Create an Ingress with Basic Authentication for SUSE Storage Using Traefik


If you install SUSE Storage on a Kubernetes cluster with kubectl or Helm, you need to create an Ingress so external traffic can reach the SUSE Storage UI.

Authentication is not enabled by default when SUSE Storage is installed with kubectl or Helm. This guide shows how to expose the SUSE Storage UI with Traefik, protect it with basic authentication, and configure support for large file uploads such as backing images.

With ingress-nginx retired by the Kubernetes project, Traefik is a practical alternative for Kubernetes environments, especially because it supports standard Ingress resources, dynamic updates, and reusable middleware components. Kubernetes officially announced the ingress-nginx retirement in November 2025, with best-effort maintenance ending in March 2026.

Why Traefik?

Traefik is a good fit for this use case for several reasons:

  • It works with standard Kubernetes Ingress resources.
  • It supports reusable middleware components for features such as authentication, request buffering, rate limiting, redirects, and headers.
  • Its Kubernetes Ingress provider watches Ingress changes and derives dynamic routing configuration automatically.
  • It is the default ingress controller in K3s and RKE2, which makes it especially relevant for lightweight Kubernetes distributions commonly used in edge and lab environments.
    • These instructions assume that the Traefik Ingress Controller is already installed and running in your cluster. Traefik is commonly used by default in K3s and RKE2, but in other environments you may need to install it manually first. You can verify that it is running with:
      kubectl get pods -A | grep traefik
    • Traefik also supports a CRD-based resource named IngressRoute, which provides more advanced routing capabilities than a standard Kubernetes Ingress. In this guide, we use the standard Ingress resource for simplicity and compatibility, while still taking advantage of Traefik middleware through annotations. Traefik documents IngressRoute as its CRD-based routing model, while its Kubernetes Ingress provider continues to support standard Ingress resources.

Security Considerations

Basic authentication is simple and useful for quick protection of the SUSE Storage UI, but it should only be used over HTTPS. Basic Auth credentials are sent with each request, so exposing them over plain HTTP is not recommended for production.

For production environments, Traefik can also be combined with additional protections such as IP allow lists, rate limiting, security headers, and external authentication through ForwardAuth. These are all supported middleware patterns in Traefik Proxy.

Prerequisites

Before you begin, make sure:

  • SUSE Storage is installed in the longhorn-system namespace
  • Traefik is installed and running in the cluster
  • The Traefik Kubernetes CRDs are installed, because Middleware is a Traefik CRD resource. Traefik documents that Middleware must be registered in the cluster before Middleware objects can be created.

1. Create a Basic Auth Secret

Create a basic auth file named auth. The secret must contain a key named auth, which will be used by the Traefik basicAuth middleware.

USER=<USERNAME_HERE>
PASSWORD=<PASSWORD_HERE>
# Write an htpasswd-style line (username:APR1-MD5 hash) to the file named auth
echo "${USER}:$(openssl passwd -stdin -apr1 <<< "${PASSWORD}")" > auth

Create the secret in the longhorn-system namespace:

kubectl -n longhorn-system create secret generic basic-auth --from-file=auth

This approach creates an htpasswd-style entry with a hashed password, which is better than storing a plain username and password directly in a secret field. Traefik documents BasicAuth support and the use of Kubernetes secrets for this purpose.

2. Create Traefik Middlewares

Traefik uses middlewares to apply features such as authentication and request handling rules. In this example, we create:

  • a basicAuth middleware to protect the SUSE Storage UI
  • a buffering middleware to allow large backing image uploads

Create a file named longhorn-middlewares.yaml:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: longhorn-auth
  namespace: longhorn-system
spec:
  basicAuth:
    secret: basic-auth
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: longhorn-buffering
  namespace: longhorn-system
spec:
  buffering:
    # Allows backing image uploads up to 10,000MB
    maxRequestBodyBytes: 10485760000

Apply the configuration:

kubectl apply -f longhorn-middlewares.yaml

Traefik documents Middleware as a Kubernetes CRD and defines buffering.maxRequestBodyBytes as the request size limit. This is especially important for SUSE Storage because backing image uploads can be large. Without an appropriate request body limit, oversized upload requests may be rejected at the ingress layer before they ever reach the SUSE Storage frontend service.

3. Create the Ingress Manifest

Now create an Ingress resource for the SUSE Storage UI and attach both middlewares through a Traefik annotation.

Create a file named longhorn-ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: longhorn-ingress
  namespace: longhorn-system
  annotations:
    # Connect the middlewares defined in step 2
    traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-auth@kubernetescrd,longhorn-system-longhorn-buffering@kubernetescrd
spec:
  ingressClassName: traefik
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: longhorn-frontend
            port:
              number: 80

Apply it:

kubectl apply -f longhorn-ingress.yaml

Traefik documents the router.middlewares annotation for Kubernetes Ingress and shows that middleware references are provided as a comma-separated list using provider syntax such as @kubernetescrd.
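
After steps 1 to 3, two things are worth checking: that every entry in the router.middlewares annotation resolves to a Middleware that exists, and that the UI answers unauthenticated requests with 401. The script below is an added example, not part of the original guide; the function names are hypothetical and <INGRESS_ADDRESS> is a placeholder for your own address.

```shell
#!/bin/sh
# Added example (not from the original guide); function names are hypothetical.

# unresolved_refs ANNOTATION "ns/name ns/name ..."
# Prints each router.middlewares entry that matches no existing Middleware.
# The kubernetescrd provider addresses one as <namespace>-<name>@kubernetescrd.
unresolved_refs() {
  annotation=$1
  existing=$2
  old_ifs=$IFS
  set -f                       # no globbing while the value is split
  IFS=,
  for ref in $annotation; do
    IFS=$old_ifs
    # Drop spaces/newlines left by a wrapped or folded YAML value.
    ref=$(printf '%s' "$ref" | tr -d ' \t\n')
    [ -n "$ref" ] || continue
    found=no
    for mw in $existing; do
      if [ "$ref" = "${mw%%/*}-${mw#*/}@kubernetescrd" ]; then found=yes; fi
    done
    [ "$found" = yes ] || printf '%s\n' "$ref"
  done
  IFS=$old_ifs
  set +f
}

# auth_enforced URL
# Succeeds only when a request without credentials is answered with 401,
# i.e. the basicAuth middleware really sits in front of the UI.
auth_enforced() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1") || return 2
  [ "$code" = 401 ]
}

# Usage against the cluster from this guide:
#   ann=$(kubectl -n longhorn-system get ingress longhorn-ingress -o \
#     jsonpath='{.metadata.annotations.traefik\.ingress\.kubernetes\.io/router\.middlewares}')
#   have=$(kubectl get middlewares.traefik.io -A -o \
#     jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{" "}{end}')
#   unresolved_refs "$ann" "$have"              # expect no output
#   auth_enforced "http://<INGRESS_ADDRESS>/"   # expect exit status 0
```

Any line printed by unresolved_refs is a reference Traefik cannot resolve, usually a missing namespace prefix or a typo in the Middleware name.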

Additional Traefik Features You Can Add

One advantage of Traefik is that the same Ingress can be extended over time with additional security and operational features. Depending on your environment, you may want to enable TLS to secure traffic, redirect HTTP to HTTPS, restrict access with IP allow lists, add security-related response headers, and apply rate limiting to reduce abuse. Traefik also provides observability features such as access logs, metrics, and tracing, which can help monitor and troubleshoot traffic to the SUSE Storage UI.

Conclusion

With ingress-nginx retired, Traefik is a practical way to expose the SUSE Storage UI on Kubernetes while keeping the configuration modular and Kubernetes-native. By combining a standard Kubernetes Ingress with Traefik middlewares, you can add basic authentication and support for large backing image uploads without changing the SUSE Storage service itself.

For production deployments, enable TLS and consider adding other Traefik protections such as IP allow lists, redirects, and security headers.
