Merge pull request #1702 from vladica/feature/basic_nginx_ingress_auth

Support for basic nginx-ingress authentication
eclipse-ditto · Jul 26, 2023 · 29277b4 · 29277b4
2 parents 58ce86b + c031c28
commit 29277b4
Show file tree

Hide file tree

Showing 5 changed files with 45 additions and 1 deletion.
diff --git a/deployment/helm/ditto/Chart.yaml b/deployment/helm/ditto/Chart.yaml
@@ -16,7 +16,7 @@ description: |
   A digital twin is a virtual, cloud based, representation of his real world counterpart
   (real world “Things”, e.g. devices like sensors, smart heating, connected cars, smart grids, EV charging stations etc).
 type: application
-version: 3.3.5  # chart version is effectively set by release-job
+version: 3.3.6  # chart version is effectively set by release-job
 appVersion: 3.3.5
 keywords:
   - iot-chart

diff --git a/deployment/helm/ditto/templates/nginx-ingress-api.yaml b/deployment/helm/ditto/templates/nginx-ingress-api.yaml
@@ -22,6 +22,7 @@ metadata:
   {{- with .Values.ingress.annotations }}
     {{- toYaml . | nindent 4 }}
   {{- end }}
+    {{ tpl .Values.ingress.api.kubernetesAuthAnnotations . | nindent 4}}
   {{- with .Values.ingress.api.annotations }}
     {{- toYaml . | nindent 4 }}
   {{- end }}

diff --git a/deployment/helm/ditto/templates/nginx-ingress-auth.yaml b/deployment/helm/ditto/templates/nginx-ingress-auth.yaml
@@ -0,0 +1,36 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if .Values.ingress.enabled -}}
+{{- $releaseName := .Release.Name -}}
+{{- $name := include "ditto.name" . -}}
+{{- $labels := include "ditto.labels" . -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $releaseName }}-nginx-ingress-htpasswd
+  labels:
+    app.kubernetes.io/name: {{ $name }}-nginx-ingress-config
+{{ $labels | indent 4 }}
+type: Opaque
+stringData:
+  auth: |-
+{{- if .Values.global.hashedBasicAuthUsers }}
+{{ range .Values.global.hashedBasicAuthUsers }}
+{{- . | indent 4 }}
+{{ end }}
+{{- else }}
+{{ range $key, $value := .Values.global.basicAuthUsers }}
+{{- (htpasswd $value.user $value.password) | indent 4 }}
+{{ end }}
+{{ end }}
+---
+{{- end }}
diff --git a/deployment/helm/ditto/templates/nginx-ingress.yaml b/deployment/helm/ditto/templates/nginx-ingress.yaml
@@ -134,6 +134,8 @@ data:
     proxy_set_header X-Original-URI $request_uri;
 
     # set ditto-specific forwarded headers
+    proxy_set_header        X-Forwarded-User              $remote_user;
+    proxy_set_header        x-ditto-pre-authenticated     "nginx:$remote_user";
 
   proxy-connect-timeout: "10" # seconds, default: 60
   # timeouts are configured slightly higher than gateway read-timeout of 60 seconds
@@ -558,6 +560,7 @@ spec:
       annotations:
         prometheus.io/port: "10254"
         prometheus.io/scrape: "true"
+        checksum/nginx-auth: {{ include (print $.Template.BasePath "/nginx-ingress-auth.yaml") . | sha256sum }}
     spec:
       priorityClassName: high-priority
       serviceAccountName: nginx-ingress-serviceaccount

diff --git a/deployment/helm/ditto/values.yaml b/deployment/helm/ditto/values.yaml
@@ -217,6 +217,10 @@ ingress:
         backendSuffix: gateway
       - path: /health
         backendSuffix: gateway
+    kubernetesAuthAnnotations: |
+      nginx.ingress.kubernetes.io/auth-type: basic
+      nginx.ingress.kubernetes.io/auth-secret: {{ .Release.Name }}-nginx-ingress-htpasswd
+      nginx.ingress.kubernetes.io/auth-realm: 'Authentication required to use HTTP API!'
     # annotations defines k8s annotations to add to the Ingress
     annotations:
       nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"