This guide describes how to configure HTTP Basic Authentication for applications running behind a Datum gateway using datumctl. The configuration uses Envoy Gateway SecurityPolicy resources and applies to Windows, macOS, and Linux.
Overview
HTTP Basic Authentication protects an application by requiring a username and password before requests are forwarded to the origin.
At a high level, this setup:
- Generates credentials in htpasswd (SHA) format
- Stores credentials in a Kubernetes Secret
- Labels the Secret so it is synced to edge clusters
- Attaches a SecurityPolicy to an
HTTPRoute
- Verifies authentication behavior
Prerequisites
datumctl installed and authenticated
- A valid Project
- Existing:
- Permission to create:
Verify access:
Critical requirement: secret syncing
Secrets and ConfigMaps referenced by gateway configurations are not automatically synced to edge clusters.
To make a Secret available to edge gateways, it must include the following label:
Why this matters
- Without this label, the gateway receives the policy but not the Secret
- Envoy fails to load the Basic Auth credentials
- All requests return HTTP 500 instead of a login prompt
This requirement exists to prevent accidental replication of unrelated secrets.
Configuration steps
Step 1: Set variables
Windows (PowerShell)
macOS / Linux
Step 2: Generate htpasswd entry (SHA)
Envoy Gateway currently supports SHA-based htpasswd entries only.
Other formats (bcrypt, APR1) are not supported and will cause failures.
Windows (PowerShell)
macOS / Linux
Step 3: Create the secret
The Secret must:
- Use the key
.htpasswd
- Exist in the same namespace as the
SecurityPolicy
- Include the gateway-sync label
Windows (PowerShell)
macOS / Linux
Step 4: Attach Basic Auth using a SecurityPolicy
Attach the policy to the HTTPRoute. This is the most reliable attachment point.
Windows (PowerShell)
macOS / Linux
Verification
Unauthenticated request
Expected response:
Browsers will display a login prompt.
Authenticated request
Expected response:
Cleanup / disable Basic Auth
Windows (PowerShell)
macOS / Linux
Troubleshooting
Common failure modes
Useful debug commands
Best practices
- Use Basic Auth for development, demos, and staging environments
- Rotate credentials regularly
- Store credentials securely using CI secrets or a secret manager
- Use JWT, OIDC, or SSO for production authentication
Summary
- HTTP Basic Auth is configured using Envoy Gateway
SecurityPolicy
- Secrets must be explicitly synced to edge clusters using the
gateway-sync label
{SHA} htpasswd format is required — bcrypt and APR1 are not supported
- Attaching policies to
HTTPRoute is the most reliable approach
Last modified on July 6, 2026