BasicAuth for frontend (#114)

Author: alik-agaev

charts/blockscout-stack/CHANGELOG.md

@@ -1,5 +1,11 @@
 # ChangeLog
 
+## 4.4.0
+
+### Feature
+
+- Add Basic Authentication support for frontend ingress. Supports two modes: referencing an existing Secret (`existingSecret`) or generating one from username/password in values
+
 ## 4.3.0
 
 ### Feature

charts/blockscout-stack/Chart.yaml

@@ -16,10 +16,10 @@ type: application
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
 
-version: 4.3.1
+version: 4.4.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "9.3.0"
+appVersion: "9.3.5"

charts/blockscout-stack/templates/frontend-basic-auth-secret.yaml

@@ -0,0 +1,19 @@
+{{- if and .Values.frontend.enabled .Values.frontend.ingress.enabled .Values.frontend.ingress.basicAuth.enabled (not .Values.frontend.ingress.basicAuth.existingSecret) }}
+{{- $username := required "frontend.ingress.basicAuth.username is required when generating a basic auth secret" .Values.frontend.ingress.basicAuth.username }}
+{{- $password := required "frontend.ingress.basicAuth.password is required when generating a basic auth secret" .Values.frontend.ingress.basicAuth.password }}
+{{- $secretName := default (printf "%s-frontend-basic-auth" (include "blockscout-stack.fullname" .)) .Values.frontend.ingress.basicAuth.secretName }}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace $secretName }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels:
+    {{- include "blockscout-stack.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{- if and $existingSecret $existingSecret.data (index $existingSecret.data "auth") }}
+  auth: {{ index $existingSecret.data "auth" }}
+  {{- else }}
+  auth: {{ htpasswd $username $password | b64enc | quote }}
+  {{- end }}
+{{- end }}

charts/blockscout-stack/templates/frontend-ingress.yaml

@@ -19,9 +19,24 @@ metadata:
   name: {{ $fullName }}-frontend-ingress
   labels:
     {{- include "blockscout-stack.labels" . | nindent 4 }}
+  {{- $annotations := dict }}
   {{- with .Values.frontend.ingress.annotations }}
+  {{- $annotations = merge $annotations . }}
+  {{- end }}
+  {{- if .Values.frontend.ingress.basicAuth.enabled }}
+  {{- $authSecretName := "" }}
+  {{- if .Values.frontend.ingress.basicAuth.existingSecret }}
+  {{- $authSecretName = .Values.frontend.ingress.basicAuth.existingSecret }}
+  {{- else }}
+  {{- $authSecretName = default (printf "%s-frontend-basic-auth" (include "blockscout-stack.fullname" .)) .Values.frontend.ingress.basicAuth.secretName }}
+  {{- end }}
+  {{- $_ := set $annotations "nginx.ingress.kubernetes.io/auth-type" "basic" }}
+  {{- $_ := set $annotations "nginx.ingress.kubernetes.io/auth-secret" $authSecretName }}
+  {{- $_ := set $annotations "nginx.ingress.kubernetes.io/auth-realm" (.Values.frontend.ingress.basicAuth.realm | default "Authentication Required") }}
+  {{- end }}
+  {{- if $annotations }}
   annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- toYaml $annotations | nindent 4 }}
   {{- end }}
 spec:
   {{- if and .Values.frontend.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}

charts/blockscout-stack/values.yaml

@@ -274,6 +274,25 @@ frontend:
     paths:
       - path: /
 
+    ## Basic authentication for frontend ingress (nginx ingress controller)
+    ## ref: https://kubernetes.github.io/ingress-nginx/examples/auth/basic/
+    ##
+    basicAuth:
+      enabled: false
+      ## Use an existing Secret containing key "auth" with htpasswd-formatted credentials.
+      ## Recommended for production / GitOps workflows.
+      existingSecret: ""
+      ## Override the generated Secret name (only used when existingSecret is empty).
+      ## Default: "<release>-frontend-basic-auth"
+      secretName: ""
+      ## Credentials for chart-generated Secret (only when existingSecret is empty).
+      ## WARNING: storing passwords in values.yaml exposes them to Git history and CI logs.
+      ## Use existingSecret or external secret management for production.
+      username: ""
+      password: ""
+    ## Authentication realm shown in the browser prompt
+      realm: "Authentication Required"
+
   resources:
     limits:
       memory: "1Gi"