Auth support in frontends for k8s and file #3460
Conversation
Please note that the integration tests run (at least in my environment), but the test-server seems to have had issues:
Thanks @ldez , I fixed those issues and other issues appeared, they do however seem unrelated to the changes in this PR.
I can dive into this if it is not an already known issue. The acme code seems to be somewhat volatile; is there a preferred branch I can rebase on?
@Zatte Could you rebase on You also have to add the feature for all providers:
Then I assume the current approach is acceptable, and no major architecture changes are planned. I'll start looking into adding more providers but have limited time to allocate to this PR atm. Contributions welcome. Todo (I will keep this updated as I progress):
Branch force-pushed from eb3b931 to 619e02a.
Looking good.
Here is some k8s feedback!
provider/kubernetes/annotations.go
@@ -9,6 +9,10 @@ const ( | |||
annotationKubernetesAuthRealm = "ingress.kubernetes.io/auth-realm" | |||
annotationKubernetesAuthType = "ingress.kubernetes.io/auth-type" | |||
annotationKubernetesAuthSecret = "ingress.kubernetes.io/auth-secret" | |||
annotationKubernetesForwardAuthURL = "ingress.kubernetes.io/auth-forward-url" |
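Review bot: the new constant annotationKubernetesForwardAuthURL breaks the auth-<property> naming pattern of the three entries directly above it (auth-realm, auth-type, auth-secret); renaming the annotation to "ingress.kubernetes.io/auth-url" keeps the block consistent and matches the key users already know from ingress-nginx. The new annotation also needs a row in the Kubernetes provider documentation next to the existing auth annotations so that the auth-type value that activates it is discoverable.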
In keeping with other ingress controllers, perhaps auth-url should be used instead: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
provider/kubernetes/annotations.go
annotationKubernetesForwardAuthURL = "ingress.kubernetes.io/auth-forward-url" | ||
annotationKubernetesForwardAuthTrustHeaders = "ingress.kubernetes.io/auth-forward-trust-headers" | ||
annotationKubernetesForwardAuthTLSCert = "ingress.kubernetes.io/auth-forward-tls-cert" | ||
annotationKubernetesForwardAuthTLSKey = "ingress.kubernetes.io/auth-forward-tls-key" |
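Review bot: annotationKubernetesForwardAuthTLSCert and annotationKubernetesForwardAuthTLSKey put certificate and private-key material directly into Ingress annotations, which are readable by anyone with get/list on ingresses, are printed by kubectl describe, and do not get the encryption-at-rest and RBAC treatment that Secrets can be given; replace both with a single "ingress.kubernetes.io/auth-tls-secret" annotation naming a Secret in the Ingress namespace and resolve it through the k8sClient the same way annotationKubernetesAuthSecret is resolved for basic auth.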
Private keys should never be used in annotations. These should be in secrets, and referenced via an auth-tls-secret annotation, just like with basic auth :)
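As an added illustration of the secret-reference pattern suggested in this review (example code written for this page, not code from the PR or from Traefik), the following Go function parses the forward-auth annotations of one Ingress: it requires auth-type "forward" and a non-empty http(s) auth-url, refuses the PR's inline auth-forward-tls-key annotation outright, and loads client-certificate material from a Secret named by a hypothetical auth-tls-secret annotation. ForwardAuth and SecretGetter are simplified stand-ins for Traefik's types.Forward and its Kubernetes client; every annotation name other than the PR's own is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Annotation keys. auth-url and auth-tls-secret are the names proposed in
// review (assumed here); auth-forward-tls-key is the PR's inline-key
// annotation, kept only so the parser can refuse it explicitly.
const (
	annAuthType         = "ingress.kubernetes.io/auth-type"
	annAuthURL          = "ingress.kubernetes.io/auth-url"
	annAuthTrustHeaders = "ingress.kubernetes.io/auth-forward-trust-headers"
	annAuthTLSSecret    = "ingress.kubernetes.io/auth-tls-secret"
	annAuthTLSKeyInline = "ingress.kubernetes.io/auth-forward-tls-key"
)

// ForwardAuth is a simplified stand-in for Traefik's types.Forward.
type ForwardAuth struct {
	Address            string
	TrustForwardHeader bool
	TLSCert            []byte
	TLSKey             []byte
}

// SecretGetter stands in for the provider's Kubernetes client: it returns the
// data map of Secret namespace/name, or an error if it does not exist.
type SecretGetter func(namespace, name string) (map[string][]byte, error)

func getStringValue(ann map[string]string, key, def string) string {
	if v, ok := ann[key]; ok {
		return v
	}
	return def
}

// handleForwardAuthConfig builds the forward-auth config for one Ingress.
// It returns (nil, nil) when the Ingress does not ask for forward auth.
func handleForwardAuthConfig(namespace string, ann map[string]string, getSecret SecretGetter) (*ForwardAuth, error) {
	if !strings.EqualFold(getStringValue(ann, annAuthType, ""), "forward") {
		return nil, nil
	}
	// Private-key material must never travel in an annotation.
	if _, present := ann[annAuthTLSKeyInline]; present {
		return nil, fmt.Errorf("%s is not supported: reference a Secret via %s", annAuthTLSKeyInline, annAuthTLSSecret)
	}
	rawURL := getStringValue(ann, annAuthURL, "")
	if rawURL == "" {
		return nil, fmt.Errorf("auth-type forward requires %s", annAuthURL)
	}
	u, err := url.Parse(rawURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return nil, fmt.Errorf("invalid forward auth URL %q", rawURL)
	}
	fa := &ForwardAuth{Address: rawURL}

	trust, err := strconv.ParseBool(getStringValue(ann, annAuthTrustHeaders, "false"))
	if err != nil {
		return nil, fmt.Errorf("%s must be a boolean: %w", annAuthTrustHeaders, err)
	}
	fa.TrustForwardHeader = trust

	// Client certificate for the auth server comes from a Secret, never inline.
	if name := getStringValue(ann, annAuthTLSSecret, ""); name != "" {
		data, err := getSecret(namespace, name)
		if err != nil {
			return nil, fmt.Errorf("loading secret %s/%s: %w", namespace, name, err)
		}
		cert, key := data["tls.crt"], data["tls.key"]
		if len(cert) == 0 || len(key) == 0 {
			return nil, fmt.Errorf("secret %s/%s must contain tls.crt and tls.key", namespace, name)
		}
		fa.TLSCert, fa.TLSKey = cert, key
	}
	return fa, nil
}

func main() {
	// Constructed in-memory "cluster" holding a single TLS secret.
	secrets := func(ns, name string) (map[string][]byte, error) {
		if ns == "default" && name == "auth-client-tls" {
			return map[string][]byte{"tls.crt": []byte("CERT-PEM"), "tls.key": []byte("KEY-PEM")}, nil
		}
		return nil, errors.New("secret not found")
	}
	ann := map[string]string{
		annAuthType:         "forward",
		annAuthURL:          "https://auth.internal.example/verify",
		annAuthTrustHeaders: "true",
		annAuthTLSSecret:    "auth-client-tls",
	}
	fa, err := handleForwardAuthConfig("default", ann, secrets)
	fmt.Printf("%+v err=%v\n", fa, err)
}
```

Returning (nil, nil) for an Ingress without auth-type forward lets the caller fall through to the other auth types, while every malformed or unsafe configuration is a hard error rather than a silently empty forward-auth address.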
provider/kubernetes/kubernetes.go
func handleForwardAuthConfig(i *extensionsv1beta1.Ingress, k8sClient Client) (*types.Auth, error) { | ||
ForwardAuth := &types.Forward{} | ||
|
||
ForwarURL := getStringValue(i.Annotations, annotationKubernetesForwardAuthURL, "") |
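Review bot: handleForwardAuthConfig reads ForwarURL with an empty-string default, and nothing in the hunk checks it, so an Ingress that selects forward auth but omits the URL annotation would be turned into a forward-auth config with an empty address; return an error when the value is empty (and reject anything that is not an http or https URL) before the *types.Forward is populated. Also, ForwardAuth and ForwarURL are local variables and should be lowerCamelCase per Go convention (forwardAuth, forwardURL), and the missing "d" in ForwarURL is a typo.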
Why ForwarURL and not ForwardURL?
Branch force-pushed from 1338c69 to 54438e9.
Support for other providers will be in another PR.
Branch force-pushed from da1c2b3 to a4912df.
LGTM
Is there code in flight for docker anywhere? I'll do it myself if not, but I don't want to duplicate someone's work if so.
@khuey we are working to add the support for all other providers.
What does this PR do?
Adds functionality to have (all) authentication methods configurable at the front-end layer (instead of the entrypoint level). Support available in "File" and "Kubernetes" backends.
Motivation
Need to have fine-grained "service level"/"frontend" access control; the most common request is to use "Forwarder" authentication on a per-frontend basis. Full discussion in #2162.
Related to #2116, #2162 , #2734, #1465
More
I updated docs for the providers "File" and "Kubernetes" since these are my primary use cases. Updating the remaining providers should be easy but is not something I can allocate time for.
Additional Notes
Not sure how to best handle the existing BasicAuth logic. For now I left BasicAuth as is, since any changes would break configuration contracts currently in place. This means that Basic Auth can be configured in 2 places (adding confusion for users).
For Kubernetes I moved BasicAuth to use the new (generic) auth method, as it didn't change the configuration contract (k8s annotations).
I'm feeling hesitant going further with this PR without maintainer feedback.
I have updated but not rebuilt the docs.