How to Password-Protect a Preview Environment in GitHub Actions
Add an nginx ingress basic-auth annotation and a per-preview htpasswd secret so previews are not publicly reachable.
Preview URLs are guessable, so gate them. With the nginx ingress controller, create an htpasswd secret and set the auth-type and auth-secret annotations on the preview ingress. Deploy both from the workflow.
Steps
- Generate an htpasswd entry and store it in a namespaced secret.
- Add
nginx.ingress.kubernetes.io/auth-type: basicandauth-secret. - Deploy the ingress with those annotations for the preview.
Workflow
.github/workflows/preview.yml
jobs:
preview:
runs-on: ubuntu-latest
env:
NS: pr-${{ github.event.pull_request.number }}
steps:
- run: |
htpasswd -cbB auth reviewer "${{ secrets.PREVIEW_PASSWORD }}"
kubectl create secret generic basic-auth --from-file=auth -n "$NS" \
--dry-run=client -o yaml | kubectl apply -f -
- run: |
helm upgrade --install "$NS" ./chart --namespace "$NS" \
--set ingress.annotations."nginx\.ingress\.kubernetes\.io/auth-type"=basic \
--set ingress.annotations."nginx\.ingress\.kubernetes\.io/auth-secret"=basic-authGotchas
- The htpasswd secret must live in the same namespace as the ingress.
- Store the shared password as a secret; never commit it to the chart values.
Related guides
How to Assign a Subdomain Per Preview Environment in GitHub ActionsGive each preview a stable subdomain in GitHub Actions by deriving a per-PR hostname and configuring ingress…
How to Manage Preview Environment Secrets in GitHub ActionsScope non-production secrets to preview deploys in GitHub Actions with a dedicated Environment, keeping produ…