Hello, I was thrown in the world of Kubernetes, Helm, Google Cloud Engine, and Terraform/Pulumi and so on, so maybe I'm really in the wrong channel now to ask my question, please be nice. 🙂 We have a so called

nginx-ingress

which does basic authentication for one domain. Currently the basic authentication data is done manually via:

htpasswd -c auth <username> && kubectl create secret generic docs-basic-auth --from-file=auth

I want to automate this for the future. The helm chart looks like this:

ingress:
  domain: <domain>
  tlsSecretName: <name>-de-tls
  annotations:
    <http://nginx.ingress.kubernetes.io/auth-type|nginx.ingress.kubernetes.io/auth-type>: basic
    # # The name of the secret which contains the HTTP basic auth configuration
    # # See: <https://github.com/kubernetes/ingress-nginx/blob/6d2400ee0fcd29390db24091edef07ccee73c881/docs/examples/auth/basic/README.md>
    <http://nginx.ingress.kubernetes.io/auth-secret|nginx.ingress.kubernetes.io/auth-secret>: docs-basic-auth
    <http://nginx.ingress.kubernetes.io/auth-realm|nginx.ingress.kubernetes.io/auth-realm>: "Name"
deployment:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0

I have a file which contains this code where, at least I think, I need to start:

import * as k8s from "@pulumi/kubernetes";
import * as affinities from "../../../affinities";

interface ICreateNginxIngressOpts {
  isPrivateNetworkIngress: boolean;
  tls: { defaultTlsSecretName: string };
  context: {
    provider: k8s.Provider;
  };
}

const createNginxIngress = ({
  isPrivateNetworkIngress,
  tls,
  context: { provider }
}: ICreateNginxIngressOpts) => {
  let annotations: any = {};

  if (isPrivateNetworkIngress) {
    // Only allow traffic from the external subnet
    annotations["<http://cloud.google.com/load-balancer-type|cloud.google.com/load-balancer-type>"] = "Internal";
  }

  return new k8s.helm.v2.Chart(
    "nginx-ingress",
    {
      repo: "stable",
      chart: "nginx-ingress",
      version: "1.6.0",
      values: {
        defaultBackend: {
          affinity: affinities.defaultPool
        },
        controller: {
          extraArgs: {
            "default-ssl-certificate": tls.defaultTlsSecretName
          },
          publishService: { enabled: true },
          affinity: affinities.defaultPool,
          service: {
            annotations
          }
        }
      }
    },
    { dependsOn: [provider], providers: { k8s: provider } }
  );
};

export { createNginxIngress };

Any hints where I have to look at? Basically: I want to automate this steps: https://github.com/kubernetes/ingress-nginx/blob/6d2400ee0fcd29390db24091edef07ccee73c881/docs/examples/auth/basic/README.md

regardless of the solution there is also a school of thought that Ingress should be as generic as possible and any app-specific configuration is anti-pattern

And where do I do the app-specific configuration then?

on app level. if app needs to authenticate incoming requests, it is it's responsibility to do that, maybe with the sidecar nginx, but still on the app pod

Sounds complicated, I'll have a look at this sidecar thingy