Enable Basic Authentication

📘

Basic Authentication is being replaced by Unified Authentication, which uses the same user accounts and passwords set up in the API. Basic Authentication is incompatible with Unified Authentication, which has been on by default since the 4.6 release.

Hydrolix can protect individual service endpoints with Basic Authentication. To enable it, add a basic_auth list to the hydrolixcluster YAML configuration file, naming the services that should use Basic Auth. The following endpoints can use Basic Auth:

Service       Description
stream-head   For HTTP based ingest on /ingest/events
prometheus    For HTTP query of the /prometheus service
version       For HTTP query on /version which displays the current deployed version
validator     For HTTP query on /validator to test transform

📘

Config API

The configuration API uses its own authentication mechanism using Bearer tokens. For more information, see Login to Hydrolix.

For example, to use Basic Auth on the stream-head and version service endpoints, add the following configuration:

apiVersion: hydrolix.io/v1
kind: HydrolixCluster
metadata:
    # ... (existing metadata unchanged)
spec:
  # ... (existing settings unchanged)
  basic_auth:     # <----- ADD
  - stream-head   # <----- ADD
  - version       # <----- ADD
  # ...

By default, Hydrolix uses the username hydrolix, generates a random password, and stores it as base64 data in the Kubernetes general Secret. You can retrieve the generated password with the following command:

kubectl get secret general -o jsonpath='{.data.TRAEFIK_PASSWORD}' | base64 -d ; echo

To authenticate with the default hydrolix username, use your generated password and domain in the following command:

curl -u hydrolix:<PASSWORD> https://$hostname/version

Modify the Curated Secret

The operator pod aggregates all the values from the curated Secret and merges them into the dynamically generated general Secret, which the appropriate services then fetch.

Because of this, you should modify the curated Kubernetes Secret if you want to update this password. You can do so by running:

kubectl edit secrets curated

Set the TRAEFIK_PASSWORD variable to your base64-encoded password.
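
The following is an added example, not part of the Hydrolix documentation or tooling. It shows how to produce the base64 value for TRAEFIK_PASSWORD without encoding a stray trailing newline, and how to pass the credentials to the curl command shown earlier without placing the password on the command line. The function names are hypothetical and the demo values are constructed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not Hydrolix tooling.

# Random 32-character password (24 random bytes encode with no '=' padding).
# '+' and '/' are replaced so the value needs no quoting or escaping.
gen_password() {
  head -c 24 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_'
}

# Encode a password for the Secret's data field. printf '%s' adds no newline,
# unlike `echo pw | base64`, which stores "pw\n" so the password never matches.
b64_secret_value() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Status 0 if a base64 value decodes to bytes ending in "\n", which usually
# means it was produced with echo. Check before saving the Secret edit.
has_trailing_newline() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
}

# Emit a curl config line. Piped to `curl --config - URL`, the password is
# read from stdin instead of appearing in the process list as with `-u`.
# Assumes the password contains no '"' or '\' (true for gen_password output).
curl_user_config() {
  printf 'user = "%s:%s"\n' "$1" "$2"
}

# Demo with a constructed password; no cluster access is needed.
pw=$(gen_password)
enc=$(b64_secret_value "$pw")
if has_trailing_newline "$enc"; then
  echo "refusing: encoded value carries a trailing newline" >&2
else
  echo "value for TRAEFIK_PASSWORD in 'kubectl edit secrets curated': $enc"
fi
# Against a live cluster (not run here):
#   curl_user_config hydrolix "$pw" | curl --config - "https://$hostname/version"
```
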

Per-Service Credentials

Each service can use a different password with Basic Auth. To use per-service credentials, add entries to the curated secret.

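Per-service credentials use a different username for each endpoint, each with its own password. Usernames follow the pattern hydrolix-$<SERVICE-NAME>.

The following example sets a password for the Traefik Stream Head service endpoint. Because it uses stringData, the password is written in plain text and Kubernetes base64-encodes it when the Secret is stored: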

---
apiVersion: v1
kind: Secret
metadata:
  name: curated
  namespace: $HDX_KUBERNETES_NAMESPACE
stringData:
  TRAEFIK_STREAM_HEAD_PASSWORD: mousie-thou-art-no-thy-lane
type: Opaque

To authenticate with the Stream Head in this example, use the following:

  • username: hydrolix-stream-head
  • password: mousie-thou-art-no-thy-lane