Secure Longhorn UI on Kubernetes: Add Basic Auth and Enable HTTPS
This guide walks you through securing the Longhorn UI in a Kubernetes environment by configuring basic authentication and enabling HTTPS via Ingress and cert‑manager, including prerequisite setup, secret creation, Helm upgrades, and verification steps to ensure production‑grade protection.
In the Kubernetes ecosystem, Longhorn is a popular distributed block storage solution, but its UI lacks authentication and HTTPS by default, allowing anyone who knows the IP and port to access and manipulate the storage system.
This article shows how to add two essential security layers to the Longhorn UI: basic username/password authentication and HTTPS encryption.
Prerequisites
An Ingress‑controller service is already deployed (see the "Helm implementation of high‑availability Ingress" article).
cert‑manager is installed (see the "Kubernetes certificate automation: cert‑manager installation guide" article).
An httpd environment (which provides the htpasswd tool) is available to generate the credential file.
Security Hardening
The hardening consists of two parts:
Require credentials to access the Longhorn UI.
Configure the Longhorn UI to use HTTPS.
1. Generate UI username and password
<code>sudo yum -y install httpd
htpasswd -c /tmp/longhorn-basic-auth jiaxzeng
New password:
Re-type new password:
Adding password for user jiaxzeng</code>
2. Create a secret containing the credentials
<code>kubectl -n storage-system create secret generic longhorn-basic-auth --from-file=auth=/tmp/longhorn-basic-auth
secret/longhorn-basic-auth created</code>
3. Install Longhorn with Ingress configuration (basic auth)
<code>ingress:
  enabled: true
  ingressClassName: nginx
  host: longhorn.jiaxzeng.com
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: longhorn-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required '
    nginx.ingress.kubernetes.io/proxy-body-size: 10000m</code>
4. Configure HTTPS for the Longhorn UI
<code>ingress:
  enabled: true
  ingressClassName: nginx
  host: longhorn.jiaxzeng.com
  tls: true
  tlsSecret: longhorn.jiaxzeng.com-tls
  annotations:
    cert-manager.io/cluster-issuer: ca-cluster-issuer
    nginx.ingress.kubernetes.io/proxy-body-size: 10000m</code>
5. Upgrade the Longhorn release
<code>helm -n storage-system upgrade longhorn -f /etc/kubernetes/addons/longhorn-values.yaml /etc/kubernetes/addons/longhorn
Release "longhorn" has been upgraded. Happy Helming!
NAME: longhorn
LAST DEPLOYED: Wed Jun 4 23:17:27 2025
NAMESPACE: storage-system
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
Longhorn is now installed on the cluster!
Please wait a few minutes for other Longhorn components such as CSI deployments, Engine Images, and Instance Managers to be initialized.
Visit our documentation at https://longhorn.io/docs/</code>
Verification
Check that the Ingress and certificate are correctly created:
<code>kubectl -n storage-system get ingress
NAME               CLASS   HOSTS                   ADDRESS          PORTS    AGE
longhorn-ingress   nginx   longhorn.jiaxzeng.com   10.109.195.237   80,443   109s
kubectl -n storage-system get cert
NAME                        READY   SECRET                      AGE
longhorn.jiaxzeng.com-tls   True    longhorn.jiaxzeng.com-tls   2m8s</code>
Finally, access the UI via a browser; the secured Longhorn UI now shows a login prompt.
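The values snippets in steps 3 and 4 each list only their own annotations, while the upgraded Ingress needs the auth annotations and the TLS section together. The following added example (not part of the original article) audits the Ingress object for both controls. The sample document is constructed to match the names used above, and `audit_ingress` is a hypothetical helper name.

```python
import json
import sys

NGINX = "nginx.ingress.kubernetes.io/"

# Constructed sample, shaped like the output of
# `kubectl -n storage-system get ingress longhorn-ingress -o json`.
SAMPLE = {
    "metadata": {"name": "longhorn-ingress", "annotations": {
        NGINX + "auth-type": "basic",
        NGINX + "auth-secret": "longhorn-basic-auth",
        "cert-manager.io/cluster-issuer": "ca-cluster-issuer",
    }},
    "spec": {
        "rules": [{"host": "longhorn.jiaxzeng.com"}],
        "tls": [{"hosts": ["longhorn.jiaxzeng.com"],
                 "secretName": "longhorn.jiaxzeng.com-tls"}],
    },
}


def audit_ingress(ingress):
    """Return findings; an empty list means auth and TLS are both configured."""
    findings = []
    ann = ingress.get("metadata", {}).get("annotations") or {}
    spec = ingress.get("spec") or {}

    # Control 1: the controller asks for credentials only with both annotations.
    if ann.get(NGINX + "auth-type") != "basic":
        findings.append("auth-type annotation is not 'basic'")
    if not ann.get(NGINX + "auth-secret"):
        findings.append("auth-secret annotation is missing")

    # Control 2: every routed host needs a TLS entry that names a secret.
    tls_hosts = {h for t in (spec.get("tls") or []) if t.get("secretName")
                 for h in (t.get("hosts") or [])}
    for rule in spec.get("rules") or []:
        if rule.get("host") not in tls_hosts:
            findings.append(f"host {rule.get('host')!r} has no TLS entry")

    # With the redirect off, basic-auth credentials can cross plain HTTP.
    if ann.get(NGINX + "ssl-redirect") == "false":
        findings.append("ssl-redirect is disabled")
    return findings


if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for line in audit_ingress(doc) or ["OK: basic auth and TLS both configured"]:
        print(line)
```

To check the live object, save the output of `kubectl -n storage-system get ingress longhorn-ingress -o json` to a file and pass its path as the first argument.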
Conclusion
Security is critical in cloud‑native environments, and every exposed component can become an attack vector. This article demonstrated how to add basic authentication and enable HTTPS for the Longhorn UI, helping you harden the service for production use.
Linux Ops Smart Journey
The operations journey never stops—pursuing excellence endlessly.