
HTTP Basic Authentication: allow secret compatible with the Kubernetes Ingress Controller

Open hostalp opened this issue 2 years ago • 2 comments

Is your feature request related to a problem? Please describe. The other, but frequently used Kubernetes Ingress Controller (also Nginx based) supports HTTP Basic Authentication with the authentication data stored in a slightly different Secret resource, which makes things more complicated when one needs to take both ingress controllers into account (for compatibility purposes on different environments).

Would it be possible to change the Secret resource requirements in this ingress controller so that it would be possible to use the same secret for ingress controllers?

Describe the solution you'd like Their secret looks like the following example: https://kubernetes.github.io/ingress-nginx/examples/auth/basic/#examine-secret

apiVersion: v1
data:
  auth: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK
kind: Secret
metadata:
  name: basic-auth
  namespace: default
type: Opaque

With the 2 most important differences being:

  • type: Opaque (this ingress controller requires type: nginx.org/htpasswd, the other one maybe doesn't have any such requirement at all and would work with virtually any type)
  • auth data being located in data.auth (this ingress controller requires them in data.htpasswd)

E.g. this ingress controller requires the secret such as:

apiVersion: v1
data:
  htpasswd: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK
kind: Secret
metadata:
  name: basic-auth
  namespace: default
type: nginx.org/htpasswd

We'd like to be able to use the 1st shown form with this ingress controller as well. It could be either an alternative secret form, or the only possibility (that would break the backwards compatibility though, however the HTTP Basic Authentication is still quite a new addition so it isn't likely widely used anyway).

Describe alternatives you've considered Currently:

  • For compatibility with both ingress controllers, we duplicate the auth data as data.auth and data.htpasswd
  • But we still have to recreate the secret everywhere we use either one or the other controller. (The field type is immutable). This is quite cumbersome as we can't create such a secret independently of the actual ingress controller.

Additional context #2269 #200 #1872

hostalp, Feb 23 '23 15:02
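The conversion the issue describes doing by hand, as an added example that is not part of the issue or of either project's code: it takes a Secret in the first form (`type: Opaque`, `data.auth`), checks that the payload really is htpasswd data, and emits a fresh manifest in the `nginx.org/htpasswd` form with the key duplicated. The function names `decode_htpasswd` and `to_nic_secret` and the sample `resourceVersion` are assumptions made for illustration.

```python
import base64
import json

NIC_TYPE = "nginx.org/htpasswd"  # type this controller requires, per the issue


def decode_htpasswd(encoded: str) -> list:
    """Decode a base64 Secret value and check each line is 'user:hash'."""
    text = base64.b64decode(encoded, validate=True).decode("utf-8")
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("htpasswd data is empty")
    for ln in lines:
        user, sep, pw_hash = ln.partition(":")
        if not (user and sep and pw_hash):
            raise ValueError("malformed htpasswd line (expected user:hash)")
    return lines


def to_nic_secret(secret: dict, keep_auth_key: bool = True) -> dict:
    """Return a new manifest in the nginx.org/htpasswd form (hypothetical helper)."""
    data = secret.get("data") or {}
    encoded = data.get("htpasswd") or data.get("auth")
    if not encoded:
        raise ValueError("Secret has neither data.htpasswd nor data.auth")
    decode_htpasswd(encoded)  # refuse to emit a Secret with unusable credentials
    meta = secret.get("metadata", {})
    out = {
        "apiVersion": "v1",
        "kind": "Secret",
        # Only name/namespace are copied: 'type' is immutable, so this manifest is
        # for a delete-and-recreate, and server-set fields must not carry over.
        "metadata": {"name": meta["name"], "namespace": meta.get("namespace", "default")},
        "type": NIC_TYPE,
        "data": {"htpasswd": encoded},
    }
    if keep_auth_key:
        out["data"]["auth"] = encoded  # duplicate key, as in the issue's workaround
    return out


# Constructed input: the first Secret from the issue in JSON form, with a made-up
# resourceVersion standing in for server-set metadata.
SAMPLE = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "basic-auth", "namespace": "default", "resourceVersion": "12345"},
    "data": {"auth": "Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK"},
}

if __name__ == "__main__":
    print(json.dumps(to_nic_secret(SAMPLE), indent=2))
```

The output is a manifest to create after the old Secret is deleted, since the `type` field cannot be changed in place.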

Hi @hostalp thanks for reporting!

Be sure to check out the docs while you wait for a human to take a look at this :slightly_smiling_face:

Cheers!

github-actions[bot], Feb 23 '23 15:02

Hi @hostalp I'll bring this proposal to the attention of the wider team to discuss. I will get back to you asap.

shaun-nx, Feb 28 '23 14:02