Auth support in frontends for k8s and file

[Zatte]

What does this PR do?

Adds functionality to have (all) authentication methods configurable at the front-end layer (instead of the entrypoint level). Support available in "File" and "Kubernetes" backends.

Motivation

Need to have fine grained "service level"/"frontend" access control, most common request is to use "Forwarder" authentication on a per frontend basis; Full discussion in #2162

Related to #2116, #2162 , #2734, #1465

More

• Added/updated tests
• Added/updated documentation

I updated docs for the providers "File" and "Kubernetes" since these are my primary use cases. Updating the remaining providers should be easy but not something i can not allocate time for.

Additional Notes

Not sure how to best handle the existing BasicAuth logic. For now i left BasicAuth as is since any changes would break configuration contracts currently in place. This means that Basic Auth can be configured in 2 places (adding confusion for users).

For Kubernetes I moved BasicAuth to use the new (generic) auth method as it didn't change the configuration contract (k8 annotations)

I'm feeling hesitant going further with this PR without maintainer feedback.

I have updated but not rebuilt the docs.

[Zatte]

Please note that the integration tests run (at least in my environment) but the test-server seem to have had issues:
https://semaphoreci.com/containous/traefik/branches/pull-request-3460/builds/1
if [ -n "$SHOULD_TEST" ]; then ci_retry make pull-images; fi
=>

Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
make: *** [pull-images] Error 123
make pull-images failed, attempt 3/3```

[ldez]

@Zatte

---> Making bundle: validate-golint (in .)
Errors from golint:
provider/kubernetes/builder_configuration_test.go:224:25: func parameter forwardUrl should be forwardURL
testhelpers/config.go:147:1: comment on exported function WithFrontEndAuth should be of the form "WithFrontEndAuth ..."

Please fix the above errors. You can test via "golint" and commit the result.

make: *** [validate] Error 1
make validate failed, attempt 3/3

[Zatte]

Thanks @ldez , I fixed those issues and other issues appeared, they do however seem unrelated to the changes in this PR.

----------------------------------------------------------------------
FAIL: acme_test.go:160: AcmeSuite.TestOnDemandRetrieveAcmeCertificateWithWildcard

acme_test.go:167:
    s.retrieveAcmeCertificate(c, testCase)
acme_test.go:286:
    c.Assert(err, checker.IsNil)
... value *errors.errorString = &errors.errorString{s:"try operation failed: domain traefik.acme.wtf found instead of *.acme.wtf"} ("try operation failed: domain traefik.acme.wtf found instead of *.acme.wtf")
----------------------------------------------------------------------

I can dive into this if it is not an already known issue. The acme code seem to be somewhat volatile, is there a preferred branch i can rebase on?

[ldez]

@Zatte Could you rebase on master?

You also have to add the feature for all providers:

• File
• k8s
• Docker
• Rancher
• Consul Catalog
• Marathon
• Mesos
• ECS
• KV

[Zatte]

Then i assume the current approach is acceptable, and no major architecture changes are planned.

I'll start looking into adding more providers but have limited time to allocate on this PR atm. Contributions welcome.

Todo (I will keep this updated as I progress):

• Rebase
• File
• k8s
• KV
• Docker
• Rancher
• Consul Catalog
• Marathon
• Mesos
• ECS

[dtomcej]

Looking good.

Here is some k8s feedback!

[dtomcej]

In keeping in line with other ingress controllers, perhaps auth-url should be used instead: (https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md)

[dtomcej]

Private keys should never be used in annotations.

These should be in secrets, and referenced via a auth-tls-secret annotation, just like with basic auth :)

[dtomcej]

why ForwarURL and not ForwardURL?

[ldez]

Support for other providers will be in another PR.

[mmatur]

LGTM

[khuey]

Is there code in flight for docker anywhere? I'll do it myself if not but I don't want to duplicate someone's work if so.

[ldez]

@khuey we are working to add the support for all other providers.
A PR will coming soon.