
Secure Envoy Gateway with Basic Auth and Kubernetes Secrets

This guide walks through enabling Basic Authentication in Envoy Gateway by creating an .htpasswd file, storing it as a Kubernetes Secret, applying a SecurityPolicy, and verifying access with curl, while highlighting important security considerations such as using HTTPS.

Linux Ops Smart Journey

In production environments, protecting internal services from unauthorized access is essential. While modern methods like OAuth2 and JWT are common, Basic Authentication remains a simple and efficient solution for internal tools, testing environments, or legacy system integration.

How Basic Auth works

The client concatenates username:password into a string.

The string is Base64‑encoded (note: this is encoding, not encryption).

The encoded string is placed in the HTTP header Authorization: Basic <encoded_string>.

Tip: Base64 is trivially reversible, so anyone who can read the header can recover the credentials; the encoding does not keep them secret.

Step 1: Create an .htpasswd file

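# Install the htpasswd tool
apt install apache2-utils   # Ubuntu/Debian
yum install httpd-tools      # CentOS

# Create the .htpasswd file (-c creates the file, -s stores a SHA-1 hash); prompts for the password
htpasswd -cs .htpasswd jiaxzeng
# For an existing file, add or update a user (omit -c so the file is not overwritten)
htpasswd -s .htpasswd test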

Step 2: Create a Kubernetes Secret from the .htpasswd file

kubectl create secret generic basic-auth --from-file=.htpasswd
# Output: secret/basic-auth created

Step 3: Define a SecurityPolicy that references the secret

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: basic-auth-example
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: simple
  basicAuth:
    users:
      name: "basic-auth"

Apply the policy by piping the manifest to kubectl apply -f - (which reads it from standard input). The command creates securitypolicy.gateway.envoyproxy.io/basic-auth-example.

Verification with curl

curl -v -H "Host: www.simple.com" http://172.139.20.19:30874/ping

The response shows 401 Unauthorized and a WWW-Authenticate: Basic realm="http://www.simple.com/ping" header, confirming that authentication is required.

Tip: Basic Auth should always be used over HTTPS; without TLS the credentials are exposed in clear text.
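
To make the header format and the htpasswd -s storage format concrete, the following added example (not from the original article, and not Envoy Gateway's own code) builds an Authorization header, parses {SHA} entries, and checks one against the other. The function names and the sample credentials are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac


def basic_header(user: str, password: str) -> str:
    """Client side: Base64("user:password") behind the "Basic " scheme."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def sha_entry(user: str, password: str) -> str:
    """The line `htpasswd -s` stores: user:{SHA}Base64(SHA1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def parse_htpasswd(text: str) -> dict:
    """Map user -> raw SHA-1 digest, skipping lines that are not {SHA} entries."""
    users = {}
    for line in text.splitlines():
        user, sep, hashed = line.strip().partition(":")
        if sep and hashed.startswith("{SHA}"):
            users[user] = base64.b64decode(hashed[5:])
    return users


def check_header(header: str, users: dict) -> bool:
    """Server side: decode the header and compare against the stored digest."""
    scheme, _, token = header.partition(" ")
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return False
    user, sep, password = decoded.partition(":")  # password may contain ':'
    if scheme.lower() != "basic" or not sep or user not in users:
        return False
    candidate = hashlib.sha1(password.encode()).digest()
    return hmac.compare_digest(candidate, users[user])


if __name__ == "__main__":
    # Constructed sample credentials, not values from the article.
    users = parse_htpasswd(sha_entry("jiaxzeng", "s3cret:demo") + "\n")
    header = basic_header("jiaxzeng", "s3cret:demo")
    print(header, "decodes to", base64.b64decode(header[6:]).decode())
    print("accepted:", check_header(header, users))
    print("rejected:", check_header(basic_header("jiaxzeng", "nope"), users))
```

The first printed line shows the password recovered from the header with a single Base64 decode, which is why the request must travel over TLS. The stored {SHA} value is an unsalted SHA-1 digest, so the Secret holding .htpasswd deserves the same access restrictions as the passwords themselves.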

Conclusion

Enabling Basic Authentication in Envoy Gateway provides a solid first line of defense and integrates smoothly with other features such as rate limiting, CORS, JWT authentication, and TLS termination, all following the Gateway API standard. Mastering these configurations is valuable for cloud‑native engineers and platform operators.
