Enable Basic Authentication

Hydrolix supports Basic Authentication on selected service endpoints. To enable it, add basic_auth to the hydrolixcluster YAML configuration file, listing the services that should use Basic Auth. The following endpoints can use Basic Auth:

Service       Description
prometheus    For HTTP query of the /prometheus service
version       For HTTP query on /version which displays the current deployed version
validator     For HTTP query on /validator to test transform

Note (Config API): The configuration API uses its own authentication mechanism using Bearer tokens. For more information, see Login to Hydrolix.

For example, to use Basic Auth in the stream and version service endpoints, add the following configuration:

apiVersion: hydrolix.io/v1
kind: HydrolixCluster
metadata:
  # ... (existing metadata unchanged)
spec:
  # ... (existing settings unchanged)
  basic_auth:     # ADD
  - stream-head   # ADD
  - version       # ADD
  # ... (remaining settings unchanged)

By default, Hydrolix uses the username hydrolix, generates a random password, and stores it as base64 data in the Kubernetes general Secret. You can retrieve the generated password with the following command:

kubectl get secret general -o jsonpath='{.data.TRAEFIK_PASSWORD}' | base64 -d ; echo

To authenticate with the default hydrolix username, use your generated password and domain in the following command:

curl -u hydrolix:<PASSWORD> https://$hostname/version

Modify the Curated Secret

The operator pod aggregates all the values from the curated secret and merges them into the dynamically generated general secret, which the appropriate services then fetch.

Modify the curated Kubernetes secret to update this password.

kubectl edit secrets curated

Update the variable TRAEFIK_PASSWORD with your (base64-encoded) password.

Per-Service Credentials

Each service can use a different password with Basic Auth. To use per-service credentials, add entries to the curated secret.

Per-service credentials use a different username and a distinct password for each endpoint. The username follows the pattern hydrolix-$<SERVICE-NAME>.

The following example sets a password for the Traefik Stream Head service endpoint:

---
apiVersion: v1
kind: Secret
metadata:
  name: curated
  namespace: $HDX_KUBERNETES_NAMESPACE
stringData:
  TRAEFIK_STREAM_HEAD_PASSWORD: mousie-thou-art-no-thy-lane
type: Opaque

To authenticate with the Stream Head in this example, use the following:

  • username: hydrolix-stream-head
  • password: mousie-thou-art-no-thy-lane
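
The shell helpers below are an added example, not part of the Hydrolix documentation or code. They cover the base64 step from "Modify the Curated Secret" and the per-service naming from "Per-Service Credentials": the password is encoded without a trailing newline, and credentials reach curl through `--config -` rather than the command line. The helper names are hypothetical, and the `TRAEFIK_<SERVICE>_PASSWORD` key pattern is an assumption generalised from the single stream-head example.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not Hydrolix tooling.

# Base64-encode a password for the `data:` field shown by
# `kubectl edit secrets curated`. printf '%s' avoids the trailing newline
# that `echo` appends, which would silently become part of the password.
encode_secret_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a value copied from a secret's `data:` field (for verification).
decode_secret_value() {
  printf '%s' "$1" | base64 -d
}

# Per-service username, following the page's pattern hydrolix-$<SERVICE-NAME>.
service_username() {
  printf 'hydrolix-%s' "$1"
}

# Curated-secret key for a service. ASSUMPTION: generalised from the page's
# one example (stream-head -> TRAEFIK_STREAM_HEAD_PASSWORD).
service_secret_key() {
  printf 'TRAEFIK_%s_PASSWORD' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# Emit a curl config line carrying the credentials. Piped into
# `curl --config -`, it keeps the password out of the process list and
# shell history. Backslashes and double quotes are escaped for curl's
# quoted-value syntax.
curl_auth_config() {
  printf 'user = "%s:%s"\n' "$1" \
    "$(printf '%s' "$2" | sed 's/[\\"]/\\&/g')"
}

# Usage against a live cluster (not executed here; $hostname as on the page):
#   pw=$(kubectl get secret general \
#          -o jsonpath='{.data.TRAEFIK_PASSWORD}' | base64 -d)
#   curl_auth_config hydrolix "$pw" | curl --config - "https://$hostname/version"
#
# Value to paste for TRAEFIK_PASSWORD when editing the curated secret:
#   encode_secret_value 'your-new-password'
```

When the secret is written with `stringData`, as in the per-service example, the password is given in plain text and must not be base64-encoded first.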