Enable Basic Authentication


Basic Authentication is being replaced...

...by Unified Authentication, which uses the same user accounts and passwords set up in the API. Basic Authentication is incompatible with Unified Authentication, which was on by default starting with the 4.6 release.

For endpoint security, Hydrolix offers the ability to use Basic Authentication for endpoints. To enable Basic Authentication, add basic_auth to the hydrolixcluster yaml configuration file, listing the services that should use Basic Auth. The following endpoints can use Basic Auth:

stream-headFor HTTP based ingest on /ingest/events
prometheusFor HTTP query of the /prometheus service
versionFor HTTP query on /version which displays the current deployed version
validatorFor HTTP query on /validator to test transform


Config API

The configuration API uses its own authentication mechanism using Bearer tokens. For more information, see Login to Hydrolix.

For example, to use Basic Auth in the stream and version service endpoints, add the following configuration:

apiVersion: hydrolix.io/v1
kind: HydrolixCluster
  basic_auth:   <----- ADD
  - stream-head <----- ADD 
  - version     <----- ADD

By default, Hydrolix uses the username hydrolix, generates a random password, and stores it as base64 data in the Kubernetes general secret. You can retrieve the generated password with the following command:

kubectl get secret general -o jsonpath='{.data.TRAEFIK_PASSWORD}' | base64 -d ; echo

To authenticate with the default hydrolix username, use your generated password and domain in the following command:

curl -u hydrolix:<PASSWORD> https://$hostname/version

Modify the Default Secret

You can modify the default password by updating the kubernetes secret:

kubectl edit secrets general

Modify the variable TRAEFIK_PASSWORD with your (base64-encoded) password.

Per-Service Credentials

Each service can use a different password with Basic Auth. To use per-service credentials, add entries to the curated secret.

Per-service credentials use a different username for each endpoint with a distinct password. This follows the pattern hydrolix-$<SERVICE_NAME>.

The following example sets a password for the Traefik Stream Head service endpoint:

apiVersion: v1
kind: Secret
  name: curated
  TRAEFIK_STREAM_HEAD_PASSWORD: mousie-thou-art-no-thy-lane
type: Opaque

To authenticate with the Stream Head in this example, use the following:

  • username: hydrolix-stream-head
  • password: mousie-thou-art-no-thy-lane