Enable Basic Authorization
For endpoint security, Hydrolix offers the ability to use Basic Authorization for endpoints. To enable Basic Authentication, add basic_auth to the hydrolixcluster yaml configuration file, listing the services that should use Basic Auth. The following endpoints can use Basic Auth:
| Service | Description |
|---|---|
| stream-head | For HTTP based ingest on /ingest/events |
| prometheus | For HTTP query of the /prometheus service |
| version | For HTTP query on /version which displays the current deployed version |
| validator | For HTTP query on /validator to test transform |
Config API
The configuration API uses its own authorization mechanism using
Bearer tokens. For more information, see Login to Hydrolix.
For example, to use Basic Auth in the stream and version service endpoints, add the following configuration:
apiVersion: hydrolix.io/v1
kind: HydrolixCluster
metadata:
.............
spec:
.........
basic_auth: <----- ADD
- stream-head <----- ADD
- version <----- ADD
...........
By default, Hydrolix uses the username hydrolix, generates a random password, and stores it as base64 data in the Kubernetes general secret. You can retrieve the generated password with the following command:
kubectl get secret general -o jsonpath='{.data.TRAEFIK_PASSWORD}' | base64 -d ; echo
To authenticate with the default hydrolix username, use your generated password and domain in the following command:
curl -u hydrolix:<PASSWORD> https://$hostname/version
Modify the Default Secret
You can modify the default password by updating the kubernetes secret:
kubectl edit secrets general
Modify the variable TRAEFIK_PASSWORD with your (base64-encoded) password.
Per-Service Credentials
Each service can use a different password with Basic Auth. To use per-service credentials, add entries to the curated secret.
Per-service credentials use a different username for each endpoint with a distinct password. This follows the pattern hydrolix-$<SERVICE_NAME>.
The following example sets a password for the Traefik Stream Head service endpoint:
---
apiVersion: v1
kind: Secret
metadata:
name: curated
namespace: $HDX_KUBERNETES_NAMESPACE
stringData:
TRAEFIK_STREAM_HEAD_PASSWORD: mousie-thou-art-no-thy-lane
type: Opaque
To authenticate with the Stream Head in this example, use the following:
- username:
hydrolix-stream-head - password:
mousie-thou-art-no-thy-lane
Updated about 1 month ago