From e855e6435b6fe556c720bfcc3dd8487c235440ee Mon Sep 17 00:00:00 2001
From: Suren Raju
Date: Mon, 24 Feb 2025 12:56:58 +0400
Subject: [PATCH 1/3] feat: Support ForwardUsernameHeader field in the BasicAuth
Signed-off-by: Suren Raju
---
 api/v1alpha1/basic_auth_types.go | 8 ++++++++
 api/v1alpha1/zz_generated.deepcopy.go | 5 +++++
 site/content/en/latest/api/extension_types.md | 1 +
 3 files changed, 14 insertions(+)
diff --git a/api/v1alpha1/basic_auth_types.go b/api/v1alpha1/basic_auth_types.go
index f7bec28378..ec12473bd7 100644
--- a/api/v1alpha1/basic_auth_types.go
+++ b/api/v1alpha1/basic_auth_types.go
@@ -26,4 +26,12 @@ type BasicAuth struct {
 	//
 	// Note: The secret must be in the same namespace as the SecurityPolicy.
 	Users gwapiv1.SecretObjectReference `json:"users"`
+
+	// This field specifies the header name to forward a successfully authenticated user to
+	// the backend. The header will be added to the request with the username as the value.
+	//
+	// If it is not specified, the username will not be forwarded.
+	//
+	// +optional
+	ForwardUsernameHeader *string `json:"forwardUsernameHeader,omitempty"`
 }
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 97fddd3ff6..bbb7c11455 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -653,6 +653,11 @@ func (in *BackendTrafficPolicySpec) DeepCopy() *BackendTrafficPolicySpec { func (in *BasicAuth) DeepCopyInto(out *BasicAuth) { *out = *in in.Users.DeepCopyInto(&out.Users) + if in.ForwardUsernameHeader != nil { + in, out := &in.ForwardUsernameHeader, &out.ForwardUsernameHeader + *out = new(string) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BasicAuth.
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 32c07223e3..a57c390b4e 100644
--- a/site/content/en/latest/api/extension_types.md
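Review bot: The new `ForwardUsernameHeader` field on `BasicAuth` is an unconstrained `*string`, so the CRD will accept an empty string or a value that is not a valid HTTP header name, and the doc comment does not say what happens when the incoming request already carries a header of that name. Because the backend is expected to treat this header as the authenticated identity, the implementation must replace any client-supplied value rather than append to it, and the API comment should state that contract so the translator is held to it; I would add `// Any value for this header that is already present in the incoming request is replaced.` (hedged on the translator, which is not part of this series). A schema guard keeps junk out of the data path: `// +kubebuilder:validation:MinLength=1` and `// +kubebuilder:validation:Pattern=^[A-Za-z0-9!#$%&'*+.^_|~-]+$` (a constructed token-character pattern, to be checked against the project's other header-name fields). The `BasicAuth` struct begins before this hunk.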
+++ b/site/content/en/latest/api/extension_types.md @@ -499,6 +499,7 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | | `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.
This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:\{SHA\}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.
Note: The secret must be in the same namespace as the SecurityPolicy. | +| `forwardUsernameHeader` | _string_ | false | | This field specifies the header name to forward a successfully authenticated user to
the backend. The header will be added to the request with the username as the value.
If it is not specified, the username will not be forwarded. | #### BodyToExtAuth
From 26e5e8ef4c261101b7bb221b6f6ba62f40a80f23 Mon Sep 17 00:00:00 2001
From: Suren Raju
Date: Mon, 24 Feb 2025 14:09:36 +0400
Subject: [PATCH 2/3] fix: Added +notImplementedHide
Signed-off-by: Suren Raju
---
 api/v1alpha1/basic_auth_types.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/api/v1alpha1/basic_auth_types.go b/api/v1alpha1/basic_auth_types.go
index ec12473bd7..cc98c1e6f0 100644
--- a/api/v1alpha1/basic_auth_types.go
+++ b/api/v1alpha1/basic_auth_types.go
@@ -33,5 +33,6 @@ type BasicAuth struct {
 	// If it is not specified, the username will not be forwarded.
 	//
 	// +optional
+	// +notImplementedHide
 	ForwardUsernameHeader *string `json:"forwardUsernameHeader,omitempty"`
 }
From 0ba4d1d7458697be0f1281f91b720da0d0445cbf Mon Sep 17 00:00:00 2001
From: Suren Raju
Date: Fri, 28 Feb 2025 08:41:03 +0400
Subject: [PATCH 3/3] fix: missing changes
Signed-off-by: Suren Raju
---
 .../generated/gateway.envoyproxy.io_securitypolicies.yaml | 7 +++++++
 site/content/en/latest/api/extension_types.md | 1 -
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index a48bc49ec9..6aa0d9dce2 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
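Review bot: `+notImplementedHide` only removes `forwardUsernameHeader` from the generated reference docs; the CRD hunk in PATCH 3/3 still adds the property to the schema, so a user can set it, get no validation error, and silently receive no identity header at the backend. The doc comment should carry that status in plain words rather than relying on a hidden marker, e.g. `// Note: this field is not yet implemented and is currently ignored.`, and the marker and note should be removed in the same change that makes the translator honor the field. Whether the translator rejects or ignores the field today is not visible in this series, so the wording should be checked against it.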
@@ -384,6 +384,13 @@ spec: description: BasicAuth defines the configuration for the HTTP Basic Authentication. properties: + forwardUsernameHeader: + description: |- + This field specifies the header name to forward a successfully authenticated user to + the backend. The header will be added to the request with the username as the value. + + If it is not specified, the username will not be forwarded. + type: string users: description: |- The Kubernetes secret which contains the username-password pairs in diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index a57c390b4e..32c07223e3 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -499,7 +499,6 @@ _Appears in:_ | Field | Type | Required | Default | Description | | --- | --- | --- | --- | --- | | `users` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference)_ | true | | The Kubernetes secret which contains the username-password pairs in
htpasswd format, used to verify user credentials in the "Authorization"
header.
This is an Opaque secret. The username-password pairs should be stored in
the key ".htpasswd". As the key name indicates, the value needs to be the
htpasswd format, for example: "user1:\{SHA\}hashed_user1_password".
Right now, only SHA hash algorithm is supported.
Reference to https://httpd.apache.org/docs/2.4/programs/htpasswd.html
for more details.
Note: The secret must be in the same namespace as the SecurityPolicy. | -| `forwardUsernameHeader` | _string_ | false | | This field specifies the header name to forward a successfully authenticated user to
the backend. The header will be added to the request with the username as the value.
If it is not specified, the username will not be forwarded. | #### BodyToExtAuth