Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding an explanation how to use htpasswd for k8s secret #6194

Merged
merged 4 commits into from Jan 20, 2020
Merged

Adding an explanation how to use htpasswd for k8s secret #6194

merged 4 commits into from Jan 20, 2020

Conversation

jamct
Copy link
Contributor

@jamct jamct commented Jan 18, 2020

What does this PR do?

The tip to use htpasswd was not very clear. You have to encode the result to base64. Adding an example command.

Motivation

Make it easier to use basic auth and generate a base64 encoded string.

More

  • Added/updated documentation

@traefiker traefiker added this to the 2.1 milestone Jan 18, 2020
@ldez ldez added this to To review in v2 via automation Jan 18, 2020
@ldez
Copy link
Member

ldez commented Jan 18, 2020
edited

Hello,

You don't need to encode the result to base64.

I think you are using a docker-compose file, so you need to escape $ as explained here

Note: all dollar signs in the hash need to be doubled for escaping.
To create user:password pair, it's possible to use this command:
echo $(htpasswd -nb user password) | sed -e s/\$/\$\$/g

You can try it with this simple example:

version: "3.7"

services:

  traefik:
    image: traefik:v2.1.2
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --api
      - --providers.docker.exposedbydefault=false
    ports:
      - 80:80
      - 443:443
    labels:
      traefik.enable: true

      traefik.http.routers.traefik.rule: Host(`traefik.localhost`)
      traefik.http.routers.traefik.service: api@internal
      traefik.http.routers.traefik.entrypoints: web

      # echo $(htpasswd -bnBC 10 admin secret) | sed -e s/\\$/\\$\\$/g
      # curl -u admin:secret http://whoami.localhost
      traefik.http.middlewares.auth.basicauth.users: admin:$$2y$$10$$zdGj/1e2U9K1S1kSyI3dqu.XLOkMwvU7RFuR.54.Wwy36iSrB13te

      # htpasswd -bnBC 10 admin admin | openssl base64
      # curl -u admin:admin http://whoami.localhost
      # Doesn't work: level=error msg="error parsing BasicUser: YWRtaW46JDJ5JDEwJEZHYVN0YnR2Q0JjZWswdGczUWdMYU8yWWViMHNLSlpZT3o4STgub2w1OFNQTmNQRjd5WXpPCgo="
      # traefik.http.middlewares.auth.basicauth.users: YWRtaW46JDJ5JDEwJEZHYVN0YnR2Q0JjZWswdGczUWdMYU8yWWViMHNLSlpZT3o4STgub2w1OFNQTmNQRjd5WXpPCgo=

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  whoami:
    image: containous/whoami:v1.4.0
    labels:
      traefik.enable: true

      traefik.http.routers.whoami.rule: Host(`whoami.localhost`)
      traefik.http.routers.whoami.entrypoints: web
      traefik.http.routers.whoami.middlewares: auth

@jamct
Copy link
Contributor Author

jamct commented Jan 18, 2020

@ldez: I tried to deploy on Kubernetes and got an error saying "invalid base64..."
It worked when I encoded it to base64.

@ldez
Copy link
Member

ldez commented Jan 18, 2020
edited

So the base64 is not required for all providers: only for K8s secret.

The base64 encoding is a requirement of Secret, as you can see in the IngressRoute example.

So, you can add a comment in the IngressRoute example to explain that (like in the Docker example), but it cannot be a global tip.

Could you edit your PR, thank you.

jamct
jamct commented Jan 18, 2020
View reviewed changes
Copy link
Contributor Author

@jamct jamct left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

moving the explanation to the right place.

ldez
ldez approved these changes Jan 18, 2020
View reviewed changes
Copy link
Member

@ldez ldez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 👍

@ldez ldez changed the title Adding an explanation how to use htpasswd Adding an explanation how to use htpasswd for k8s secret Jan 18, 2020
@jamct
Copy link
Contributor Author

jamct commented Jan 18, 2020

Thanks @ldez for clarification and quick approval.

mpl
mpl requested changes Jan 20, 2020
View reviewed changes
docs/content/middlewares/basicauth.md Outdated Show resolved Hide resolved
juliens
juliens approved these changes Jan 20, 2020
View reviewed changes
Copy link
Member

@juliens juliens left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

jamct and others added 4 commits January 20, 2020 12:12
@traefiker traefiker merged commit 8d467dd into traefik:v2.1 Jan 20, 2020
v2 automation moved this from To review to Done Jan 20, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juliens juliens juliens approved these changes

@mpl mpl mpl approved these changes

@ldez ldez ldez approved these changes

Assignees
No one assigned
Labels
area/documentation area/middleware size/S
Projects
No open projects
v2
Done
Milestone
2.1
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@jamct @ldez @juliens @mpl @traefiker