nginx · pdabelf5 · Jan 31, 2025
@@ -90,9 +90,16 @@ spec:
                 description: BasicAuth holds HTTP Basic authentication configuration
                 properties:
                   realm:
+                    description: The realm for basic authentication
+                    pattern: ^([^"$\\]|\\[^$])*$
                     type: string
                   secret:
+                    description: The name of the Kubernetes secret that stores the
+                      Htpasswd configuration
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                     type: string
+                required:
+                - secret
                 type: object
               egressMTLS:
                 description: EgressMTLS defines an Egress MTLS policy.

@@ -252,9 +252,16 @@ spec:
                 description: BasicAuth holds HTTP Basic authentication configuration
                 properties:
                   realm:
+                    description: The realm for basic authentication
+                    pattern: ^([^"$\\]|\\[^$])*$
                     type: string
                   secret:
+                    description: The name of the Kubernetes secret that stores the
+                      Htpasswd configuration
+                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                     type: string
+                required:
+                - secret
                 type: object
               egressMTLS:
                 description: EgressMTLS defines an Egress MTLS policy.

@@ -623,7 +623,13 @@ type JWTAuth struct {
 
 // BasicAuth holds HTTP Basic authentication configuration
 type BasicAuth struct {
-	Realm  string `json:"realm"`
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Pattern=`^([^"$\\]|\\[^$])*$`
+	// The realm for basic authentication
+	Realm string `json:"realm,omitempty"`
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`
+	// The name of the Kubernetes secret that stores the Htpasswd configuration
 	Secret string `json:"secret"`
 }
 

@@ -45,7 +45,6 @@ func validatePolicySpec(spec *v1.PolicySpec, fieldPath *field.Path, isPlus, enab
 	}
 
 	if spec.BasicAuth != nil {
-		allErrs = append(allErrs, validateBasic(spec.BasicAuth, fieldPath.Child("basicAuth"))...)
 		fieldCount++
 	}
 
@@ -206,18 +205,6 @@ func validateJWT(jwt *v1.JWTAuth, fieldPath *field.Path) field.ErrorList {
 	return allErrs
 }
 
-func validateBasic(basic *v1.BasicAuth, fieldPath *field.Path) field.ErrorList {
-	if basic.Secret == "" {
-		return field.ErrorList{field.Required(fieldPath.Child("secret"), "")}
-	}
-
-	allErrs := field.ErrorList{}
-	if basic.Realm != "" {
-		allErrs = append(allErrs, validateRealm(basic.Realm, fieldPath.Child("realm"))...)
-	}
-	return append(allErrs, validateSecretName(basic.Secret, fieldPath.Child("secret"))...)
-}
-
 func validateIngressMTLS(ingressMTLS *v1.IngressMTLS, fieldPath *field.Path) field.ErrorList {
 	if ingressMTLS.ClientCertSecret == "" {
 		return field.ErrorList{field.Required(fieldPath.Child("clientCertSecret"), "")}

@@ -1982,24 +1982,6 @@ func TestValidateWAF_FailsOnInvalidApPolicy(t *testing.T) {
 	}
 }
 
-func TestValidateBasic_PassesOnNotEmptySecret(t *testing.T) {
-	t.Parallel()
-
-	errList := validateBasic(&v1.BasicAuth{Realm: "", Secret: "secret"}, field.NewPath("secret"))
-	if len(errList) != 0 {
-		t.Errorf("want no errors, got %v", errList)
-	}
-}
-
-func TestValidateBasic_FailsOnMissingSecret(t *testing.T) {
-	t.Parallel()
-
-	errList := validateBasic(&v1.BasicAuth{Realm: "realm", Secret: ""}, field.NewPath("secret"))
-	if len(errList) == 0 {
-		t.Error("want error on invalid input")
-	}
-}
-
 func TestValidateWAF_FailsOnPresentBothApLogBundleAndApLogConf(t *testing.T) {
 	t.Parallel()