Configuring HTTP Basic Authentication with Envoy Gateway SecurityPolicy
This article explains Envoy Gateway's SecurityPolicy, introduces HTTP Basic Authentication, and provides step‑by‑step instructions—including .htpasswd generation, Kubernetes Secret creation, and SecurityPolicy manifest—to enable basic auth for an HTTPRoute and verify it with curl.
What is Envoy Gateway SecurityPolicy?
Envoy Gateway SecurityPolicy is an extension resource for the Kubernetes Gateway API that uses the Policy Attachment mechanism to add capabilities such as CORS, JWT, OIDC, and Basic Auth to Envoy Gateway.
What is HTTP Basic Authentication?
HTTP Basic Authentication is a simple credential‑based authentication scheme where the client sends a Base64‑encoded username and password in the Authorization header after receiving a 401 Unauthorized response.
GET /resource/ HTTP/1.1
Host: example.com
Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
Although simple, Basic Auth is widely used in gateway scenarios. Envoy previously lacked a built‑in Basic Auth filter, so a custom HTTP Basic Auth filter was implemented and integrated into Envoy Gateway.
Configuring HTTP Basic Authentication in Envoy Gateway
First, generate an .htpasswd file using the htpasswd command:
$ htpasswd -cbs .htpasswd foo bar
Adding password for user foo
The resulting file contains entries such as:
foo:{SHA}Ys23Ag/5IOWqZCw9QGaVDdHwH00=
Additional users can be added similarly:
$ htpasswd -bs .htpasswd foo1 bar1
The file now contains both entries:
foo:{SHA}Ys23Ag/5IOWqZCw9QGaVDdHwH00=
foo1:{SHA}djZ11qHY0KOijeymK7aKvYuvhvM=
Create a Kubernetes Secret from the .htpasswd file:
$ kubectl create secret generic basic-auth --from-file=.htpasswd
The Secret stores the file content Base64‑encoded:
apiVersion: v1
data:
  .htpasswd: Zm9vOntTSEF9...
kind: Secret
metadata:
  name: basic-auth
type: Opaque
Apply a SecurityPolicy that references the Secret and the target HTTPRoute:
cat <
This attaches Basic Authentication to the backend HTTPRoute.
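As an added illustration (not code from the article or from Envoy Gateway), this Python example shows what the artifacts above actually contain: it rebuilds the `{SHA}` entry that `htpasswd -s` writes, decodes an `Authorization: Basic` value, and checks the two against each other. The function names are hypothetical, and the check is an assumption about the general scheme, not Envoy's filter code.

```python
import base64
import hashlib
import hmac

# Sample input: the two .htpasswd entries shown in the article.
HTPASSWD = """\
foo:{SHA}Ys23Ag/5IOWqZCw9QGaVDdHwH00=
foo1:{SHA}djZ11qHY0KOijeymK7aKvYuvhvM=
"""


def sha_entry(user: str, password: str) -> str:
    """Build the line `htpasswd -s` writes: base64 of an unsalted SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash field, skipping blank and malformed lines."""
    users = {}
    for line in text.splitlines():
        user, sep, stored = line.strip().partition(":")
        if sep and user and stored:
            users[user] = stored
    return users


def decode_basic(header_value: str):
    """Return (user, password) from an Authorization value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 (binascii.Error) or bad UTF-8
        return None
    user, sep, password = raw.partition(":")  # password may contain ':'
    return (user, password) if sep else None


def is_authorized(header_value: str, htpasswd_text: str = HTPASSWD) -> bool:
    """True only if the header's credentials match a {SHA} entry."""
    creds = decode_basic(header_value)
    if creds is None:
        return False
    stored = parse_htpasswd(htpasswd_text).get(creds[0], "").encode()
    expected = sha_entry(*creds).partition(":")[2].encode()
    # Constant-time comparison of the stored and recomputed hash fields.
    return stored.startswith(b"{SHA}") and hmac.compare_digest(stored, expected)
```

Because the `{SHA}` field is an unsalted SHA-1 and the header is only Base64-encoded, equal passwords produce equal entries and the credentials are readable by anyone who can see the request, so the route is normally served over TLS.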
Verification
Requesting the route without credentials returns 401 Unauthorized:
curl -v -H "Host: www.example.com" "http://${GATEWAY_HOST}/"
... 401 Unauthorized ...
Providing the correct username and password succeeds:
curl -v -H "Host: www.example.com" -u 'foo:bar' "http://${GATEWAY_HOST}/"
... 200 OK ...
Conclusion
The guide demonstrates how to use Envoy Gateway SecurityPolicy to protect an HTTPRoute with HTTP Basic Authentication, covering .htpasswd generation, Secret creation, manifest application, and testing.
Cloud Native Technology Community
The Cloud Native Technology Community, part of the CNBPA Cloud Native Technology Practice Alliance, focuses on evangelizing cutting‑edge cloud‑native technologies and practical implementations. It shares in‑depth content, case studies, and event/meetup information on containers, Kubernetes, DevOps, Service Mesh, and other cloud‑native tech, along with updates from the CNBPA alliance.