API Key Authentication
The API Key authentication middleware secures an API by requiring the client to present a secret key, base64 encoded or not, in an HTTP header, a cookie or a query parameter.
Configuration Example
Middleware API Key:

```yaml
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: test-apikey
  namespace: apps
spec:
  plugin:
    apiKey:
      keySource:
        headerAuthScheme: Bearer
        header: Authorization
      secretNonBase64Encoded: true
      secretValues:
        - "urn:k8s:secret:apikey:secret"
        - "urn:k8s:secret:apikey:othersecret"
```

Values Secret:

```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: apikey
  namespace: whoami
stringData:
  secret: $2y$05$D4SPFxzfWKcx1OXfVhRbvOTH/QB0Lm6AXTk8.NOmU4rPLX2t6UUuW # htpasswd -nbB "" foo | cut -c 2-
  othersecret: $2y$05$HbLL.g5dUqJippH0RuAGL.RaM9wNS2cT7hp6.vbv5okdCmVBSDzzK # htpasswd -nbB "" bar | cut -c 2-
```
Configuration Options
Field | Description | Default | Required |
---|---|---|---|
keySource.header | Defines the header name containing the secret sent by the client. Either keySource.header, keySource.query or keySource.cookie must be set. | "" | No |
keySource.headerAuthScheme | Defines the scheme when using Authorization as header name. Check out the Authorization header documentation. | "" | No |
keySource.query | Defines the query parameter name containing the secret sent by the client. Either keySource.header, keySource.query or keySource.cookie must be set. | "" | No |
keySource.cookie | Defines the cookie name containing the secret sent by the client. Either keySource.header, keySource.query or keySource.cookie must be set. | "" | No |
secretNonBase64Encoded | Defines whether the secret sent by the client is base64 encoded. Set to true when the client sends the key without base64 encoding. | false | No |
secretValues | Contains the hashes of the API keys. Supported hashing algorithms are Bcrypt, SHA1 and MD5. The hash should be generated using htpasswd. Can reference a Kubernetes Secret using the URN format: urn:k8s:secret:[name]:[valueKey] | [] | Yes |
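
A pre-deployment check for the options above, written as an added example (it is not Traefik's code): it takes the `spec.plugin.apiKey` mapping as a Python dict, applies the keySource rule from the table, and classifies each `secretValues` entry by its htpasswd output format. The names `classify_hash`, `lint_api_key` and `SAMPLE_SPEC` are hypothetical; flagging SHA1/MD5 hashes and query-parameter keys is a recommendation added here, not a rule stated in the table.

```python
import re

# htpasswd output formats for the three algorithms the options table lists.
HASH_FORMATS = [
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
]

def classify_hash(value):
    """Return 'bcrypt', 'md5', 'sha1', 'secret-ref' (URN) or 'unknown'."""
    if value.startswith("urn:k8s:secret:"):
        return "secret-ref"  # the hash lives in the referenced Secret
    for name, pattern in HASH_FORMATS:
        if pattern.match(value):
            return name
    return "unknown"

def lint_api_key(spec):
    """Check one apiKey plugin spec (a dict) and return a list of findings."""
    findings = []
    source = spec.get("keySource", {})
    if not any(source.get(k) for k in ("header", "query", "cookie")):
        findings.append("keySource: set header, query or cookie")
    if source.get("headerAuthScheme") and source.get("header") != "Authorization":
        findings.append("headerAuthScheme is meant for header: Authorization")
    if source.get("query"):
        findings.append("keySource.query: keys in URLs end up in access logs")
    values = spec.get("secretValues", [])
    if not values:
        findings.append("secretValues: required, list at least one hash")
    for i, value in enumerate(values):
        kind = classify_hash(value)
        if kind == "unknown":
            findings.append(f"secretValues[{i}]: not an htpasswd hash (plaintext key?)")
        elif kind in ("md5", "sha1"):
            findings.append(f"secretValues[{i}]: {kind} is weak, regenerate with htpasswd -B")
    return findings

# Constructed sample mirroring the middleware example on this page.
SAMPLE_SPEC = {
    "keySource": {"headerAuthScheme": "Bearer", "header": "Authorization"},
    "secretNonBase64Encoded": True,
    "secretValues": ["urn:k8s:secret:apikey:secret",
                     "urn:k8s:secret:apikey:othersecret"],
}

if __name__ == "__main__":
    print(lint_api_key(SAMPLE_SPEC) or "no findings")
```

To check the values stored in the Secret itself, pass each `stringData` entry to `classify_hash`.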