refactor: remove type annotation in place of label

pkg/auth/htpasswd.go

@@ -33,8 +33,6 @@ import (
 )
 
 const (
-	// AnnotationAuthType marks Secrets that can be used for basic Auth.
-	AnnotationAuthType = "auth.contour.snappcloud.io/type"
 	// AnnotationAuthRealm marks Secrets that match our authentication realm.
 	AnnotationAuthRealm = "auth.contour.snappcloud.io/realm"
 	secretRefKey        = "secretRef"
@@ -128,11 +126,6 @@ func (h *Htpasswd) Check(ctx context.Context, request *Request) (*Response, erro
 }
 
 func (h *Htpasswd) verifyFetchSecretData(secret *v1.Secret) (bool, []byte) {
-	// Only look at basic auth Secrets.
-	if secret.Annotations[AnnotationAuthType] != "basic" {
-		return false, nil
-	}
-
 	// Accept the secret if it is for our realm or for any realm.
 	if realm := secret.Annotations[AnnotationAuthRealm]; realm != "" {
 		if realm != h.Realm && realm != "*" {

pkg/auth/htpasswd_test.go

@@ -41,7 +41,6 @@ func TestHtpasswdAuth(t *testing.T) {
 				Name:      "notmatched-label",
 				Namespace: "notmatched",
 				Annotations: map[string]string{
-					AnnotationAuthType:  "basic",
 					AnnotationAuthRealm: "*",
 				},
 			},
@@ -54,11 +53,10 @@ func TestHtpasswdAuth(t *testing.T) {
 		// filtered by wrong annotation
 		&v1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      "notmatched-annotation-auth-realm",
+				Name:      "notmatched-annotation",
 				Namespace: "notmatched",
-				Labels:    map[string]string{"app": "authserver"},
+				Labels:    map[string]string{"auth.contour.snappcloud.io/type": "basic"},
 				Annotations: map[string]string{
-					AnnotationAuthType:  "basic",
 					AnnotationAuthRealm: "wrong",
 				},
 			},
@@ -68,30 +66,12 @@ func TestHtpasswdAuth(t *testing.T) {
 				"auth": []byte("notmatched:$apr1$4W6cRE66$iANZepJfRTrpk3OxlzxAC0"),
 			},
 		},
-		// filtered by wrong annotation
-		&v1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      "notmatched-annotation-auth-type",
-				Namespace: "notmatched",
-				Labels:    map[string]string{"app": "authserver"},
-				Annotations: map[string]string{
-					AnnotationAuthType:  "wrong",
-					AnnotationAuthRealm: "*",
-				},
-			},
-			Type: v1.SecretTypeOpaque,
-			Data: map[string][]byte{
-				// user=notmatched, pass=notmatched
-				"auth": []byte("notmatched:$apr1$4W6cRE66$iANZepJfRTrpk3OxlzxAC0"),
-			},
-		},
 		&v1.Secret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "example1",
 				Namespace: "ns1",
-				Labels:    map[string]string{"app": "authserver"},
+				Labels:    map[string]string{"auth.contour.snappcloud.io/type": "basic"},
 				Annotations: map[string]string{
-					AnnotationAuthType:  "basic",
 					AnnotationAuthRealm: "*",
 				},
 			},
@@ -105,9 +85,8 @@ func TestHtpasswdAuth(t *testing.T) {
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "example2",
 				Namespace: "ns1",
-				Labels:    map[string]string{"app": "authserver"},
+				Labels:    map[string]string{"auth.contour.snappcloud.io/type": "basic"},
 				Annotations: map[string]string{
-					AnnotationAuthType:  "basic",
 					AnnotationAuthRealm: "*",
 				},
 			},
@@ -119,7 +98,7 @@ func TestHtpasswdAuth(t *testing.T) {
 		},
 	)
 
-	selector, err := labels.Parse("app=authserver")
+	selector, err := labels.Parse("auth.contour.snappcloud.io/type=basic")
 	if err != nil {
 		t.Fatalf("failed to parse selector: %s", err)
 	}
@@ -158,9 +137,7 @@ func TestHtpasswdAuth(t *testing.T) {
 	//nolint:lll
 	assert.False(t, auth.Match("notmatched", "notmatched", "notmatched/notmatched-label"), "auth for notmatched:notmatched should fail (filtered by label selector)")
 	//nolint:lll
-	assert.False(t, auth.Match("notmatched", "notmatched", "notmatched/notmatched-annotation-auth-realm"), "auth for notmatched:notmatched should fail (filtered by wrong annotation)")
-	//nolint:lll
-	assert.False(t, auth.Match("notmatched", "notmatched", "notmatched/notmatched-annotation-auth-type"), "auth for notmatched:notmatched should fail (filtered by wrong annotation)")
+	assert.False(t, auth.Match("notmatched", "notmatched", "notmatched/notmatched-annotation"), "auth for notmatched:notmatched should fail (filtered by wrong annotation)")
 
 	// Check an unauthorized response.
 	response, err := auth.Check(context.TODO(), &Request{