Address comments. Move auth and healthcheck inside nginx package

controllers/nginx/.gitignore

@@ -0,0 +1 @@
+nginx-ingress-controller

controllers/nginx/controller.go

@@ -40,8 +40,9 @@ import (
 	"k8s.io/kubernetes/pkg/util/intstr"
 	"k8s.io/kubernetes/pkg/watch"
 
-	"k8s.io/contrib/ingress/controllers/nginx/healthcheck"
 	"k8s.io/contrib/ingress/controllers/nginx/nginx"
+	"k8s.io/contrib/ingress/controllers/nginx/nginx/auth"
+	"k8s.io/contrib/ingress/controllers/nginx/nginx/healthcheck"
 	"k8s.io/contrib/ingress/controllers/nginx/nginx/ratelimit"
 	"k8s.io/contrib/ingress/controllers/nginx/nginx/rewrite"
 )
@@ -584,6 +585,12 @@ func (lbc *loadBalancerController) getUpstreamServers(ngxCfg nginx.NginxConfigur
 				continue
 			}
 
+			nginxAuth, err := auth.ParseAnnotations(lbc.client, ing, auth.DefAuthDirectory)
+			glog.V(3).Infof("nginx auth %v", nginxAuth)
+			if err != nil {
+				glog.V(3).Infof("error reading authentication in Ingress %v/%v: %v", ing.GetNamespace(), ing.GetName(), err)
+			}
+
 			rl, err := ratelimit.ParseAnnotations(ing)
 			glog.V(3).Infof("nginx rate limit %v", rl)
 			if err != nil {
@@ -617,12 +624,14 @@ func (lbc *loadBalancerController) getUpstreamServers(ngxCfg nginx.NginxConfigur
 				for _, loc := range server.Locations {
 					if loc.Path == rootLocation && nginxPath == rootLocation && loc.IsDefBackend {
 						loc.Upstream = *ups
+						loc.Auth = *nginxAuth
+						loc.RateLimit = *rl
+
 						locRew, err := rewrite.ParseAnnotations(ing)
 						if err != nil {
 							glog.V(3).Infof("error parsing rewrite annotations for Ingress rule %v/%v: %v", ing.GetNamespace(), ing.GetName(), err)
 						}
 						loc.Redirect = *locRew
-						loc.RateLimit = *rl
 
 						addLoc = false
 						continue
@@ -645,8 +654,9 @@ func (lbc *loadBalancerController) getUpstreamServers(ngxCfg nginx.NginxConfigur
 					server.Locations = append(server.Locations, &nginx.Location{
 						Path:      nginxPath,
 						Upstream:  *ups,
-						Redirect:  *locRew,
+						Auth:      *nginxAuth,
 						RateLimit: *rl,
+						Redirect:  *locRew,
 					})
 				}
 			}

controllers/nginx/nginx.tmpl

@@ -190,6 +190,18 @@ http {
             {{ $limits := buildRateLimit $location }}
             {{- range $limit := $limits }}
             {{ $limit }}{{ end }}
+
+            {{ if $location.Auth.Secured -}}
+            {{ if eq $location.Auth.Type "basic" }}
+            auth_basic "{{ $location.Auth.Realm }}";
+            auth_basic_user_file {{ $location.Auth.File }};
+            {{ else }}
+            #TODO: add nginx-http-auth-digest module
+            auth_digest "{{ $location.Auth.Realm }}";
+            auth_digest_user_file {{ $location.Auth.File }};
+            {{ end }}
+            {{- end }}
+
             proxy_set_header Host                   $host;
 
             # Pass Real IP

controllers/nginx/nginx/auth/main.go

@@ -31,9 +31,9 @@ import (
 )
 
 const (
-	authType   = "ingress-nginx.kubernetes.io/auth-type"
-	authSecret = "ingress-nginx.kubernetes.io/auth-secret"
-	authRealm  = "ingress-nginx.kubernetes.io/auth-realm"
+	authType   = "ingress.kubernetes.io/auth-type"
+	authSecret = "ingress.kubernetes.io/auth-secret"
+	authRealm  = "ingress.kubernetes.io/auth-realm"
 
 	defAuthRealm = "Authentication Required"
 
@@ -61,18 +61,12 @@ var (
 
 	// ErrMissingAuthInSecret is returned when there is no auth key in secret data
 	ErrMissingAuthInSecret = errors.New("the secret does not contains the auth key")
+
+	// ErrMissingAnnotations is returned when the ingress rule
+	// does not contains annotations related with authentication
+	ErrMissingAnnotations = errors.New("missing authentication annotations")
 )
 
-// ErrMissingAnnotations is returned when the ingress rule
-// does not contains annotations related with authentication
-type ErrMissingAnnotations struct {
-	msg string
-}
-
-func (e ErrMissingAnnotations) Error() string {
-	return e.msg
-}
-
 // Nginx returns authentication configuration for an Ingress rule
 type Nginx struct {
 	Type    string
@@ -121,7 +115,7 @@ func (a ingAnnotations) secretName() (string, error) {
 // during the authentication process
 func ParseAnnotations(kubeClient client.Interface, ing *extensions.Ingress, authDir string) (*Nginx, error) {
 	if ing.GetAnnotations() == nil {
-		return &Nginx{}, ErrMissingAnnotations{"missing authentication annotations"}
+		return &Nginx{}, ErrMissingAnnotations
 	}
 
 	at, err := ingAnnotations(ing.GetAnnotations()).authType()

controllers/nginx/nginx/healthcheck/main.go

@@ -26,8 +26,8 @@ import (
 )
 
 const (
-	upsMaxFails    = "ingress-nginx.kubernetes.io/upstream-max-fails"
-	upsFailTimeout = "ingress-nginx.kubernetes.io/upstream-fail-timeout"
+	upsMaxFails    = "ingress.kubernetes.io/upstream-max-fails"
+	upsFailTimeout = "ingress.kubernetes.io/upstream-fail-timeout"
 )
 
 var (

controllers/nginx/nginx/nginx.go

@@ -17,6 +17,7 @@ limitations under the License.
 package nginx
 
 import (
+	"k8s.io/contrib/ingress/controllers/nginx/nginx/auth"
 	"k8s.io/contrib/ingress/controllers/nginx/nginx/ratelimit"
 	"k8s.io/contrib/ingress/controllers/nginx/nginx/rewrite"
 )
@@ -93,8 +94,9 @@ type Location struct {
 	Path         string
 	IsDefBackend bool
 	Upstream     Upstream
-	Redirect     rewrite.Redirect
+	Auth         auth.Nginx
 	RateLimit    ratelimit.RateLimit
+	Redirect     rewrite.Redirect
 }
 
 // LocationByPath sorts location by path