed users.
Creata middleware to route all HTTP to HTTPS with below content.
apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: enforce-https namespace: longhorn-system spec: redirectScheme: scheme: https permanent: true
Note: The above middleware contains the scheme to redirect to,which is https and the permanent attribute set to true to make this a permanent 301 redirect.
With all that done, you can create an ingress that contains the following contents.
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: longhorn-ingress namespace: longhorn-system annotations: traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-enforce-https@kubernetescrd,longhorn-system-basic-auth@kubernetescrd spec: tls: - secretName: example-co-zm-ssl rules: - host: storage.example.co.zm http: paths: - path: / pathType: Prefix backend: service: name: longhorn-frontend port: number: 80
The above ingress contains annotations that add two middlewares to this ingress.
NOTE: The middleware has a syntax that requires that the middleware semantic follow a pattern of:
< namespace >-< middleware >@kubernetescrd
Which for the basic-auth middleware which is in the longhorn-system namespace translates to
The middlewares can be chained together by comma separating them.
tls part contains a list of TLS secrets, in our case, we only have one.
rules dictate how route matching is processed, what service to connect to and the port on the service being connected to.
To apply these configurations, use
kubectl apply -f
kubectl apply -f secret.yaml -f basic-auth-middleware.yaml -f https-middleware.yaml -f longhorn-ingress.yaml
This is with the assumption that your kubernetes cluster has traefik as the ingress controller and longhorn as the block storage controller already setup.
Otherwise,you might need tomodify this toi suit the ingress controller being used and the service being connected to.