Support for basic nginx-ingress authentication

Signed-off-by: Vladica Obojevic <obojevic@gmail.com>
eclipse-ditto · Jul 21, 2023 · 91755b9 · 91755b9
1 parent 98ef928
commit 91755b9
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 0 deletions.
diff --git a/deployment/helm/ditto/templates/nginx-ingress-auth.yaml b/deployment/helm/ditto/templates/nginx-ingress-auth.yaml
@@ -0,0 +1,36 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if .Values.ingress.enabled -}}
+{{- $releaseName := .Release.Name -}}
+{{- $name := include "ditto.name" . -}}
+{{- $labels := include "ditto.labels" . -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $releaseName }}-nginx-ingress-htpasswd
+  labels:
+    app.kubernetes.io/name: {{ $name }}-nginx-ingress-config
+{{ $labels | indent 4 }}
+type: Opaque
+stringData:
+  auth: |-
+{{- if .Values.global.hashedBasicAuthUsers }}
+{{ range .Values.global.hashedBasicAuthUsers }}
+{{- . | indent 4 }}
+{{ end }}
+{{- else }}
+{{ range $key, $value := .Values.global.basicAuthUsers }}
+{{- (htpasswd $value.user $value.password) | indent 4 }}
+{{ end }}
+{{ end }}
+---
+{{- end }}
diff --git a/deployment/helm/ditto/templates/nginx-ingress.yaml b/deployment/helm/ditto/templates/nginx-ingress.yaml
@@ -134,6 +134,8 @@ data:
     proxy_set_header X-Original-URI $request_uri;
 
     # set ditto-specific forwarded headers
+    proxy_set_header        X-Forwarded-User              $remote_user;
+    proxy_set_header        x-ditto-pre-authenticated     "nginx:$remote_user";
 
   proxy-connect-timeout: "10" # seconds, default: 60
   # timeouts are configured slightly higher than gateway read-timeout of 60 seconds
@@ -558,6 +560,7 @@ spec:
       annotations:
         prometheus.io/port: "10254"
         prometheus.io/scrape: "true"
+        checksum/nginx-auth: {{ include (print $.Template.BasePath "/nginx-ingress-auth.yaml") . | sha256sum }}
     spec:
       priorityClassName: high-priority
       serviceAccountName: nginx-ingress-serviceaccount

diff --git a/deployment/helm/ditto/values.yaml b/deployment/helm/ditto/values.yaml
@@ -219,6 +219,12 @@ ingress:
         backendSuffix: gateway
     # annotations defines k8s annotations to add to the Ingress
     annotations:
+      # type of authentication
+      nginx.ingress.kubernetes.io/auth-type: basic
+      # name of the secret that contains the user/password definitions
+      nginx.ingress.kubernetes.io/auth-secret: my-ditto-nginx-ingress-htpasswd
+      # message to display with an appropriate context why the authentication is required
+      nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required to use HTTP API!'
       nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"
       nginx.ingress.kubernetes.io/proxy-send-timeout: "70"
       nginx.ingress.kubernetes.io/proxy-read-timeout: "70"