HAProxy Ingress Basic Authentication
This example demonstrates how to configure Basic Authentication on the HAProxy Ingress controller.
Prerequisites
This document has the following prerequisites:
- Deploy HAProxy Ingress controller; you should end up with the controller, a sample web app and an ingress resource to the foo.bar domain
- Feature not on stable version; use the canary tag
As mentioned in the deployment instructions, you MUST turn down any existing ingress controllers before running HAProxy Ingress.
Using Basic Authentication
HAProxy Ingress reads users and passwords from an auth file stored in a secret, one user
and password per line. The secret name, realm and type are configured with annotations
in the ingress resource:
- ingress.kubernetes.io/auth-type: the only supported type is basic
- ingress.kubernetes.io/auth-realm: an optional string with authentication realm
- ingress.kubernetes.io/auth-secret: name of the secret
Each line of the auth file should have:
- user and insecure password separated with a pair of colons: <username>::<plain-text-passwd>; or
- user and an encrypted password separated with a colon: <username>:<encrypted-passwd>
HAProxy evaluates encrypted passwords with the crypt function. Use mkpasswd or
makepasswd to create one. mkpasswd is available in the Alpine Linux container.
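To review an auth file before it is stored in a secret, the two line formats described above can be parsed and each entry labelled by how its password is stored. This is an added example, not code from the HAProxy Ingress project; the function names, the weak/ok policy and the `alice` entry are assumptions of the example, and which crypt schemes are accepted depends on the crypt implementation HAProxy runs against.

```python
import re

# Traditional DES crypt(3): 2 salt chars + 11 hash chars from [./0-9A-Za-z].
# It only considers the first 8 characters of the password.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format prefixes and the scheme each one selects.
MCF_PREFIXES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}
# Policy assumed by this example: everything except the SHA-2 schemes is flagged.
WEAK = {"plaintext", "des-crypt", "md5-crypt", "unknown", "malformed"}


def classify(line):
    """Return (user, scheme) for one auth-file line, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    user, sep, rest = line.partition(":")
    if not sep or not user or not rest:
        return (user or line, "malformed")
    if rest.startswith(":"):
        # <username>::<plain-text-passwd>
        return (user, "plaintext" if rest[1:] else "malformed")
    for prefix, scheme in MCF_PREFIXES.items():
        if rest.startswith(prefix):
            return (user, scheme)
    if DES_CRYPT.match(rest):
        return (user, "des-crypt")
    return (user, "unknown")


def audit(text):
    """Return (user, scheme, flagged) for every entry in the auth file."""
    entries = filter(None, map(classify, text.splitlines()))
    return [(user, scheme, scheme in WEAK) for user, scheme in entries]


# Constructed sample: the john and jane entries used on this page, plus a
# made-up sha512-crypt entry whose salt and hash are placeholders.
SAMPLE = """\
john::admin
jane:E5BrlrQ5IXYK2
alice:$6$examplesalt$PLACEHOLDERHASH
"""

if __name__ == "__main__":
    for user, scheme, flagged in audit(SAMPLE):
        print(f"{user:8} {scheme:13} {'WEAK' if flagged else 'ok'}")
```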
Configure
Create a secret for our users:
- john with password admin, using an insecure plain text password
- jane with password guest, using an encrypted password
$ mkpasswd -m des ## a short, des encryption, syntax from Busybox on Alpine Linux
Password: (type 'guest' and press Enter)
E5BrlrQ5IXYK2
$ cat >auth <<EOF
john::admin
jane:E5BrlrQ5IXYK2
EOF
$ kubectl create secret generic mypasswd --from-file auth
$ rm -fv auth
Annotate the ingress resource created in a previous step:
$ kubectl annotate ingress/app \
ingress.kubernetes.io/auth-type=basic \
ingress.kubernetes.io/auth-realm="My Server" \
ingress.kubernetes.io/auth-secret=mypasswd
Test without user and password:
$ curl -i 172.17.4.99:30876 -H 'Host: foo.bar'
HTTP/1.0 401 Unauthorized
Cache-Control: no-cache
Connection: close
Content-Type: text/html
WWW-Authenticate: Basic realm="My Server"
<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>
Send a valid user:
$ curl -i -u 'john:admin' 172.17.4.99:30876 -H 'Host: foo.bar'
HTTP/1.1 200 OK
Server: nginx/1.9.11
Date: Sun, 05 Mar 2017 19:22:33 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
CLIENT VALUES:
client_address=10.2.18.5
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://foo.bar:8080/
Using the jane:guest user and password should produce the same output.