#general

careful-france-37922

08/19/2019, 9:36 AM
Hello, I was thrown into the world of Kubernetes, Helm, Google Cloud Engine, and Terraform/Pulumi and so on, so maybe I'm really in the wrong channel now to ask my question, please be nice. 🙂 We have a so-called `nginx-ingress` which does basic authentication for one domain. Currently the basic authentication data is done manually via:
`htpasswd -c auth <username> && kubectl create secret generic docs-basic-auth --from-file=auth`
I want to automate this for the future. The helm chart looks like this:
```yaml
ingress:
  domain: <domain>
  tlsSecretName: <name>-de-tls
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    # The name of the secret which contains the HTTP basic auth configuration
    # See: https://github.com/kubernetes/ingress-nginx/blob/6d2400ee0fcd29390db24091edef07ccee73c881/docs/examples/auth/basic/README.md
    nginx.ingress.kubernetes.io/auth-secret: docs-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Name"
deployment:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
```
I have a file which contains this code where, at least I think, I need to start:
```typescript
import * as k8s from "@pulumi/kubernetes";
import * as affinities from "../../../affinities";

interface ICreateNginxIngressOpts {
  isPrivateNetworkIngress: boolean;
  tls: { defaultTlsSecretName: string };
  context: {
    provider: k8s.Provider;
  };
}

const createNginxIngress = ({
  isPrivateNetworkIngress,
  tls,
  context: { provider }
}: ICreateNginxIngressOpts) => {
  let annotations: any = {};

  if (isPrivateNetworkIngress) {
    // Only allow traffic from the external subnet
    annotations["cloud.google.com/load-balancer-type"] = "Internal";
  }

  return new k8s.helm.v2.Chart(
    "nginx-ingress",
    {
      repo: "stable",
      chart: "nginx-ingress",
      version: "1.6.0",
      values: {
        defaultBackend: {
          affinity: affinities.defaultPool
        },
        controller: {
          extraArgs: {
            "default-ssl-certificate": tls.defaultTlsSecretName
          },
          publishService: { enabled: true },
          affinity: affinities.defaultPool,
          service: {
            annotations
          }
        }
      }
    },
    { dependsOn: [provider], providers: { k8s: provider } }
  );
};

export { createNginxIngress };
```
Any hints where I have to look? Basically: I want to automate these steps: https://github.com/kubernetes/ingress-nginx/blob/6d2400ee0fcd29390db24091edef07ccee73c881/docs/examples/auth/basic/README.md

best-xylophone-83824

08/19/2019, 9:40 AM
Regardless of the solution, there is also a school of thought that Ingress should be as generic as possible and any app-specific configuration is an anti-pattern.

careful-france-37922

08/19/2019, 9:44 AM
And where do I do the app-specific configuration then?

best-xylophone-83824

08/19/2019, 9:45 AM
On the app level. If the app needs to authenticate incoming requests, it is its responsibility to do that, maybe with the sidecar nginx, but still on the app pod.

careful-france-37922

08/19/2019, 9:46 AM
Sounds complicated, I'll have a look at this sidecar thingy