From 91755b9bb39f992cd6865141790badcad1f91802 Mon Sep 17 00:00:00 2001
From: Vladica Obojevic
Date: Fri, 21 Jul 2023 12:28:57 +0200
Subject: [PATCH 1/3] Support for basic nginx-ingress authentication
Signed-off-by: Vladica Obojevic
---
 .../ditto/templates/nginx-ingress-auth.yaml | 36 +++++++++++++++++++
 .../helm/ditto/templates/nginx-ingress.yaml | 3 ++
 deployment/helm/ditto/values.yaml | 6 ++++
 3 files changed, 45 insertions(+)
 create mode 100644 deployment/helm/ditto/templates/nginx-ingress-auth.yaml
diff --git a/deployment/helm/ditto/templates/nginx-ingress-auth.yaml b/deployment/helm/ditto/templates/nginx-ingress-auth.yaml
new file mode 100644
index 0000000000..9179f84a06
--- /dev/null
+++ b/deployment/helm/ditto/templates/nginx-ingress-auth.yaml
@@ -0,0 +1,36 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if .Values.ingress.enabled -}}
+{{- $releaseName := .Release.Name -}}
+{{- $name := include "ditto.name" . -}}
+{{- $labels := include "ditto.labels" . -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $releaseName }}-nginx-ingress-htpasswd
+ labels:
+ app.kubernetes.io/name: {{ $name }}-nginx-ingress-config
+{{ $labels | indent 4 }}
+type: Opaque
+stringData:
+ auth: |-
+{{- if .Values.global.hashedBasicAuthUsers }}
+{{ range .Values.global.hashedBasicAuthUsers }}
+{{- . | indent 4 }}
+{{ end }}
+{{- else }}
+{{ range $key, $value := .Values.global.basicAuthUsers }}
+{{- (htpasswd $value.user $value.password) | indent 4 }}
+{{ end }}
+{{ end }}
+---
+{{- end }}
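Review bot: The `basicAuthUsers` branch hashes with sprig's `htpasswd`, which produces a salted bcrypt hash, so the rendered Secret differs on every `helm template`/`helm upgrade` even when no credential changed; together with the `checksum/nginx-auth` annotation this patch adds to the nginx-ingress Deployment in nginx-ingress.yaml, that rolls the ingress pods on every upgrade. Document the stable option above the `else` branch, e.g. `# htpasswd salts per render: the Secret (and the Deployment checksum) changes on every upgrade; use hashedBasicAuthUsers for stable output`. The template is also rendered whenever `ingress.enabled` is true, so with neither list set the Secret carries an empty `auth` value that the `auth-secret` annotation still points at; guard it with `{{- if and .Values.ingress.enabled (or .Values.global.hashedBasicAuthUsers .Values.global.basicAuthUsers) -}}` or guard the annotation on the same condition. The plaintext `password` fields of `basicAuthUsers` also end up in the stored release values, which is a further reason to point users at the pre-hashed list.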
diff --git a/deployment/helm/ditto/templates/nginx-ingress.yaml b/deployment/helm/ditto/templates/nginx-ingress.yaml index 75c2f5abd6..8c05ee6721 100644 --- a/deployment/helm/ditto/templates/nginx-ingress.yaml +++ b/deployment/helm/ditto/templates/nginx-ingress.yaml @@ -134,6 +134,8 @@ data: proxy_set_header X-Original-URI $request_uri; # set ditto-specific forwarded headers + proxy_set_header X-Forwarded-User $remote_user; + proxy_set_header x-ditto-pre-authenticated "nginx:$remote_user"; proxy-connect-timeout: "10" # seconds, default: 60 # timeouts are configured slightly higher than gateway read-timeout of 60 seconds @@ -558,6 +560,7 @@ spec: annotations: prometheus.io/port: "10254" prometheus.io/scrape: "true" + checksum/nginx-auth: {{ include (print $.Template.BasePath "/nginx-ingress-auth.yaml") . | sha256sum }} spec: priorityClassName: high-priority serviceAccountName: nginx-ingress-serviceaccount diff --git a/deployment/helm/ditto/values.yaml b/deployment/helm/ditto/values.yaml index 2f6649605e..af1cc7df66 100644 --- a/deployment/helm/ditto/values.yaml +++ b/deployment/helm/ditto/values.yaml @@ -219,6 +219,12 @@ ingress: backendSuffix: gateway # annotations defines k8s annotations to add to the Ingress annotations: + # type of authentication + nginx.ingress.kubernetes.io/auth-type: basic + # name of the secret that contains the user/password definitions + nginx.ingress.kubernetes.io/auth-secret: my-ditto-nginx-ingress-htpasswd + # message to display with an appropriate context why the authentication is required + nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required to use HTTP API!' nginx.ingress.kubernetes.io/proxy-connect-timeout: "10" nginx.ingress.kubernetes.io/proxy-send-timeout: "70" nginx.ingress.kubernetes.io/proxy-read-timeout: "70" From 17e8f0728c27475efbf11276a3f20f2b759c9d14 Mon Sep 17 00:00:00 2001 From: Vladica Obojevic Date: Mon, 24 Jul 2023 09:48:31 +0200 Subject: [PATCH 2/3] Bump Chart version 
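Review bot: `x-ditto-pre-authenticated` is derived from `$remote_user` unconditionally, so on any request that reaches the backend without basic auth having been enforced (a path or Ingress without the `auth-*` annotations) the gateway receives `x-ditto-pre-authenticated: nginx:` with an empty subject; whether the gateway rejects an empty pre-authenticated subject is not visible here and should be confirmed. Because `proxy_set_header` replaces whatever value the client sent, the header cannot be injected through this controller, but that only holds for traffic entering via nginx, which the snippet does not state; add above the two new lines `# trusted by the gateway as proof of authentication: the gateway must only be reachable through this ingress, never directly`. The enclosing ConfigMap entry starts and ends outside the hunk.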
Signed-off-by: Vladica Obojevic --- deployment/helm/ditto/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/helm/ditto/Chart.yaml b/deployment/helm/ditto/Chart.yaml index 13af5fb687..c7fab63261 100644 --- a/deployment/helm/ditto/Chart.yaml +++ b/deployment/helm/ditto/Chart.yaml @@ -16,7 +16,7 @@ description: | A digital twin is a virtual, cloud based, representation of his real world counterpart (real world “Things”, e.g. devices like sensors, smart heating, connected cars, smart grids, EV charging stations etc). type: application -version: 3.3.5 # chart version is effectively set by release-job +version: 3.3.6 # chart version is effectively set by release-job appVersion: 3.3.5 keywords: - iot-chart From c031c28af5d4f379dd55bb46fc61a981a87a0a36 Mon Sep 17 00:00:00 2001 From: Vladica Obojevic Date: Wed, 26 Jul 2023 09:41:18 +0200 Subject: [PATCH 3/3] Remove hardcoded release name from the values.yaml file Signed-off-by: Vladica Obojevic --- deployment/helm/ditto/templates/nginx-ingress-api.yaml | 1 + deployment/helm/ditto/values.yaml | 10 ++++------ 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/deployment/helm/ditto/templates/nginx-ingress-api.yaml b/deployment/helm/ditto/templates/nginx-ingress-api.yaml index d1900b7ab8..4dde89e5be 100644 --- a/deployment/helm/ditto/templates/nginx-ingress-api.yaml +++ b/deployment/helm/ditto/templates/nginx-ingress-api.yaml @@ -22,6 +22,7 @@ metadata: {{- with .Values.ingress.annotations }} {{- toYaml . | nindent 4 }} {{- end }} + {{ tpl .Values.ingress.api.kubernetesAuthAnnotations . | nindent 4}} {{- with .Values.ingress.api.annotations }} {{- toYaml . | nindent 4 }} {{- end }} diff --git a/deployment/helm/ditto/values.yaml b/deployment/helm/ditto/values.yaml index af1cc7df66..fb6f628f45 100644 --- a/deployment/helm/ditto/values.yaml +++ b/deployment/helm/ditto/values.yaml 
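Review bot: The new `tpl` line in nginx-ingress-api.yaml is the only one in this metadata block not wrapped in `with`, so a user who sets `ingress.api.kubernetesAuthAnnotations` to `null` to disable basic auth is likely to get a render error from `tpl` on a non-string value instead of an Ingress without auth annotations. Guard it like its neighbours: `{{- with .Values.ingress.api.kubernetesAuthAnnotations }}` / `{{ tpl . $ | nindent 4 }}` / `{{- end }}`, which also restores the left-trim `{{-` and the space before `}}` used on the surrounding lines. The enclosing `metadata` mapping starts outside the hunk.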
@@ -217,14 +217,12 @@ ingress: backendSuffix: gateway - path: /health backendSuffix: gateway + kubernetesAuthAnnotations: | + nginx.ingress.kubernetes.io/auth-type: basic + nginx.ingress.kubernetes.io/auth-secret: {{ .Release.Name }}-nginx-ingress-htpasswd + nginx.ingress.kubernetes.io/auth-realm: 'Authentication required to use HTTP API!' # annotations defines k8s annotations to add to the Ingress annotations: - # type of authentication - nginx.ingress.kubernetes.io/auth-type: basic - # name of the secret that contains the user/password definitions - nginx.ingress.kubernetes.io/auth-secret: my-ditto-nginx-ingress-htpasswd - # message to display with an appropriate context why the authentication is required - nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required to use HTTP API!' nginx.ingress.kubernetes.io/proxy-connect-timeout: "10" nginx.ingress.kubernetes.io/proxy-send-timeout: "70" nginx.ingress.kubernetes.io/proxy-read-timeout: "70"
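Review bot: `kubernetesAuthAnnotations` carries no comment, unlike the `annotations` key beside it, although it is the one values entry rendered through `tpl` and it switches basic auth on for the API Ingress by default. Add above it `# auth annotations for the API ingress; rendered with tpl, so {{ .Release.Name }} is resolved at install time` and `# set to "" to turn basic auth off`. Since the default enables authentication, chart users who have not defined `global.basicAuthUsers` or `global.hashedBasicAuthUsers` (neither is visible in this diff) will see every API request challenged, so state that dependency in the comment as well. Whether this key sits under `ingress.api` as the template expects cannot be confirmed from the hunk, as the indentation was lost; the enclosing `ingress` mapping starts outside it.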