Add support to provide existing kubernetes secret for nginx basic auth

Signed-off-by: Vasil Vasilev <vasil.vasilev@bosch.com>

deployment/helm/ditto/Chart.yaml

@@ -16,7 +16,7 @@ description: |
   A digital twin is a virtual, cloud based, representation of his real world counterpart
   (real world “Things”, e.g. devices like sensors, smart heating, connected cars, smart grids, EV charging stations etc).
 type: application
-version: 3.5.3  # chart version is effectively set by release-job
+version: 3.6.0  # chart version is effectively set by release-job
 appVersion: 3.5.3
 keywords:
   - iot-chart

deployment/helm/ditto/templates/nginx-auth.yaml

@@ -24,13 +24,24 @@ type: Opaque
 stringData:
   nginx.htpasswd: |-
 {{- if .Values.global.hashedBasicAuthUsers }}
-{{ range .Values.global.hashedBasicAuthUsers }}
-{{- . | indent 4 }}
-{{ end }}
+  {{ range .Values.global.hashedBasicAuthUsers }}
+    {{- . | indent 4 }}
+  {{ end }}
 {{- else }}
-{{ range $key, $value := .Values.global.basicAuthUsers }}
-{{- (htpasswd $value.user $value.password) | indent 4 }}
-{{ end }}
+  {{- if (quote .Values.global.existingSecret | empty) }}
+    {{ range $key, $value := .Values.global.basicAuthUsers }}
+      {{- (htpasswd $value.user $value.password) | indent 4 }}
+    {{ end }}
+  {{- else }}
+    {{- $secret := lookup "v1" "Secret" $.Release.Namespace .Values.global.existingSecret }}
+    {{- if $secret }}
+      {{- range $user, $password := $secret.data }}
+        {{ htpasswd $user ($password | b64dec) | indent 4 }}
+      {{- end }}
+    {{- else}}
+      {{- fail (printf "Missing provided existingSecret for basicAuthUsers: %s" .Values.global.existingSecret) }}
+    {{- end }}
+  {{ end }}
 {{ end }}
 ---
 {{- end }}

deployment/helm/ditto/templates/nginx-ingress-auth.yaml

@@ -24,13 +24,24 @@ type: Opaque
 stringData:
   auth: |-
 {{- if .Values.global.hashedBasicAuthUsers }}
-{{ range .Values.global.hashedBasicAuthUsers }}
-{{- . | indent 4 }}
-{{ end }}
+  {{ range .Values.global.hashedBasicAuthUsers }}
+    {{- . | indent 4 }}
+  {{ end }}
 {{- else }}
-{{ range $key, $value := .Values.global.basicAuthUsers }}
-{{- (htpasswd $value.user $value.password) | indent 4 }}
-{{ end }}
+  {{- if (quote .Values.global.existingSecret | empty) }}
+    {{ range $key, $value := .Values.global.basicAuthUsers }}
+      {{- (htpasswd $value.user $value.password) | indent 4 }}
+    {{ end }}
+  {{- else }}
+    {{- $secret := lookup "v1" "Secret" $.Release.Namespace .Values.global.existingSecret }}
+    {{- if $secret }}
+      {{- range $user, $password := $secret.data }}
+        {{ htpasswd $user ($password | b64dec) | indent 4 }}
+      {{- end }}
+    {{- else}}
+      {{- fail (printf "Missing provided existingSecret for basicAuthUsers: %s" .Values.global.existingSecret) }}
+    {{- end }}
+  {{ end }}
 {{ end }}
 ---
 {{- end }}

deployment/helm/ditto/values.yaml

@@ -74,6 +74,13 @@ global:
   #   password: ditto
   # - user: jane
   #   password: janesPw
+
+  # existingSecret contains the name of existing secret containing user and password
+  #  format: ${user}:${password}, where secret key is ${user} and value is ${password}
+  #  example creating secret for users ditto and jane:
+  #    kubectl create secret generic ditto-basic-auth --from-literal ditto=ditto --from-literal jane=janesPw
+  #  if not set then basicAuthUsers values are used.
+  existingSecret:
   # hashedBasicAuthUsers configures a list of hashed .htpasswd username/password entries
   hashedBasicAuthUsers: []
   # jwtOnly controls whether only OpenID-Connect authentication is supported