By default, the dashboard is not protected and is available to everyone.
To restrict access, ingress-dashboard supports the following methods:
- basic authorization
- OIDC provider
Regardless of the selected authorization method, ALWAYS use a secured connection (i.e. TLS/HTTPS).
Basic authorization assumes a static username and password. It is not the best option from a security perspective, but it is good enough for internal usage or for testing.
For proper protection and for enterprise usage, consider using OIDC.
To enable basic authorization, provide the following environment variables:
- `AUTH=basic` - switch auth mode to HTTP basic
- `BASIC_USER=<your user name>` - desired user name (commonly
- `BASIC_PASSWORD=<password>` - desired user password
The password is a critical value, so consider using secrets to store it.
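A Deployment fragment for basic authorization that reads the password from a Kubernetes Secret instead of a literal value. This is an added example, not taken from the ingress-dashboard project; the Secret name `dashboard-basic-auth`, its key `password`, and the user name `admin` are assumptions, and elided fields are marked `# ...`.

```yaml
# Added example: dashboard-basic-auth, password and admin are assumed names.
---
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-basic-auth        # assumed Secret name
  namespace: ingress-dashboard
type: Opaque
stringData:
  # Placeholder: supply the real value when creating the Secret
  # and keep the populated manifest out of version control.
  password: "<password>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  # ...
  name: dashboard
  namespace: ingress-dashboard
spec:
  # ...
  template:
    # ...
    spec:
      containers:
        - name: dashboard
          # ...
          env:
            - name: AUTH
              value: "basic"
            - name: BASIC_USER
              value: admin            # assumed user name
            - name: BASIC_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: dashboard-basic-auth
                  key: password
```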
OIDC is the industry standard for integrating with OAuth 2 Identity Providers (IDP).
OIDC is supported by many providers, including (incomplete list):
- and many more
To connect ingress-dashboard to an IDP, you need to obtain:
- issuer URL
- client ID and client secret
To enable OIDC authorization, provide the following environment variables:
- `AUTH=oidc` - switch auth mode to OIDC
- `OIDC_ISSUER=<issuer-url>` - IDP URL (ex: for Keycloak it will be
- `CLIENT_ID=<client-id>` - client ID from the IDP
- `CLIENT_SECRET=<password>` - client secret from the IDP (sensitive information, use secrets to store it)
- `SERVER_URL=<public URL>` - (optional) URL of ingress-dashboard, used for redirects. If not set, the dashboard will rely on the Host header.
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  # ...
  name: dashboard
  namespace: ingress-dashboard
spec:
  # ...
  template:
    # ...
    spec:
      containers:
        - name: dashboard
          # ...
          env:
            # ...
            - name: AUTH
              value: "oidc"
            - name: CLIENT_ID
              value: my-client-id-in-idp
            - name: CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: my-secret-storage
                  key: client_secret
            - name: OIDC_ISSUER
              value: https://my-idp.example.com/
            - name: SERVER_URL
              value: https://example.com
            # ...
```