Add basic auth to kubernetes provider

[alpe]

This will add the kubernetes provider for basic authentication. Thanks to @SantoDE for #1147.

Some constraints:

• Basic authentication only
• Realm not configurable; only traefikdefault
• Secret is in same namespace as ingress rule
• Secret must contain only single file (*)

(*) otherwise we can have some conventions here like key name (pattern)

Example

Based on https://docs.traefik.io/user-guide/kubernetes/

• Encode credentials
  htpasswd -c ./auth jane
• Deploy a secret to k8s
  kubectl --namespace=kube-system create secret generic mysecret --from-file auth
• Deploy ingress

apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
  annotations:
    ingress.kubernetes.io/auth-type: "basic"
    ingress.kubernetes.io/auth-secret: "mysecret"
spec:
  rules:
  - host: traefik-ui.local
    http:
      paths:
      - backend:
          serviceName: traefik-web-ui
          servicePort: 80

Note the two annotations to enable basic auth and link the secret

[errm]

LGTM apart from the one small spelling error

[errm]

-nost- not

[SantoDE]

LGTM 👼

@alpe squash and rebase please ;-)

[timoreimann]

Left a few comments.

I notice that most of the unhappy paths are not test-covered. Can we improve here? You already added the necessary secret stub.

[timoreimann]

Typo (secet -> secret)

[timoreimann]

Could we please put the entire block in a separate function?

loadIngresses is already pretty big.

[timoreimann]

Can we do this check before the happy path so that we don't need the else?

[alpe]

The condition was authType != "" && strings.ToLower(authType) == "basic" for the error. The else block made sense but it's better in the extracted method.

[timoreimann]

This block lends itself to a switch statement IMHO.

[alpe]

The order of the conditions matter. The switch works top down when multiple conditions are true. So that's fine but it feels more fragile that I'll add note to keep the order.

[timoreimann]

Can we rephrase this without the nil for the user? What does a nil secret imply?

[alpe]

Why can this be nil anyway when ok is true? I was wondering a lot when I ran into this but I did not spent time investigating.

[timoreimann]

My guess is it won't ever be nil unless ok is false or err is non-nil. The pointer is probably for performance / in-place-update reasons.

[timoreimann]

Improvement suggestion: "multiple secrets are not supported".

[alpe]

Data can have 0 elements, too. I think this is a temporary solution until we have some convention for a key name or pattern.

[timoreimann]

Ok.

[timoreimann]

Why not firstElement := secret.Data[0]? We have already asserted there's only a single element.

[alpe]

Data is a map

[timoreimann]

Ah true, missed that. 👍

[timoreimann]

Variable name is not ideal. Maybe firstSecret instead?

[timoreimann]

Typo.

[timoreimann]

This should not reuse apiServiceError but get its own field.

[alpe]

I have applied most of the review comments @timoreimann requested. Thanks for the feedback! The test coverage and documentation can be better. I may be able to do a little bit more end of the week.

[timoreimann]

Thanks @alpe, looking pretty good now.

A bit of documentation (especially with regards to the limitations mentioned in the PR) and coverage of the important unhappy paths would be great to have. 👍

[emilevauge]

Ping @alpe

[ldez]

Documentation added

documentation added

[kekoav]

@alpe @timoreimann I know this is done but I was reviewing due to #1596 and saw this:
https://github.com/containous/traefik/blob/master/provider/kubernetes/client.go#L266

// fireEvent checks if all controllers have synced before firing
// Used after startup or a reconnect
func (c *clientImpl) fireEvent(event interface{}, eventCh chan interface{}) {
	if !c.ingController.HasSynced() || !c.svcController.HasSynced() || !c.epController.HasSynced() {
		return
	}
	eventHandlerFunc(eventCh, event)
}

Was excluding the new secController from this check for "all controllers" intentional?

[timoreimann]

Side question: What do we need the secController for exactly?

I'm really not too deep into that part of the code. What I know though is that we use various events as a trigger to poll the k8s APIs. Does the secController make sure we do that for Secrets events as well? If so, can such events ever indicate a state change relevant for Traefik?

[shadycuz]

@alpe These instuctions

Encode credentials
htpasswd -c ./auth jane
Deploy a secret to k8s
kubectl --namespace=kube-system create secret generic mysecret --from-file auth

are not on the traefik website and it was very hard to eventually track down this PR and find the example for creating the secret.

[alpe]

@shadycuz Apologies, this could have been better. I had very limited time to work on this when I contributed the code. I'm happy that you find it useful. I am very sure the community will appreciate it when you could help with some doc so that it is easier for others to setup the basic auth.

[shadycuz]

@alpe I can do that from what I know and what I see in this PR, but I have other questions, for example can we generate the secret according to instructions for generating the web dashboard auth?

Passwords can be encoded in MD5, SHA1 and BCrypt: you can use htpasswd to generate those ones.

as long as its USERNAME:ENCRYPTEDPASSWORD ?

[ldez]

https://docs.traefik.io/configuration/backends/kubernetes/#authentication

[erkolson]

Probably not the right place to post this, please tell me somewhere else that is more appropriate...

I think it is problematic to grant permission to get every secret in the kube-system namespace. It seems like the RBAC constraints should be limited to a specific secret resource or pattern for the secret name, for example:

rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
    resourceNames:
      - "traefik-*"

A small constraint on the user's secret name would make it a lot safer to run in the kube-system namespace.

[ldez]

@erkolson Could ask your question on the Traefik community Slack channel or Stack Overflow using the "traefik" tag