Skip to main content
This guide describes how to configure HTTP Basic Authentication for applications running behind a Datum gateway using datumctl. The configuration uses Envoy Gateway SecurityPolicy resources and applies to Windows, macOS, and Linux.

Overview

HTTP Basic Authentication protects an application by requiring a username and password before requests are forwarded to the origin. At a high level, this setup:
  1. Generates credentials in htpasswd (SHA) format
  2. Stores credentials in a Kubernetes Secret
  3. Labels the Secret so it is synced to edge clusters
  4. Attaches a SecurityPolicy to an HTTPRoute
  5. Verifies authentication behavior

Prerequisites

  • datumctl installed and authenticated
  • A valid Project
  • Existing:
    • Gateway
    • HTTPRoute
  • Permission to create:
    • Secret
    • SecurityPolicy
Verify access:

Critical requirement: secret syncing

Secrets and ConfigMaps referenced by gateway configurations are not automatically synced to edge clusters. To make a Secret available to edge gateways, it must include the following label:

Why this matters

  • Without this label, the gateway receives the policy but not the Secret
  • Envoy fails to load the Basic Auth credentials
  • All requests return HTTP 500 instead of a login prompt
This requirement exists to prevent accidental replication of unrelated secrets.

Configuration steps

Step 1: Set variables

Windows (PowerShell)

macOS / Linux


Step 2: Generate htpasswd entry (SHA)

Envoy Gateway currently supports SHA-based htpasswd entries only. Other formats (bcrypt, APR1) are not supported and will cause failures.

Windows (PowerShell)

macOS / Linux


Step 3: Create the secret

The Secret must:
  • Use the key .htpasswd
  • Exist in the same namespace as the SecurityPolicy
  • Include the gateway-sync label

Windows (PowerShell)

macOS / Linux


Step 4: Attach Basic Auth using a SecurityPolicy

Attach the policy to the HTTPRoute. This is the most reliable attachment point.

Windows (PowerShell)

macOS / Linux


Verification

Unauthenticated request

Expected response:
Browsers will display a login prompt.

Authenticated request

Expected response:

Cleanup / disable Basic Auth

Windows (PowerShell)

macOS / Linux


Troubleshooting

Common failure modes

Useful debug commands


Best practices

  • Use Basic Auth for development, demos, and staging environments
  • Rotate credentials regularly
  • Store credentials securely using CI secrets or a secret manager
  • Use JWT, OIDC, or SSO for production authentication

Summary

  • HTTP Basic Auth is configured using Envoy Gateway SecurityPolicy
  • Secrets must be explicitly synced to edge clusters using the gateway-sync label
  • {SHA} htpasswd format is required — bcrypt and APR1 are not supported
  • Attaching policies to HTTPRoute is the most reliable approach
Last modified on July 6, 2026