nginx · shaun-nx · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025 · Dec 10, 2025
diff --git a/apis/v1alpha1/register.go b/apis/v1alpha1/register.go
@@ -42,6 +42,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&SnippetsFilterList{},
 		&UpstreamSettingsPolicy{},
 		&UpstreamSettingsPolicyList{},
+		&AuthenticationFilter{},
+		&AuthenticationFilterList{},
 	)
 	// AddToGroupVersion allows the serialization of client types like ListOptions.
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)

@@ -129,6 +129,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - authenticationfilters
   {{- if .Values.nginxGateway.snippetsFilters.enable }}
   - snippetsfilters
   {{- end }}
@@ -142,6 +143,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - authenticationfilters/status
   {{- if .Values.nginxGateway.snippetsFilters.enable }}
   - snippetsfilters/status
   {{- end }}

@@ -169,6 +169,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - authenticationfilters
   verbs:
   - list
   - watch
@@ -179,6 +180,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - authenticationfilters/status
   verbs:
   - update
 - apiGroups:

@@ -169,6 +169,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - authenticationfilters
   verbs:
   - list
   - watch
@@ -179,6 +180,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - authenticationfilters/status
   verbs:
   - update
 - apiGroups:

@@ -171,6 +171,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - authenticationfilters
   verbs:
   - list
   - watch
@@ -181,6 +182,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - authenticationfilters/status
   verbs:
   - update
 - apiGroups:

@@ -171,6 +171,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - authenticationfilters
   verbs:
   - list
   - watch
@@ -181,6 +182,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - authenticationfilters/status
   verbs:
   - update
 - apiGroups:

@@ -169,6 +169,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - authenticationfilters
   verbs:
   - list
   - watch
@@ -179,6 +180,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - authenticationfilters/status
   verbs:
   - update
 - apiGroups:

@@ -169,6 +169,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - authenticationfilters
   verbs:
   - list
   - watch
@@ -179,6 +180,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - authenticationfilters/status
   verbs:
   - update
 - apiGroups:

@@ -169,6 +169,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - authenticationfilters
   verbs:
   - list
   - watch
@@ -179,6 +180,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - authenticationfilters/status
   verbs:
   - update
 - apiGroups:

@@ -169,6 +169,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - authenticationfilters
   verbs:
   - list
   - watch
@@ -179,6 +180,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - authenticationfilters/status
   verbs:
   - update
 - apiGroups:

@@ -169,6 +169,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - authenticationfilters
   verbs:
   - list
   - watch
@@ -179,6 +180,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - authenticationfilters/status
   verbs:
   - update
 - apiGroups:

@@ -169,6 +169,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - authenticationfilters
   - snippetsfilters
   verbs:
   - list
@@ -180,6 +181,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - authenticationfilters/status
   - snippetsfilters/status
   verbs:
   - update

@@ -169,6 +169,7 @@ rules:
   - clientsettingspolicies
   - observabilitypolicies
   - upstreamsettingspolicies
+  - authenticationfilters
   - snippetsfilters
   verbs:
   - list
@@ -180,6 +181,7 @@ rules:
   - clientsettingspolicies/status
   - observabilitypolicies/status
   - upstreamsettingspolicies/status
+  - authenticationfilters/status
   - snippetsfilters/status
   verbs:
   - update

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: basic-auth1
-type: Opaque
+type: nginx.org/htpasswd
 data:
   # Base64 of "htpasswd -bn user1 password1"
   auth: dXNlcjE6JGFwcjEkWEFKeU5yekgkY0Rjdy9YMVBCZTFmTjltQVBweXpxMA==
@@ -23,7 +23,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: basic-auth2
-type: Opaque
+type: nginx.org/htpasswd
 data:
   # Base64 of "htpasswd -bn user2 password2"
   auth: dXNlcjI6JGFwcjEkd0lKUUpjZEUkSXUuYjVhMlBGODdtQi5zT0x4aUg5MQ==

@@ -383,6 +383,11 @@ func (h *eventHandlerImpl) updateStatuses(ctx context.Context, gr *graph.Graph,
 		transitionTime,
 		h.cfg.gatewayCtlrName,
 	)
+	authenticationFilterReqs := status.PrepareAuthenticationFilterRequests(
+		gr.AuthenticationFilters,
+		transitionTime,
+		h.cfg.gatewayCtlrName,
+	)
 
 	// unfortunately, status is not on clusterState stored by the change processor, so we need to make a k8sAPI call here
 	ipList := &inference.InferencePoolList{}
@@ -418,6 +423,7 @@ func (h *eventHandlerImpl) updateStatuses(ctx context.Context, gr *graph.Graph,
 	reqs = append(reqs, polReqs...)
 	reqs = append(reqs, ngfPolReqs...)
 	reqs = append(reqs, snippetsFilterReqs...)
+	reqs = append(reqs, authenticationFilterReqs...)
 	reqs = append(reqs, inferencePoolReqs...)
 
 	h.cfg.statusUpdater.UpdateGroup(ctx, groupAllExceptGateways, reqs...)

@@ -529,6 +529,12 @@ func registerControllers(
 				controller.WithK8sPredicate(k8spredicate.GenerationChangedPredicate{}),
 			},
 		},
+		{
+			objectType: &ngfAPIv1alpha1.AuthenticationFilter{},
+			options: []controller.Option{
+				controller.WithK8sPredicate(k8spredicate.GenerationChangedPredicate{}),
+			},
+		},
 	}
 
 	if cfg.ExperimentalFeatures {
@@ -770,6 +776,7 @@ func prepareFirstEventBatchPreparerArgs(cfg config.Config) ([]client.Object, []c
 		&ngfAPIv1alpha1.ClientSettingsPolicyList{},
 		&ngfAPIv1alpha2.ObservabilityPolicyList{},
 		&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
+		&ngfAPIv1alpha1.AuthenticationFilterList{},
 		partialObjectMetadataList,
 	}
 

@@ -68,6 +68,7 @@ func TestPrepareFirstEventBatchPreparerArgs(t *testing.T) {
 				&ngfAPIv1alpha1.ClientSettingsPolicyList{},
 				&ngfAPIv1alpha2.ObservabilityPolicyList{},
 				&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
+				&ngfAPIv1alpha1.AuthenticationFilterList{},
 			},
 		},
 		{
@@ -96,6 +97,7 @@ func TestPrepareFirstEventBatchPreparerArgs(t *testing.T) {
 				&ngfAPIv1alpha1.ClientSettingsPolicyList{},
 				&ngfAPIv1alpha2.ObservabilityPolicyList{},
 				&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
+				&ngfAPIv1alpha1.AuthenticationFilterList{},
 			},
 		},
 		{
@@ -124,6 +126,7 @@ func TestPrepareFirstEventBatchPreparerArgs(t *testing.T) {
 				partialObjectMetadataList,
 				&inference.InferencePoolList{},
 				&gatewayv1.GatewayList{},
+				&ngfAPIv1alpha1.AuthenticationFilterList{},
 			},
 		},
 		{
@@ -152,6 +155,7 @@ func TestPrepareFirstEventBatchPreparerArgs(t *testing.T) {
 				&ngfAPIv1alpha2.ObservabilityPolicyList{},
 				&ngfAPIv1alpha1.SnippetsFilterList{},
 				&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
+				&ngfAPIv1alpha1.AuthenticationFilterList{},
 			},
 		},
 		{
@@ -184,6 +188,7 @@ func TestPrepareFirstEventBatchPreparerArgs(t *testing.T) {
 				&ngfAPIv1alpha2.ObservabilityPolicyList{},
 				&ngfAPIv1alpha1.SnippetsFilterList{},
 				&ngfAPIv1alpha1.UpstreamSettingsPolicyList{},
+				&ngfAPIv1alpha1.AuthenticationFilterList{},
 			},
 		},
 	}

@@ -133,6 +133,9 @@ func (g GeneratorImpl) Generate(conf dataplane.Configuration) []agent.File {
 		files = append(files, generateCertBundle(id, bundle))
 	}
 
+	for id, data := range conf.AuthBasicSecrets {
+		files = append(files, generateAuthBasicUserFile(id, data))
+	}
 	return files
 }
 
@@ -252,3 +255,19 @@ func generateCertBundle(id dataplane.CertBundleID, cert []byte) agent.File {
 func generateCertBundleFileName(id dataplane.CertBundleID) string {
 	return filepath.Join(secretsFolder, string(id)+".crt")
 }
+
+func generateAuthBasicUserFile(id dataplane.AuthBasicUserFileID, data []byte) agent.File {
+	return agent.File{
+		Meta: &pb.FileMeta{
+			Name:        generateAuthBasicUserFileName(id),
+			Hash:        filesHelper.GenerateHash(data),
+			Permissions: file.SecretFileMode,
+			Size:        int64(len(data)),
+		},
+		Contents: data,
+	}
+}
+
+func generateAuthBasicUserFileName(id dataplane.AuthBasicUserFileID) string {
+	return filepath.Join(secretsFolder, string(id))
+}