Add HTTP Basic Auth support #96
Conversation
This commit adds the support to run ironic using `http_basic`. To enable that it is necessary to set USE_HTTP_BASIC to true, and also specify values for the following environment variables:
- IRONIC_HTTP_BASIC_USERNAME
- IRONIC_HTTP_BASIC_PASSWORD
(cherry picked from commit a7ee6b6)
By default, ironic-conductor currently binds to any IP address, so it is accessible outside of the pod. When no authentication method is used for json-rpc, bind only to localhost so that only other containers in the same pod can connect to the json-rpc server. This will break any deployments that put ironic-conductor and ironic-api in separate pods but do not specify basic_auth. This is probably a good thing. (cherry picked from commit 5392a56)
(cherry picked from commit 8d9a1c4)
* Allow basic_auth to be configured independently on different interfaces, based on the presence of the required configuration data, rather than using a single global USE_HTTP_BASIC environment variable.
* Expect all server credentials to be passed in the form of an HTTP_BASIC_HTPASSWD environment variable containing both the username and the *hash* of the password, in the htpasswd format. This is more secure, as it allows containers not to hold a copy of the password when they don't need it purely for authenticating connections.
* Keep server auth user files locally rather than on the /shared volume, so that different servers can have different credentials.
* Expect client credentials to be passed in the form of a file named /auth/ironic-inspector/auth-config (for ironic-inspector) or /auth/ironic-rpc/auth-config (for the json-rpc interface to ironic-conductor), formatted as an ini config file setting the appropriate options (for basic auth, this is auth_strategy=http_basic, and the username and password options; however this mechanism should work unchanged for other auth strategies). This is more secure because in k8s the password is never passed as an environment variable nor written to disk, but remains in a tmpfs filesystem.
(cherry picked from commit a6bfc7b)
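As an added example (not the ironic-image project's own scripts), the following POSIX shell functions sketch the two halves of the scheme described in the commit above: checking that a server-side HTTP_BASIC_HTPASSWD value really is a `user:hash` htpasswd entry rather than a plaintext password before installing it in a server-local file, and rendering the client-side auth-config ini file. The function names, the `json_rpc` section name and the sample hash values are assumptions.

```shell
#!/bin/sh
# Added example, not part of ironic-image. Demonstrates the credential-handling
# rules from the PR: server side gets only a username plus password *hash*
# (htpasswd format), kept in a per-server local file; client side gets an ini
# file with auth_strategy/username/password.

# Accept only "user:hash" where the hash carries a recognised htpasswd digest
# prefix. A value without a known prefix is treated as a plaintext password,
# which the PR's design explicitly avoids handing to servers.
validate_htpasswd_entry() {
    entry="$1"
    case "$entry" in
        *:*) ;;
        *) return 1 ;;
    esac
    user="${entry%%:*}"
    hash="${entry#*:}"
    [ -n "$user" ] || return 1
    case "$hash" in
        '$2y$'*|'$2a$'*|'$2b$'*|'$apr1$'*|'{SHA}'*|'$5$'*|'$6$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a validated entry to a server-local htpasswd file (mode 0600), not to
# the /shared volume, so each server can carry different credentials.
install_htpasswd_file() {
    entry="$1"; dest="$2"
    validate_htpasswd_entry "$entry" || return 1
    ( umask 077; printf '%s\n' "$entry" > "$dest" )
}

# Render the client ini file a consumer reads from a tmpfs mount such as
# /auth/ironic-rpc/auth-config. The section name is a placeholder assumption.
render_auth_config() {
    section="$1"; user="$2"; password="$3"; dest="$4"
    ( umask 077
      printf '[%s]\nauth_strategy = http_basic\nusername = %s\npassword = %s\n' \
          "$section" "$user" "$password" > "$dest" )
}
```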
[APPROVALNOTIFIER] This PR is APPROVED. This pull request has been approved by: dhellmann, juliakreger, zaneb.