diff --git a/deployment/helm/ditto/Chart.yaml b/deployment/helm/ditto/Chart.yaml
index 13af5fb687..c7fab63261 100644
--- a/deployment/helm/ditto/Chart.yaml
+++ b/deployment/helm/ditto/Chart.yaml
@@ -16,7 +16,7 @@ description: |
 A digital twin is a virtual, cloud based, representation of his real world counterpart (real world “Things”, e.g. devices like sensors, smart heating, connected cars, smart grids, EV charging stations etc).
 type: application
-version: 3.3.5 # chart version is effectively set by release-job
+version: 3.3.6 # chart version is effectively set by release-job
 appVersion: 3.3.5
 keywords:
 - iot-chart
diff --git a/deployment/helm/ditto/templates/nginx-ingress-api.yaml b/deployment/helm/ditto/templates/nginx-ingress-api.yaml
index d1900b7ab8..4dde89e5be 100644
--- a/deployment/helm/ditto/templates/nginx-ingress-api.yaml
+++ b/deployment/helm/ditto/templates/nginx-ingress-api.yaml
@@ -22,6 +22,7 @@ metadata:
 {{- with .Values.ingress.annotations }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
+ {{ tpl .Values.ingress.api.kubernetesAuthAnnotations . | nindent 4}}
 {{- with .Values.ingress.api.annotations }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
diff --git a/deployment/helm/ditto/templates/nginx-ingress-auth.yaml b/deployment/helm/ditto/templates/nginx-ingress-auth.yaml
new file mode 100644
index 0000000000..9179f84a06
--- /dev/null
+++ b/deployment/helm/ditto/templates/nginx-ingress-auth.yaml
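Review bot: The added `tpl` call in nginx-ingress-api.yaml is unconditional, so a values override that sets `ingress.api.kubernetesAuthAnnotations` to null (the natural way to opt the API Ingress out of basic auth) will most likely fail at render time, because `tpl` requires a string; wrapping it as `{{- with .Values.ingress.api.kubernetesAuthAnnotations }}{{ tpl . $ | nindent 4 }}{{- end }}` keeps that path working and matches the `with` guards on the neighbouring annotation blocks. The missing `-` on the opening delimiter also leaves a stray blank line in the rendered metadata, unlike the surrounding `{{-` tags. The `metadata:` mapping this line sits in starts and ends outside the hunk.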
@@ -0,0 +1,36 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if .Values.ingress.enabled -}}
+{{- $releaseName := .Release.Name -}}
+{{- $name := include "ditto.name" . -}}
+{{- $labels := include "ditto.labels" . -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $releaseName }}-nginx-ingress-htpasswd
+ labels:
+ app.kubernetes.io/name: {{ $name }}-nginx-ingress-config
+{{ $labels | indent 4 }}
+type: Opaque
+stringData:
+ auth: |-
+{{- if .Values.global.hashedBasicAuthUsers }}
+{{ range .Values.global.hashedBasicAuthUsers }}
+{{- . | indent 4 }}
+{{ end }}
+{{- else }}
+{{ range $key, $value := .Values.global.basicAuthUsers }}
+{{- (htpasswd $value.user $value.password) | indent 4 }}
+{{ end }}
+{{ end }}
+---
+{{- end }}
diff --git a/deployment/helm/ditto/templates/nginx-ingress.yaml b/deployment/helm/ditto/templates/nginx-ingress.yaml
index 75c2f5abd6..8c05ee6721 100644
--- a/deployment/helm/ditto/templates/nginx-ingress.yaml
+++ b/deployment/helm/ditto/templates/nginx-ingress.yaml
@@ -134,6 +134,8 @@ data:
 proxy_set_header X-Original-URI $request_uri;
 # set ditto-specific forwarded headers
+ proxy_set_header X-Forwarded-User $remote_user;
+ proxy_set_header x-ditto-pre-authenticated "nginx:$remote_user";
 proxy-connect-timeout: "10" # seconds, default: 60
 # timeouts are configured slightly higher than gateway read-timeout of 60 seconds
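Review bot: The `basicAuthUsers` branch hashes plaintext passwords from the values file with sprig's `htpasswd`, which produces a bcrypt hash with a fresh random salt, so every `helm upgrade` renders a different Secret even when the user list is unchanged; since the `checksum/nginx-auth` annotation added in the nginx-ingress.yaml hunk at line 560 hashes this very template, the ingress controller pods will be rolled on every upgrade. Preferring `hashedBasicAuthUsers` (already supported here) avoids both that churn and keeping plaintext credentials in a committed values file, and a header comment on this template stating that trade-off would help operators choose. When both lists are empty the rendered `auth` value is an empty string, so the Secret exists but contains no valid user — fail-closed, which is the right default, but worth a comment so an unexpected lockout is recognised as intentional rather than a bug.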
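Review bot: `proxy_set_header x-ditto-pre-authenticated "nginx:$remote_user";` is always sent with the literal `nginx:` prefix, so on any location that did not enforce basic auth (where `$remote_user` is empty) the gateway receives a pre-authenticated subject of `nginx:` with an empty user name; the `X-Forwarded-User` line just above does not have this problem, because nginx omits a proxied header whose value is empty. If this snippet applies controller-wide rather than only to the API Ingress that carries the auth annotations, the value should come from a `map` on `$remote_user` that yields an empty string when nobody was authenticated, so the header is dropped instead of asserting an anonymous identity. Because `proxy_set_header` overwrites any client-supplied header of the same name, the remaining trust requirement is that the gateway Service is reachable only through this nginx — worth stating in the `# set ditto-specific forwarded headers` comment. The snippet these lines belong to begins outside the hunk.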
@@ -558,6 +560,7 @@ spec:
 annotations:
 prometheus.io/port: "10254"
 prometheus.io/scrape: "true"
+ checksum/nginx-auth: {{ include (print $.Template.BasePath "/nginx-ingress-auth.yaml") . | sha256sum }}
 spec:
 priorityClassName: high-priority
 serviceAccountName: nginx-ingress-serviceaccount
diff --git a/deployment/helm/ditto/values.yaml b/deployment/helm/ditto/values.yaml
index 2f6649605e..fb6f628f45 100644
--- a/deployment/helm/ditto/values.yaml
+++ b/deployment/helm/ditto/values.yaml
@@ -217,6 +217,10 @@ ingress:
 backendSuffix: gateway
 - path: /health
 backendSuffix: gateway
+ kubernetesAuthAnnotations: |
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: {{ .Release.Name }}-nginx-ingress-htpasswd
+ nginx.ingress.kubernetes.io/auth-realm: 'Authentication required to use HTTP API!'
 # annotations defines k8s annotations to add to the Ingress
 annotations:
 nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"
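Review bot: `kubernetesAuthAnnotations` is the only entry under `ingress.api` that is a templated string rather than a plain map, yet it has no comment while the neighbouring `annotations` key does; I would add `# kubernetesAuthAnnotations is rendered with tpl and added to the API Ingress; it enables nginx basic auth against the <release>-nginx-ingress-htpasswd Secret built from global.basicAuthUsers / global.hashedBasicAuthUsers` above it so operators know where the credentials come from and that overriding this value changes who can reach the HTTP API. The literal block uses `|`, so the value carries a trailing newline that `nindent` turns into a blank line in the Ingress metadata; `|-` avoids that. The `ingress:` mapping this belongs to starts outside the hunk.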