Support loading Basic Auth credentials from Kubernetes Secrets #627

@Tharsanan1

Current Limitation

Currently, the Gateway Operator only allows configuring Basic Authentication users via the values.yaml inside a ConfigMap. This requires embedding sensitive credentials (passwords or hashes) directly into the ConfigMap manifests or Helm values.

Storing credentials in ConfigMaps is not a security best practice as they are not encrypted at rest by default and are often checked into version control systems in plain text.

Suggested Improvement

Introduce a mechanism to load Basic Authentication users from a standard Kubernetes Secret.

Proposed Design:

  1. Update the Gateway CRD to include an optional authSecretRef field.
  2. The Operator should look for a users.yaml key within the referenced Secret.
  3. This Secret-based configuration should take precedence over the existing ConfigMap configuration if both are present.

Example Secret:

apiVersion: v1
kind: Secret
metadata:
  name: my-auth-secret  # must match authSecretRef.name in the Gateway CR
type: Opaque
stringData:
  users.yaml: |
    - username: "admin"
      password: "secure-password"
      roles: ["admin"]

Example Gateway CR:

spec:
  authSecretRef:
    name: my-auth-secret

This ensures sensitive data is handled securely using native Kubernetes primitives.

Version

No response
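
The precedence rule from the proposed design, as an added Go sketch that is not part of the original issue or the operator's code. `resolveUsers` is a hypothetical helper, a plain `map[string][]byte` stands in for the Secret's data, and failing closed when the referenced Secret or its `users.yaml` key is missing is an assumption, since the issue only says the Secret wins when both sources are present.

```go
package main

import (
	"errors"
	"fmt"
)

// usersKey is the Secret key named in the proposed design.
const usersKey = "users.yaml"

var (
	errSecretNotFound = errors.New("authSecretRef set but Secret not found")
	errKeyMissing     = errors.New("referenced Secret has no non-empty users.yaml key")
)

// resolveUsers picks the raw users document for a Gateway (hypothetical helper).
// secretRef: spec.authSecretRef.name ("" when the optional field is omitted).
// secretData: data of the referenced Secret, nil if it could not be fetched.
// configMapUsers: users from the existing ConfigMap path (may be nil).
// Assumption: the error branches fail closed instead of using the ConfigMap.
func resolveUsers(secretRef string, secretData map[string][]byte, configMapUsers []byte) (string, []byte, error) {
	if secretRef == "" {
		// Field is optional: keep the existing ConfigMap behaviour.
		return "configmap", configMapUsers, nil
	}
	if secretData == nil {
		// No fallback: a deleted Secret must not revive ConfigMap users.
		return "", nil, fmt.Errorf("%w: %q", errSecretNotFound, secretRef)
	}
	raw, ok := secretData[usersKey]
	if !ok || len(raw) == 0 {
		return "", nil, fmt.Errorf("%w: %q", errKeyMissing, secretRef)
	}
	// Secret takes precedence; ConfigMap users are ignored entirely.
	return "secret", raw, nil
}

func main() {
	// Constructed sample inputs.
	secret := map[string][]byte{usersKey: []byte("- username: \"admin\"\n")}
	cm := []byte("- username: \"legacy\"\n")
	src, raw, err := resolveUsers("my-auth-secret", secret, cm)
	fmt.Println(src, len(raw), err)
	_, _, err = resolveUsers("my-auth-secret", nil, cm)
	fmt.Println(err)
}
```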
