Use authentication and add example
This commit is contained in:
Manuel de Brito Fontes
parent
8fd6ec61fe
commit
221b823ca7
5 changed files with 284 additions and 56 deletions
|
|
@ -17,10 +17,13 @@ limitations under the License.
|
|||
package auth
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
"regexp"
|
||||
|
||||
"github.com/golang/glog"
|
||||
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/apis/extensions"
|
||||
|
|
@ -33,11 +36,19 @@ const (
|
|||
authRealm = "ingress-nginx.kubernetes.io/auth-realm"
|
||||
|
||||
defAuthRealm = "Authentication Required"
|
||||
|
||||
// DefAuthDirectory default directory used to store files
|
||||
// to authenticate request in NGINX
|
||||
DefAuthDirectory = "/etc/nginx/auth"
|
||||
)
|
||||
|
||||
func init() {
|
||||
// TODO: check permissions required
|
||||
os.MkdirAll(DefAuthDirectory, 0655)
|
||||
}
|
||||
|
||||
var (
|
||||
authTypeRegex = "basic|digest"
|
||||
authDir = "/etc/nginx/auth"
|
||||
authTypeRegex = regexp.MustCompile(`basic|digest`)
|
||||
|
||||
// ErrInvalidAuthType is return in case of unsupported authentication type
|
||||
ErrInvalidAuthType = errors.New("invalid authentication type")
|
||||
|
|
@ -47,14 +58,27 @@ var (
|
|||
|
||||
// ErrMissingSecretName is returned when the name of the secret is missing
|
||||
ErrMissingSecretName = errors.New("secret name is missing")
|
||||
|
||||
// ErrMissingAuthInSecret is returned when there is no auth key in secret data
|
||||
ErrMissingAuthInSecret = errors.New("the secret does not contains the auth key")
|
||||
)
|
||||
|
||||
// ErrMissingAnnotations is returned when the ingress rule
|
||||
// does not contains annotations related with authentication
|
||||
type ErrMissingAnnotations struct {
|
||||
msg string
|
||||
}
|
||||
|
||||
func (e ErrMissingAnnotations) Error() string {
|
||||
return e.msg
|
||||
}
|
||||
|
||||
// Nginx returns authentication configuration for an Ingress rule
|
||||
type Nginx struct {
|
||||
Type string
|
||||
Secret *api.Secret
|
||||
Realm string
|
||||
File string
|
||||
Type string
|
||||
Realm string
|
||||
File string
|
||||
Secured bool
|
||||
}
|
||||
|
||||
type ingAnnotations map[string]string
|
||||
|
|
@ -65,7 +89,8 @@ func (a ingAnnotations) authType() (string, error) {
|
|||
return "", ErrMissingAuthType
|
||||
}
|
||||
|
||||
if val != "basic" || val != "digest" {
|
||||
if !authTypeRegex.MatchString(val) {
|
||||
glog.Warningf("%v is not a valid authentication type", val)
|
||||
return "", ErrInvalidAuthType
|
||||
}
|
||||
|
||||
|
|
@ -90,52 +115,59 @@ func (a ingAnnotations) secretName() (string, error) {
|
|||
return val, nil
|
||||
}
|
||||
|
||||
// Parse parses the annotations contained in the ingress rule
|
||||
// used to add authentication in the paths defined in the rule
|
||||
// ParseAnnotations parses the annotations contained in the ingress
|
||||
// rule used to add authentication in the paths defined in the rule
|
||||
// and generated an htpasswd compatible file to be used as source
|
||||
// during the authentication process
|
||||
func Parse(kubeClient client.Interface, ing *extensions.Ingress) (*Nginx, error) {
|
||||
func ParseAnnotations(kubeClient client.Interface, ing *extensions.Ingress, authDir string) (*Nginx, error) {
|
||||
if ing.GetAnnotations() == nil {
|
||||
return &Nginx{}, ErrMissingAnnotations{"missing authentication annotations"}
|
||||
}
|
||||
|
||||
at, err := ingAnnotations(ing.GetAnnotations()).authType()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return &Nginx{}, err
|
||||
}
|
||||
|
||||
s, err := ingAnnotations(ing.GetAnnotations()).secretName()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return &Nginx{}, err
|
||||
}
|
||||
|
||||
secret, err := kubeClient.Secrets(ing.Namespace).Get(s)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return &Nginx{}, err
|
||||
}
|
||||
|
||||
realm := ingAnnotations(ing.GetAnnotations()).realm()
|
||||
|
||||
passFile := fmt.Sprintf("%v/%v-%v.passwd", authDir, ing.GetNamespace(), ing.GetName())
|
||||
err = dumpSecret(passFile, at, secret)
|
||||
err = dumpSecret(passFile, secret)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return &Nginx{}, err
|
||||
}
|
||||
|
||||
n := &Nginx{
|
||||
Type: at,
|
||||
Secret: secret,
|
||||
Realm: realm,
|
||||
File: passFile,
|
||||
}
|
||||
|
||||
return n, nil
|
||||
return &Nginx{
|
||||
Type: at,
|
||||
Realm: realm,
|
||||
File: passFile,
|
||||
Secured: true,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// dumpSecret dumps the content of a secret into a file
|
||||
// in the expected format for the specified authorization
|
||||
func dumpSecret(filename, auth string, secret *api.Secret) error {
|
||||
buf := bytes.NewBuffer([]byte{})
|
||||
|
||||
for key, value := range secret.Data {
|
||||
fmt.Fprintf(buf, "%v:%s\n", key, value)
|
||||
func dumpSecret(filename string, secret *api.Secret) error {
|
||||
val, ok := secret.Data["auth"]
|
||||
if !ok {
|
||||
return ErrMissingAuthInSecret
|
||||
}
|
||||
|
||||
return ioutil.WriteFile(filename, buf.Bytes(), 600)
|
||||
// TODO: check permissions required
|
||||
err := ioutil.WriteFile(filename, val, 0777)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue