Skip to content

HTTP Basic Authentication: allow secret compatible with the Kubernetes Ingress Controller #3585

New issue
New issue
Open
Open
HTTP Basic Authentication: allow secret compatible with the Kubernetes Ingress Controller#3585
Assignees
shaun-nx
Labels
backlog candidatePull requests/issues that are candidates to be backlog itemsproposalAn issue that proposes a feature request
@hostalp

Description

@hostalp
hostalp
opened on Feb 23, 2023

Is your feature request related to a problem? Please describe.
The other, but frequently used Kubernetes Ingress Controller (also Nginx based) supports HTTP Basic Authentication with the authenticaiton data stored in slightly different Secret resource which makes things more complicated when one needs to take both ingress controllers into the account (for compatibility purposes on different environments).

Would it be possible to change the Secret resource requirements in this ingress controller so that it would be possible to use the same secret for ingress controllers?

Describe the solution you'd like
Their secret looks like the following example: https://kubernetes.github.io/ingress-nginx/examples/auth/basic/#examine-secret

apiVersion: v1
data:
  auth: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK
kind: Secret
metadata:
  name: basic-auth
  namespace: default
type: Opaque

With the 2 most important differences being:

  • type: Opaque (this ingress controller requires type: nginx.org/htpasswd, the other one maybe doesn't have any such requirement at all and would work with virtually any type)
  • auth data being located in data.auth (this ingress controller requires them in data.htpasswd)
    E.g. this ingress controller requires the secret such as:
apiVersion: v1
data:
  htpasswd: Zm9vOiRhcHIxJE9GRzNYeWJwJGNrTDBGSERBa29YWUlsSDkuY3lzVDAK
kind: Secret
metadata:
  name: basic-auth
  namespace: default
type: nginx.org/htpasswd

We'd like to be able to use the 1st shown form with this ingress controller as well. It could be either an alternative secret form, or the only possibility (that would break the backwards compatibility though, however the HTTP Basic Authentication is still quite a new addition so it isn't likely widely used anyway).

Describe alternatives you've considered
Currently:

  • For compatibility with both ingress controllers, we duplicate the auth data as data.auth and data.htpasswd
  • But we still we have to recreate the secret everywhere we use either one or the other controller. (The field type is immutable). This is quite cumbersome as we can't create such secret independently on the actual ingress controller.

Additional context
#2269 #200 #1872

Metadata

Metadata

Assignees

Labels

backlog candidatePull requests/issues that are candidates to be backlog itemsproposalAn issue that proposes a feature request

Type

No type

Projects

NGINX Ingress Controller

Status

Todo ☑

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions