Auth support in frontends #3559
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mmatur
added
status/2-needs-review
kind/enhancement
ldez
suggested changes
Jul 4, 2018
provider/kv/kv_config.go
Outdated
| return basicAuth | ||
| } | ||
|
|
||
| // |
provider/kv/kv_config.go
Outdated
|
|
||
| // GetAuth Create auth from labels | ||
| func (p *Provider) getAuth(rootPath string) *types.Auth { | ||
|
|
There was a problem hiding this comment.
can you remove this empty line.
provider/kv/kv_config_test.go
Outdated
| @@ -24,38 +24,188 @@ func TestProviderBuildConfiguration(t *testing.T) { | |||
| kvPairs []*store.KVPair | |||
| expected *types.Configuration | |||
| }{ | |||
| //{ | |||
There was a problem hiding this comment.
could you uncomment or remove this test.
templates/ecs.tmpl
Outdated
|
|
||
| {{ $whitelist := getWhiteList $instance.TraefikLabels }} | ||
| {{ $whitelist := getWhiteList $instance.TraefikLabels }} |
There was a problem hiding this comment.
can you restore the previous line.
templates/kv.tmpl
Outdated
|
|
||
| {{ $whitelist := getWhiteList $frontend }} | ||
| {{ $whitelist := getWhiteList $frontend }} |
There was a problem hiding this comment.
can you restore the previous line.
templates/marathon.tmpl
Outdated
|
|
||
| {{ $whitelist := getWhiteList $app.SegmentLabels }} | ||
| {{ $whitelist := getWhiteList $app.SegmentLabels }} |
There was a problem hiding this comment.
can you restore the previous line.
templates/mesos.tmpl
Outdated
|
|
||
| {{ $whitelist := getWhiteList $app.TraefikLabels }} | ||
| {{ $whitelist := getWhiteList $app.TraefikLabels }} |
There was a problem hiding this comment.
can you restore the previous line.
templates/rancher.tmpl
Outdated
|
|
||
| {{ $whitelist := getWhiteList $service.SegmentLabels }} | ||
| {{ $whitelist := getWhiteList $service.SegmentLabels }} |
There was a problem hiding this comment.
can you restore the previous line.
provider/kv/kv_config.go
Outdated
| TrustForwardHeader: p.getBool(false, rootPath, pathFrontendAuthForwardTrustForwardHeader), | ||
| } | ||
|
|
||
| //TLS configuration |
There was a problem hiding this comment.
Could you add a whitespace.
// TLS configuration
provider/label/partial.go
Outdated
|
|
||
| return auth | ||
| } | ||
| return nil |
There was a problem hiding this comment.
// GetAuth Create auth from labels
func GetAuth(labels map[string]string) *types.Auth {
if !HasPrefix(labels, TraefikFrontendAuth) {
return nil
}
auth := &types.Auth{
HeaderField: GetStringValue(labels, TraefikFrontendAuthHeaderField, ""),
}
if HasPrefix(labels, TraefikFrontendAuthBasic) {
auth.Basic = getAuthBasic(labels)
} else if HasPrefix(labels, TraefikFrontendAuthDigest) {
auth.Digest = getAuthDigest(labels)
} else if HasPrefix(labels, TraefikFrontendAuthForward) {
auth.Forward = getAuthForward(labels)
}
return auth
}
ldez
added
contributor/waiting-for-documentation
and removed
contributor/waiting-for-corrections
labels
mmatur
requested changes
Jul 5, 2018
| | `<prefix>.frontend.auth.digest.users=EXPR` | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`. | | ||
| | `<prefix>.frontend.auth.digest.usersfile=/path/.htdigest` | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. | | ||
| | `<prefix>.frontend.auth.forward.address=https://example.com`| The URL of the authentication server. | | ||
| | `<prefix>.frontend.auth.forward.tls.ca=/path/ca.pem` | Set the Certificate Authority (CA) for the TLS connection with the authentication server. | |
| | `<prefix>.frontend.auth.forward.address=https://example.com`| The URL of the authentication server. | | ||
| | `<prefix>.frontend.auth.forward.tls.ca=/path/ca.pem` | Set the Certificate Authority (CA) for the TLS connection with the authentication server. | | ||
| | `<prefix>.frontend.auth.forward.tls.caOptional=true` | Check the certificates if present but do not force to be signed by a specified Certificate Authority (CA). | | ||
| | `<prefix>.frontend.auth.forward.tls.cert=/path/server.pem` | Set the Certificate for the TLS connection with the authentication server. | |
| | `<prefix>.frontend.auth.forward.tls.caOptional=true` | Check the certificates if present but do not force to be signed by a specified Certificate Authority (CA). | | ||
| | `<prefix>.frontend.auth.forward.tls.cert=/path/server.pem` | Set the Certificate for the TLS connection with the authentication server. | | ||
| | `<prefix>.frontend.auth.forward.tls.insecureSkipVerify=true`| If set to true invalid SSL certificates are accepted. | | ||
| | `<prefix>.frontend.auth.forward.tls.key=/path/server.key` | Set the Certificate for the TLS connection with the authentication server. | |
| | `<prefix>.frontend.auth.digest.usersfile=/path/.htdigest` | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. | | ||
| | `<prefix>.frontend.auth.forward.address=https://example.com`| The URL of the authentication server. | | ||
| | `<prefix>.frontend.auth.forward.tls.ca=/path/ca.pem` | Set the Certificate Authority (CA) for the TLS connection with the authentication server. | | ||
| | `<prefix>.frontend.auth.forward.tls.caOptional=true` | Check the certificates if present but do not force to be signed by a specified Certificate Authority (CA). | |
| | `traefik.frontend.auth.digest.users=EXPR` | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`. | | ||
| | `traefik.frontend.auth.digest.usersfile=/path/.htdigest` | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. | | ||
| | `traefik.frontend.auth.forward.address=https://example.com`| The URL of the authentication server. | | ||
| | `traefik.frontend.auth.forward.tls.ca=/path/ca.pem` | Set the Certificate Authority (CA) for the TLS connection with the authentication server. | |
docs/configuration/backends/mesos.md
Outdated
| | `traefik.frontend.auth.forward.tls.caOptional=true` | Check the certificates if present but do not force to be signed by a specified Certificate Authority (CA). | | ||
| | `traefik.frontend.auth.forward.tls.cert=/path/server.pem` | Set the Certificate for the TLS connection with the authentication server. | | ||
| | `traefik.frontend.auth.forward.tls.insecureSkipVerify=true`| If set to true invalid SSL certificates are accepted. | | ||
| | `traefik.frontend.auth.forward.tls.key=/path/server.key` | Set the Certificate for the TLS connection with the authentication server. | |
| | `traefik.frontend.auth.digest.users=EXPR` | Sets digest authentication to this frontend in CSV format: `User:Realm:Hash,User:Realm:Hash`. | | ||
| | `traefik.frontend.auth.digest.usersfile=/path/.htdigest` | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. | | ||
| | `traefik.frontend.auth.forward.address=https://example.com`| The URL of the authentication server. | | ||
| | `traefik.frontend.auth.forward.tls.ca=/path/ca.pem` | Set the Certificate Authority (CA) for the TLS connection with the authentication server. | |
| | `traefik.frontend.auth.digest.usersfile=/path/.htdigest` | Sets digest authentication with an external file; if users and usersFile are provided, both are merged, with external file contents having precedence. | | ||
| | `traefik.frontend.auth.forward.address=https://example.com`| The URL of the authentication server. | | ||
| | `traefik.frontend.auth.forward.tls.ca=/path/ca.pem` | Set the Certificate Authority (CA) for the TLS connection with the authentication server. | | ||
| | `traefik.frontend.auth.forward.tls.caOptional=true` | Check the certificates if present but do not force to be signed by a specified Certificate Authority (CA). | |
| | `traefik.frontend.auth.forward.address=https://example.com`| The URL of the authentication server. | | ||
| | `traefik.frontend.auth.forward.tls.ca=/path/ca.pem` | Set the Certificate Authority (CA) for the TLS connection with the authentication server. | | ||
| | `traefik.frontend.auth.forward.tls.caOptional=true` | Check the certificates if present but do not force to be signed by a specified Certificate Authority (CA). | | ||
| | `traefik.frontend.auth.forward.tls.cert=/path/server.pem` | Set the Certificate for the TLS connection with the authentication server. | |
| | `traefik.frontend.auth.forward.tls.caOptional=true` | Check the certificates if present but do not force to be signed by a specified Certificate Authority (CA). | | ||
| | `traefik.frontend.auth.forward.tls.cert=/path/server.pem` | Set the Certificate for the TLS connection with the authentication server. | | ||
| | `traefik.frontend.auth.forward.tls.insecureSkipVerify=true`| If set to true invalid SSL certificates are accepted. | | ||
| | `traefik.frontend.auth.forward.tls.key=/path/server.key` | Set the Certificate for the TLS connection with the authentication server. | |
mmatur
requested changes
Jul 5, 2018
provider/marathon/config_test.go
Outdated
| "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", | ||
| "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0", | ||
| Auth: &types.Auth{ | ||
| //HeaderField: "X-WebAuth-User", |
provider/marathon/config_test.go
Outdated
| Basic: &types.Basic{ | ||
| Users: []string{"test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", | ||
| "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"}, | ||
| //UsersFile: ".htpasswd", |
templates/kv.tmpl
Outdated
| {{end}} | ||
|
|
||
| {{if $auth.Digest }} | ||
| [frontends.{{ $frontendName }}.auth.digest] |
There was a problem hiding this comment.
Why there are no " for {{ $frontendName }}?
templates/kv.tmpl
Outdated
| {{end}} | ||
|
|
||
| {{if $auth.Basic }} | ||
| [frontends.{{ $frontendName }}.auth.basic] |
There was a problem hiding this comment.
Why there are no " for {{ $frontendName }}?
templates/kv.tmpl
Outdated
| trustForwardHeader = {{ $auth.Forward.TrustForwardHeader }} | ||
|
|
||
| {{if $auth.Forward.TLS }} | ||
| [frontends.{{ $frontendName }}.auth.forward.tls] |
There was a problem hiding this comment.
Why there are no " for {{ $frontendName }}?
templates/mesos.tmpl
Outdated
|
|
||
| {{if $auth.Digest }} | ||
| [frontends.frontend-{{ $frontendName }}.auth.digest] |
There was a problem hiding this comment.
Why there are no " for frontend-{{ $frontendName }}?
templates/rancher.tmpl
Outdated
| headerField = "{{ $auth.HeaderField }}" | ||
|
|
||
| {{if $auth.Forward }} | ||
| [frontends.frontend-{{ $frontendName }}.auth.forward] |
There was a problem hiding this comment.
Why there are no " for frontend-{{ $frontendName }}?
templates/rancher.tmpl
Outdated
| trustForwardHeader = {{ $auth.Forward.TrustForwardHeader }} | ||
|
|
||
| {{if $auth.Forward.TLS }} | ||
| [frontends.frontend-{{ $frontendName }}.auth.forward.tls] |
There was a problem hiding this comment.
Why there are no " for frontend-{{ $frontendName }}?
templates/rancher.tmpl
Outdated
| {{end}} | ||
|
|
||
| {{if $auth.Basic }} | ||
| [frontends.frontend-{{ $frontendName }}.auth.basic] |
There was a problem hiding this comment.
Why there are no " for frontend-{{ $frontendName }}?
templates/rancher.tmpl
Outdated
| {{end}} | ||
|
|
||
| {{if $auth.Digest }} | ||
| [frontends.frontend-{{ $frontendName }}.auth.digest] |
There was a problem hiding this comment.
Why there are no " for frontend-{{ $frontendName }}?
jbdoumenjou
force-pushed
the
feature/auth_frontend
branch
from
e2b6aef to
543c282
Compare
|
@jbdoumenjou on your branch it is remaining this part Is it normal? |
jbdoumenjou
force-pushed
the
feature/auth_frontend
branch
from
7df06f3 to
f805d21
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Authentication support in frontends for the following providers:
Motivation
Fixes #2116, #2162, #2734
Related to #1465, #3460
More