K3S/addons/ingress-proxypass/role/chart/templates/secret-auth.yaml

{{/*
Creates a basic-auth Secret for each proxy that has:
  auth.enabled: true
  auth.credentials: "<htpasswd string>"   (and no auth.secretName — use existing instead)

The Secret key MUST be "auth" for nginx's auth-file type (default).
Reference: nginx.ingress.kubernetes.io/auth-secret-type: auth-file

Generate credentials with:
  htpasswd -nb admin 'mypassword'
  # outputs: admin:$apr1$...
*/}}
{{- range .Values.proxies }}
{{- $proxy     := . }}
{{- $d         := $.Values.defaults }}
{{- $proxyName := include "ingress-proxypass.resourceName" $proxy.name }}

{{- $proxyAuth   := $proxy.auth | default dict }}
{{- $defAuth     := $d.auth     | default dict }}
{{- $authEnabled := $proxyAuth.enabled     | default $defAuth.enabled     | default false }}
{{- $existingSec := $proxyAuth.secretName  | default $defAuth.secretName  | default "" }}
{{- $credentials := $proxyAuth.credentials | default $defAuth.credentials | default "" }}

{{/* Only create a Secret when auth is on, no existing secret is referenced, and credentials are provided */}}
{{- if and $authEnabled (not $existingSec) $credentials }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ $proxyName }}-auth
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "ingress-proxypass.labels" $ | nindent 4 }}
    app.kubernetes.io/component: {{ $proxyName }}
type: Opaque
data:
  # nginx auth-file expects the key to be named "auth"
  auth: {{ $credentials | b64enc | quote }}
{{- end }}
{{- end }}