Add support to use kubernetes secrets for basicAuthUsers passwords

vvasilevbosch · vvasilevbosch · commit 8395a3d4b9c1 · 2024-03-11T11:41:35.000+02:00
Signed-off-by: Vasil Vasilev &lt;vasil.vasilev@bosch.com&gt;
diff --git a/deployment/helm/ditto/templates/nginx-auth.yaml b/deployment/helm/ditto/templates/nginx-auth.yaml
@@ -24,13 +24,21 @@ type: Opaque
 stringData:
   nginx.htpasswd: |-
 {{- if .Values.global.hashedBasicAuthUsers }}
-{{ range .Values.global.hashedBasicAuthUsers }}
-{{- . | indent 4 }}
-{{ end }}
+  {{ range .Values.global.hashedBasicAuthUsers }}
+    {{- . | indent 4 }}
+  {{ end }}
 {{- else }}
-{{ range $key, $value := .Values.global.basicAuthUsers }}
-{{- (htpasswd $value.user $value.password) | indent 4 }}
-{{ end }}
-{{ end }}
+  {{ range $key, $value := .Values.global.basicAuthUsers }}
+    {{- if $value.secretName }}
+      {{- $secret := lookup "v1" "Secret" $.Release.Namespace $value.secretName }}
+      {{- if $secret }}
+        {{- $passwordBase64 := index $secret.data $value.user}}
+        {{- htpasswd $value.user ($passwordBase64 | b64dec) | indent 4 }}
+      {{- end }}
+    {{- else }}
+      {{- (htpasswd $value.user $value.password) | indent 4 }}
+    {{- end }}
+  {{ end }}
+{{- end }}
 ---
 {{- end }}
diff --git a/deployment/helm/ditto/values.yaml b/deployment/helm/ditto/values.yaml
@@ -69,11 +69,15 @@ global:
     # maxAuthSubjectsCount the maximum possible number of authorization subjects in Ditto headers, default: 100
     maxAuthSubjectsCount: 100
   # basicAuthUsers configures several user/password combinations which the nginx of the Ditto chart will authenticate
+  # secretName - name of kubernetes secret, containing password for user(s). secret.data must contain ${user}: passwordBase64
+  # if provided, password from secret will be used. Single kubernetes secret can be used for all users, by adding row for each user.
   basicAuthUsers:
   # - user: ditto
   #   password: ditto
+  #   secretName: ditto
   # - user: jane
   #   password: janesPw
+  #   secretName: jane
   # hashedBasicAuthUsers configures a list of hashed .htpasswd username/password entries
   hashedBasicAuthUsers: []
   # jwtOnly controls whether only OpenID-Connect authentication is supported
@@ -172,9 +176,6 @@ global:
   podDeletionCostPatching:
     # enabled whether the pod-deletion-cost annotation patching should be enabled
     enabled: true
-    # annotations defines k8s annotations to add to corresponding jobs
-    annotations: {}
-
 
 ## ----------------------------------------------------------------------------
 ## dbconfig for mongodb connections
