Skip to content
Latchkey

How to Password-Protect a Preview Environment in GitHub Actions

Add an nginx ingress basic-auth annotation and a per-preview htpasswd secret so previews are not publicly reachable.

Preview URLs are guessable, so gate them. With the nginx ingress controller, create an htpasswd secret and set the auth-type and auth-secret annotations on the preview ingress. Deploy both from the workflow.

Steps

  • Generate an htpasswd entry and store it in a namespaced secret.
  • Add nginx.ingress.kubernetes.io/auth-type: basic and auth-secret.
  • Deploy the ingress with those annotations for the preview.

Workflow

.github/workflows/preview.yml
jobs:
  preview:
    runs-on: ubuntu-latest
    env:
      NS: pr-${{ github.event.pull_request.number }}
    steps:
      - run: |
          htpasswd -cbB auth reviewer "${{ secrets.PREVIEW_PASSWORD }}"
          kubectl create secret generic basic-auth --from-file=auth -n "$NS" \
            --dry-run=client -o yaml | kubectl apply -f -
      - run: |
          helm upgrade --install "$NS" ./chart --namespace "$NS" \
            --set ingress.annotations."nginx\.ingress\.kubernetes\.io/auth-type"=basic \
            --set ingress.annotations."nginx\.ingress\.kubernetes\.io/auth-secret"=basic-auth

Gotchas

  • The htpasswd secret must live in the same namespace as the ingress.
  • Store the shared password as a secret; never commit it to the chart values.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →