Merge pull request #17 from puertomontt/tls

support auth-secret-type

Author: danehans

pkg/i2gw/implementations/kgateway/README.md

@@ -84,6 +84,7 @@ The command should generate Gateway API and Kgateway resources.
 
 - `nginx.ingress.kubernetes.io/auth-type`: Must be set to `"basic"` to enable basic authentication. Maps to `TrafficPolicy.spec.basicAuth`.
 - `nginx.ingress.kubernetes.io/auth-secret`: Specifies the secret containing basic auth credentials in `namespace/name` format (or just `name` if in the same namespace). Maps to `TrafficPolicy.spec.basicAuth.secretRef.name`.
+- `nginx.ingress.kubernetes.io/auth-secret-type`: Specifies the format of the secret. Values: `"auth-file"` (default) or `"auth-map"`. For `"auth-file"`, the secret contains an htpasswd file in the key `"auth"`. For `"auth-map"`, the keys of the secret are usernames and values are hashed passwords. When set to `"auth-file"` (or default), maps to `TrafficPolicy.spec.basicAuth.secretRef.key` set to `"auth"`.
 
 ### Backend TLS
 

pkg/i2gw/implementations/kgateway/emitter.go

@@ -776,6 +776,7 @@ func applyAccessLogPolicy(
 //
 // Semantics:
 //   - If BasicAuth is configured, set spec.basicAuth.secretRef.name in TrafficPolicy.
+//   - If AuthType is "auth-file" (default), also set spec.basicAuth.secretRef.key to "auth".
 func applyBasicAuthPolicy(
 	pol intermediate.Policy,
 	ingressName, namespace string,
@@ -786,10 +787,15 @@ func applyBasicAuthPolicy(
 	}
 
 	t := ensureTrafficPolicy(tp, ingressName, namespace)
+	secretRef := &kgateway.SecretReference{
+		Name: gwv1.ObjectName(pol.BasicAuth.SecretName),
+	}
+	// Set Key field to "auth" when AuthType is "auth-file" (default format)
+	if pol.BasicAuth.AuthType == "auth-file" {
+		secretRef.Key = ptr.To("auth")
+	}
 	t.Spec.BasicAuth = &kgateway.BasicAuthPolicy{
-		SecretRef: &kgateway.SecretReference{
-			Name: gwv1.ObjectName(pol.BasicAuth.SecretName),
-		},
+		SecretRef: secretRef,
 	}
 	return true
 }

pkg/i2gw/implementations/kgateway/emitter_integration_test.go

@@ -242,6 +242,15 @@ func TestKgatewayIngressNginxIntegration_Golden(t *testing.T) {
 				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "service_upstream.yaml",
 			),
 		},
+		{
+			name: "basic_auth",
+			inputRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "input", "basic_auth.yaml",
+			),
+			goldenRel: filepath.Join(
+				"pkg", "i2gw", "implementations", "kgateway", "testing", "testdata", "output", "basic_auth.yaml",
+			),
+		},
 	}
 
 	for _, tt := range tests {

pkg/i2gw/implementations/kgateway/testing/testdata/input/basic_auth.yaml

@@ -0,0 +1,71 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/auth-type: "basic"
+    nginx.ingress.kubernetes.io/auth-secret: "default/basic-auth-secret"
+  name: ingress-basic-auth-file-default
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: app1.example.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: app1
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/auth-type: "basic"
+    nginx.ingress.kubernetes.io/auth-secret: "default/basic-auth-secret"
+    nginx.ingress.kubernetes.io/auth-secret-type: "auth-file"
+  name: ingress-basic-auth-file-explicit
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: app2.example.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: app2
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    ingress2gateway.kubernetes.io/implementation: kgateway
+    nginx.ingress.kubernetes.io/auth-type: "basic"
+    nginx.ingress.kubernetes.io/auth-secret: "auth-map-secret"
+    nginx.ingress.kubernetes.io/auth-secret-type: "auth-map"
+  name: ingress-basic-auth-map
+  namespace: default
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: app3.example.org
+    http:
+      paths:
+      - backend:
+          service:
+            name: app3
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+

pkg/i2gw/implementations/kgateway/testing/testdata/input/golden.yaml

@@ -63,8 +63,6 @@ metadata:
     nginx.ingress.kubernetes.io/proxy-send-timeout: "90s"
     nginx.ingress.kubernetes.io/proxy-read-timeout: "90s"
     nginx.ingress.kubernetes.io/proxy-connect-timeout: "120"
-    nginx.ingress.kubernetes.io/auth-type: "basic"
-    nginx.ingress.kubernetes.io/auth-secret: "default/basic-auth-secret"
   name: ingress-myserviceb
   namespace: default
 spec:

pkg/i2gw/implementations/kgateway/testing/testdata/output/basic_auth.yaml

@@ -0,0 +1,142 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: nginx
+  namespace: default
+spec:
+  gatewayClassName: kgateway
+  listeners:
+  - hostname: app1.example.org
+    name: app1-example-org-http
+    port: 80
+    protocol: HTTP
+  - hostname: app2.example.org
+    name: app2-example-org-http
+    port: 80
+    protocol: HTTP
+  - hostname: app3.example.org
+    name: app3-example-org-http
+    port: 80
+    protocol: HTTP
+status: {}
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: ingress-basic-auth-file-default-app1-example-org
+  namespace: default
+spec:
+  hostnames:
+  - app1.example.org
+  parentRefs:
+  - name: nginx
+  rules:
+  - backendRefs:
+    - name: app1
+      port: 80
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+status:
+  parents: []
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: ingress-basic-auth-file-explicit-app2-example-org
+  namespace: default
+spec:
+  hostnames:
+  - app2.example.org
+  parentRefs:
+  - name: nginx
+  rules:
+  - backendRefs:
+    - name: app2
+      port: 80
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+status:
+  parents: []
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  annotations:
+    gateway.networking.k8s.io/generator: ingress2gateway-dev
+  name: ingress-basic-auth-map-app3-example-org
+  namespace: default
+spec:
+  hostnames:
+  - app3.example.org
+  parentRefs:
+  - name: nginx
+  rules:
+  - backendRefs:
+    - name: app3
+      port: 80
+    matches:
+    - path:
+        type: PathPrefix
+        value: /
+status:
+  parents: []
+---
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: TrafficPolicy
+metadata:
+  name: ingress-basic-auth-file-default
+  namespace: default
+spec:
+  basicAuth:
+    secretRef:
+      key: auth
+      name: basic-auth-secret
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: ingress-basic-auth-file-default-app1-example-org
+status:
+  ancestors: null
+---
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: TrafficPolicy
+metadata:
+  name: ingress-basic-auth-file-explicit
+  namespace: default
+spec:
+  basicAuth:
+    secretRef:
+      key: auth
+      name: basic-auth-secret
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: ingress-basic-auth-file-explicit-app2-example-org
+status:
+  ancestors: null
+---
+apiVersion: gateway.kgateway.dev/v1alpha1
+kind: TrafficPolicy
+metadata:
+  name: ingress-basic-auth-map
+  namespace: default
+spec:
+  basicAuth:
+    secretRef:
+      name: auth-map-secret
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: ingress-basic-auth-map-app3-example-org
+status:
+  ancestors: null