support auth-secret-type

Signed-off-by: omar <omar.hammami@solo.io>

Author: puertomontt

pkg/i2gw/implementations/kgateway/README.md

@@ -84,6 +84,7 @@ The command should generate Gateway API and Kgateway resources.
 
 - `nginx.ingress.kubernetes.io/auth-type`: Must be set to `"basic"` to enable basic authentication. Maps to `TrafficPolicy.spec.basicAuth`.
 - `nginx.ingress.kubernetes.io/auth-secret`: Specifies the secret containing basic auth credentials in `namespace/name` format (or just `name` if in the same namespace). Maps to `TrafficPolicy.spec.basicAuth.secretRef.name`.
+- `nginx.ingress.kubernetes.io/auth-secret-type`: Specifies the format of the secret. Values: `"auth-file"` (default) or `"auth-map"`. For `"auth-file"`, the secret contains an htpasswd file in the key `"auth"`. For `"auth-map"`, the keys of the secret are usernames and values are hashed passwords. When set to `"auth-file"` (or default), maps to `TrafficPolicy.spec.basicAuth.secretRef.key` set to `"auth"`.
 
 ### Backend TLS
 

pkg/i2gw/implementations/kgateway/emitter.go

@@ -776,6 +776,7 @@ func applyAccessLogPolicy(
 //
 // Semantics:
 //   - If BasicAuth is configured, set spec.basicAuth.secretRef.name in TrafficPolicy.
+//   - If AuthType is "auth-file" (default), also set spec.basicAuth.secretRef.key to "auth".
 func applyBasicAuthPolicy(
 	pol intermediate.Policy,
 	ingressName, namespace string,
@@ -786,10 +787,15 @@ func applyBasicAuthPolicy(
 	}
 
 	t := ensureTrafficPolicy(tp, ingressName, namespace)
+	secretRef := &kgateway.SecretReference{
+		Name: gwv1.ObjectName(pol.BasicAuth.SecretName),
+	}
+	// Set Key field to "auth" when AuthType is "auth-file" (default format)
+	if pol.BasicAuth.AuthType == "auth-file" {
+		secretRef.Key = ptr.To("auth")
+	}
 	t.Spec.BasicAuth = &kgateway.BasicAuthPolicy{
-		SecretRef: &kgateway.SecretReference{
-			Name: gwv1.ObjectName(pol.BasicAuth.SecretName),
-		},
+		SecretRef: secretRef,
 	}
 	return true
 }

pkg/i2gw/implementations/kgateway/emitter_integration_test.go

@@ -242,6 +242,15 @@ func TestKgatewayIngressNginxIntegration_Golden(t *testing.T) {
 				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "service_upstream.yaml",
 			),
 		},
+		{
+			name: "basic_auth",
+			inputRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "input", "basic_auth.yaml",
+			),
+			goldenRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "basic_auth.yaml",
+			),
+		},
 	}
 
 	for _, tt := range tests {

pkg/i2gw/implementations/kgateway/testing/testdata/input/basic_auth.yaml

@@ -0,0 +1,47 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/auth-type: "basic"
+    nginx.ingress.kubernetes.io/auth-secret: "default/basic-auth-secret"
+  name: ingress-basic-auth-file-default
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: app1.example.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: app1
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/auth-type: "basic"
+    nginx.ingress.kubernetes.io/auth-secret: "default/basic-auth-secret"
+    nginx.ingress.kubernetes.io/auth-secret-type: "auth-file"
+  name: ingress-basic-auth-file-explicit
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: app2.example.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: app2
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+---

pkg/i2gw/implementations/kgateway/testing/testdata/output/basic_auth.yaml

@@ -0,0 +1,99 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: nginx
+  namespace: default
+spec:
+  gatewayClassName: kgateway
+  listeners:
+  - hostname: app1.example.org
+    name: app1-example-org-http
+    port: 80
+    protocol: HTTP
+  - hostname: app2.example.org
+    name: app2-example-org-http
+    port: 80
+    protocol: HTTP
+status: {}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: ingress-basic-auth-file-default-app1-example-org
+  namespace: default
+spec:
+  hostnames:
+  - app1.example.org
+  parentRefs:
+  - name: nginx
+  rules:
+  - backendRefs:
+    - name: app1
+      port: 80
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+status:
+  parents: []
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: ingress-basic-auth-file-explicit-app2-example-org
+  namespace: default
+spec:
+  hostnames:
+  - app2.example.org
+  parentRefs:
+  - name: nginx
+  rules:
+  - backendRefs:
+    - name: app2
+      port: 80
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+status:
+  parents: []
+---
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: TrafficPolicy
+metadata:
+  name: ingress-basic-auth-file-default
+  namespace: default
+spec:
+  basicAuth:
+    secretRef:
+      key: auth
+      name: basic-auth-secret
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: ingress-basic-auth-file-default-app1-example-org
+status:
+  ancestors: null
+---
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: TrafficPolicy
+metadata:
+  name: ingress-basic-auth-file-explicit
+  namespace: default
+spec:
+  basicAuth:
+    secretRef:
+      key: auth
+      name: basic-auth-secret
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: ingress-basic-auth-file-explicit-app2-example-org
+status:
+  ancestors: null

pkg/i2gw/intermediate/provider_ingressnginx.go

@@ -84,6 +84,10 @@ type ExtAuthPolicy struct {
 type BasicAuthPolicy struct {
 	// SecretName defines the name of the secret containing basic auth credentials.
 	SecretName string
+	// AuthType defines the format of the secret: "auth-file" (default) or "auth-map".
+	// For "auth-file", the secret contains an htpasswd file in a specific key.
+	// For "auth-map", the keys of the secret are usernames and values are hashed passwords.
+	AuthType string
 }
 
 // SessionAffinityPolicy defines a session affinity policy that has been extracted from ingress-nginx annotations.

pkg/i2gw/providers/ingressnginx/README.md

@@ -78,6 +78,7 @@ The ingress-nginx provider currently supports translating the following annotati
 
 - `nginx.ingress.kubernetes.io/auth-type`: Must be set to `"basic"` to enable basic authentication. For the Kgateway implementation, this maps to `TrafficPolicy.spec.basicAuth`.
 - `nginx.ingress.kubernetes.io/auth-secret`: Specifies the secret containing basic auth credentials in `namespace/name` format (or just `name` if in the same namespace). For the Kgateway implementation, this maps to `TrafficPolicy.spec.basicAuth.secretRef.name`.
+- `nginx.ingress.kubernetes.io/auth-secret-type`: Specifies the format of the secret. Values: `"auth-file"` (default) or `"auth-map"`. For `"auth-file"`, the secret contains an htpasswd file in the key `"auth"`. For `"auth-map"`, the keys of the secret are usernames and values are hashed passwords. For the Kgateway implementation, when set to `"auth-file"` (or default), this maps to `TrafficPolicy.spec.basicAuth.secretRef.key` set to `"auth"`.
 
 ---
 

pkg/i2gw/providers/ingressnginx/external_auth.go

@@ -32,6 +32,7 @@ const (
 	authResponseHeadersAnnotation = "nginx.ingress.kubernetes.io/auth-response-headers"
 	authTypeAnnotation            = "nginx.ingress.kubernetes.io/auth-type"
 	authSecretAnnotation          = "nginx.ingress.kubernetes.io/auth-secret"
+	authSecretTypeAnnotation      = "nginx.ingress.kubernetes.io/auth-secret-type"
 )
 
 // extAuthFeature extracts the "auth-url" and "auth-response-headers" annotations and
@@ -167,6 +168,7 @@ func basicAuthFeature(
 		ing := &ingresses[i]
 		authTypeRaw := strings.TrimSpace(ing.Annotations[authTypeAnnotation])
 		authSecretRaw := strings.TrimSpace(ing.Annotations[authSecretAnnotation])
+		authSecretTypeRaw := strings.TrimSpace(ing.Annotations[authSecretTypeAnnotation])
 
 		// Only process if auth-type is "basic" and auth-secret is present
 		if authTypeRaw != "basic" || authSecretRaw == "" {
@@ -191,8 +193,17 @@ func basicAuthFeature(
 			}
 		}
 
+		// Determine auth type based on auth-secret-type annotation
+		// auth-file (default): htpasswd file in key "auth"
+		// auth-map: keys are usernames, values are hashed passwords
+		authType := authSecretTypeRaw
+		if authType == "" {
+			authType = "auth-file" // default
+		}
+
 		pol.BasicAuth = &intermediate.BasicAuthPolicy{
 			SecretName: secretName,
+			AuthType:   authType,
 		}
 	}