Enable Basic Authorization
For endpoint security, Hydrolix offers the ability to use Basic Authorization for endpoints. To enable Basic Authentication, add basic_auth to the hydrolixcluster yaml configuration file, listing the services that should use Basic Auth. The following endpoints can use Basic Auth:
Service | Description |
---|---|
stream-head | For HTTP based ingest on /ingest/events |
prometheus | For HTTP query of the /prometheus service |
version | For HTTP query on /version which displays the current deployed version |
validator | For HTTP query on /validator to test transform |
Config API
The configuration API has its own authorization mechanism based on Bearer tokens. For more information, see Login to Hydrolix.
For example, to use Basic Auth in the stream and version service endpoints, add the following configuration:
apiVersion: hydrolix.io/v1
kind: HydrolixCluster
metadata:
  # .............
spec:
  # .........
  basic_auth:        # <----- ADD
    - stream-head    # <----- ADD
    - version        # <----- ADD
  # ...........
By default, Hydrolix uses the username hydrolix, generates a random password, and stores it as base64 data in the Kubernetes general secret. You can retrieve the generated password with the following command:
kubectl get secret general -o jsonpath='{.data.TRAEFIK_PASSWORD}' | base64 -d ; echo
To authenticate with the default hydrolix username, use your generated password and domain in the following command:
curl -u hydrolix:<PASSWORD> https://$hostname/version
Modify the Default Secret
You can modify the default password by updating the Kubernetes secret:
kubectl edit secrets general
Modify the variable TRAEFIK_PASSWORD with your (base64-encoded) password.
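The helpers below are an added example, not Hydrolix tooling: they generate a replacement password, encode it for the TRAEFIK_PASSWORD field without the stray newline that `echo | base64` would add, and check that an endpoint rejects anonymous requests. The function names are hypothetical, and the `kubectl patch` line in the comment is an alternative to the `kubectl edit` step above.

```shell
#!/usr/bin/env bash
# Added example, not Hydrolix code. All function names are hypothetical.

# 128-bit random password as 32 hex characters (safe in YAML, JSON, curl config).
gen_password() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Base64 for a Secret's data: field. printf '%s' avoids the trailing newline
# that `echo "$pw" | base64` would store as part of the password.
encode_secret_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Patch body that replaces TRAEFIK_PASSWORD in the general secret.
# Apply it without putting the value in argv:
#   secret_patch_json "$pw" | kubectl patch secret general --patch-file /dev/stdin
secret_patch_json() {
  printf '{"data":{"TRAEFIK_PASSWORD":"%s"}}\n' "$(encode_secret_value "$1")"
}

# Succeeds only if URL answers 401 to an anonymous request and accepts USER/PASS.
# The credential reaches curl through a config on stdin, not the command line,
# so it stays out of `ps` output and shell history.
# Passwords containing " or \ would need escaping for the curl config syntax.
check_basic_auth() (   # usage: check_basic_auth URL USER PASS
  anon=$(curl -s -o /dev/null -w '%{http_code}' "$1")
  authed=$(printf 'user = "%s:%s"\n' "$2" "$3" |
    curl -s -o /dev/null -w '%{http_code}' -K - "$1")
  [ "$anon" = 401 ] && [ "$authed" != 401 ] && [ "$authed" != 000 ]
)
```

After changing the secret, `check_basic_auth "https://$hostname/version" hydrolix "$pw"` confirms both that the new password is accepted and that the endpoint is not open to unauthenticated clients.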
Per-Service Credentials
Each service can use a different password with Basic Auth. To use per-service credentials, add entries to the curated secret.
Per-service credentials use a different username for each endpoint with a distinct password. This follows the pattern hydrolix-$<SERVICE_NAME>.
The following example sets a password for the Traefik Stream Head service endpoint:
---
apiVersion: v1
kind: Secret
metadata:
  name: curated
  namespace: $HDX_KUBERNETES_NAMESPACE
stringData:
  TRAEFIK_STREAM_HEAD_PASSWORD: mousie-thou-art-no-thy-lane
type: Opaque
To authenticate with the Stream Head in this example, use the following:
- username: hydrolix-stream-head
- password: mousie-thou-art-no-thy-lane