Secure Longhorn UI on Kubernetes: Add Basic Auth and Enable HTTPS
This guide walks you through securing the Longhorn UI in a Kubernetes environment by configuring basic authentication and enabling HTTPS via Ingress and cert‑manager, including prerequisite setup, secret creation, Helm upgrades, and verification steps to ensure production‑grade protection.
In the Kubernetes ecosystem, Longhorn is a popular distributed block storage solution, but its UI lacks authentication and HTTPS by default, allowing anyone who knows the IP and port to access and manipulate the storage system.
This article shows how to add two essential security layers to the Longhorn UI: basic username/password authentication and HTTPS encryption.
Prerequisites
An Ingress‑controller service is already deployed (see the "Helm implementation of high‑availability Ingress" article).
cert‑manager is installed (see the "Kubernetes certificate automation: cert‑manager installation guide" article).
An httpd environment is available to generate the credential file.
Security Hardening
The hardening consists of two parts:
Require credentials to access the Longhorn UI.
Configure the Longhorn UI to use HTTPS.
1. Generate UI username and password
sudo yum -y install httpd
htpasswd -c /tmp/longhorn-basic-auth jiaxzeng
New password:
Re-type new password:
Adding password for user jiaxzeng
2. Create a secret containing the credentials
kubectl -n storage-system create secret generic longhorn-basic-auth --from-file=auth=/tmp/longhorn-basic-auth
secret/longhorn-basic-auth created
3. Install Longhorn with Ingress configuration (basic auth)
ingress:
  enabled: true
  ingressClassName: nginx
  host: longhorn.jiaxzeng.com
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: longhorn-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required '
    nginx.ingress.kubernetes.io/proxy-body-size: 10000m
4. Configure HTTPS for the Longhorn UI
ingress:
  enabled: true
  ingressClassName: nginx
  host: longhorn.jiaxzeng.com
  tls: true
  tlsSecret: longhorn.jiaxzeng.com-tls
  annotations:
    cert-manager.io/cluster-issuer: ca-cluster-issuer
    nginx.ingress.kubernetes.io/proxy-body-size: 10000m
5. Upgrade the Longhorn release
helm -n storage-system upgrade longhorn -f /etc/kubernetes/addons/longhorn-values.yaml /etc/kubernetes/addons/longhorn
Release "longhorn" has been upgraded. Happy Helming!
NAME: longhorn
LAST DEPLOYED: Wed Jun 4 23:17:27 2025
NAMESPACE: storage-system
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
Longhorn is now installed on the cluster!
Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized.
Visit our documentation at https://longhorn.io/docs/
Verification
Check that the Ingress and certificate are correctly created:
kubectl -n storage-system get ingress
NAME               CLASS   HOSTS                   ADDRESS          PORTS    AGE
longhorn-ingress   nginx   longhorn.jiaxzeng.com   10.109.195.237   80,443   109s
kubectl -n storage-system get cert
NAME                        READY   SECRET                      AGE
longhorn.jiaxzeng.com-tls   True    longhorn.jiaxzeng.com-tls   2m8s
Finally, access the UI via a browser; the screenshot below shows the secured Longhorn UI login prompt.
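
The step 4 snippet does not repeat the auth annotations from step 3, so both sets have to end up in the same values file, and the get ingress output above does not show whether they did. The check below is an added example, not part of the original article or of Longhorn: it audits an Ingress object (and optionally the auth Secret) parsed from kubectl -o json output. The function names and sample objects are constructed for illustration.

```python
import base64

NGINX = "nginx.ingress.kubernetes.io/"

def audit_ingress(ingress, secret=None):
    """Return findings for a parsed Ingress (and optional auth Secret); [] means both layers are set."""
    findings = []
    ann = ingress.get("metadata", {}).get("annotations") or {}
    spec = ingress.get("spec", {})
    # Layer 1: basic-auth annotations from step 3
    if ann.get(NGINX + "auth-type") != "basic":
        findings.append("auth-type is not 'basic'")
    wanted = ann.get(NGINX + "auth-secret")
    if not wanted:
        findings.append("auth-secret annotation missing")
    elif secret is not None:
        if secret.get("metadata", {}).get("name") != wanted.split("/")[-1]:
            findings.append("Secret name does not match auth-secret")
        raw = (secret.get("data") or {}).get("auth")  # key set by --from-file=auth=...
        entries = base64.b64decode(raw).decode().splitlines() if raw else []
        if not any(":" in e and e.split(":", 1)[1] for e in entries):
            findings.append("Secret has no user:hash entry under key 'auth'")
    # Layer 2: every routed host must be covered by a TLS entry with a secretName
    hosts = {r["host"] for r in spec.get("rules", []) if r.get("host")}
    covered = {h for t in spec.get("tls", []) if t.get("secretName") for h in t.get("hosts", [])}
    findings += [f"host {h} has no TLS secret" for h in sorted(hosts - covered)]
    if not any(k in ann for k in ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")):
        findings.append("no cert-manager issuer annotation")
    return findings

def sample_ingress(annotations, tls=True):
    # Constructed sample shaped like `kubectl get ingress -o json` output
    host = "longhorn.jiaxzeng.com"
    spec = {"rules": [{"host": host}]}
    if tls:
        spec["tls"] = [{"hosts": [host], "secretName": host + "-tls"}]
    return {"metadata": {"name": "longhorn-ingress", "annotations": annotations}, "spec": spec}

AUTH = {NGINX + "auth-type": "basic", NGINX + "auth-secret": "longhorn-basic-auth"}
TLS = {"cert-manager.io/cluster-issuer": "ca-cluster-issuer"}
# Constructed Secret; the hash is a placeholder, not a real credential
SECRET = {"metadata": {"name": "longhorn-basic-auth"},
          "data": {"auth": base64.b64encode(b"jiaxzeng:$apr1$PLACEHOLDER\n").decode()}}

if __name__ == "__main__":
    print("merged values:", audit_ingress(sample_ingress({**AUTH, **TLS}), SECRET))
    print("step 4 only:  ", audit_ingress(sample_ingress(TLS)))
```

Against a live cluster, feed it json.loads() of kubectl -n storage-system get ingress longhorn-ingress -o json and of the longhorn-basic-auth Secret.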
Conclusion
Security is critical in cloud‑native environments, and every exposed component can become an attack vector. This article demonstrated how to add basic authentication and enable HTTPS for the Longhorn UI, helping you harden the service for production use.
Linux Ops Smart Journey
The operations journey never stops—pursuing excellence endlessly.
