OH3 behind a traefik ingress in k3s (kubernetes) with basic auth


I already found this thread:

and this:

and saw the documentation about oh3 installation here:

But I was still not successful to get it up and running in an k3s environment (traefik 1.7 and kubernetes).

Has someone here managed to get the new oh3 authentication up and running behind a basic auth secured traefik reverse proxy? Can someone point me to the necessary yaml-Configs?

Looks like I’m the first with such a setup. I solved it by defining the ingress like that:

apiVersion: networking.k8s.io/v1
kind: Ingress
  name: openhab3
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/auth-type: basic
    traefik.ingress.kubernetes.io/auth-secret: authsecret
    ingress.kubernetes.io/custom-request-headers: "cookie: X-OPENHAB-AUTH-HEADER=true"
    ingress.kubernetes.io/custom-response-headers: "cookie: X-OPENHAB-AUTH-HEADER=true"
    ingress.kubernetes.io/auth-remove-header: "true"
  - host: myremoteoh.domain.de
      - path: /
        pathType: Prefix
            name: openhab3
              number: 8080

The “authsecret” is the name of the kubernetes secret that keeps the password for the basic auth protection.

Would be great to have this for traefik in the openhab3 documentation, too.

1 Like

Someone knows how translate this to nginx ingress instead ? Thanks !


i’m using OH4 in Kubernetes behind an traefik ingress to access the openhab REST-API and web site.

Basic Auth works. I’m also able to login.

After this i see an Authorization Header from Basic Auth and a X-OPENHAB-TOKEN from the login process. But if i simply reload the page the X-OPENHAB-TOKEN is gone and i have to login again.

This is no intended, isn’t it? Or is this a problem of my ingress configuration?

I have the same configuration

What i see if refresh the site is an request to https://xxx/rest/auth/token. The result of this request is 400 {“error”:“invalid_grant”}

It seems that someone drops the X-OPENHAB-SESSIONID-Cookie. The Request /rest/auth/token?useCookie=true should set this cookie but it doesn’t.

Any Ideas?