From 37e97603e1157d779a395cd32e300eb01e5ac691 Mon Sep 17 00:00:00 2001
From: Dusan Sekulic
Date: Mon, 25 Sep 2023 11:18:27 +0200
Subject: [PATCH] Basic auth (#8)
---
 Makefile | 10 +++--
 README.md | 9 ++++-
 controller/cmd/controllerd/main.go | 61 +++++++++++++++++++++++++-----
 script/docker-compose-box.yml | 2 +
 4 files changed, 67 insertions(+), 15 deletions(-)
diff --git a/Makefile b/Makefile
index 59ad5cd..9ec89ec 100644
--- a/Makefile
+++ b/Makefile
@@ -130,16 +130,18 @@ down:
 ## runall: run prem-gateway and prem-box
 runall:
- @chmod +x ./script/run_all.sh
- @export PREMD_IMAGE=$(PREMD_IMAGE); \
+ chmod +x ./script/run_all.sh
+ export PREMD_IMAGE=$(PREMD_IMAGE); \
  export PREMAPP_IMAGE=$(PREMAPP_IMAGE); \
+ export BASIC_AUTH_CREDENTIALS=$(BASIC_AUTH_CREDENTIALS); \
  ./script/run_all.sh
 ## stopall: stop prem-gateway and prem-box
 stopall:
- @chmod +x ./script/stop_all.sh
- @export PREMD_IMAGE=$(PREMD_IMAGE); \
+ chmod +x ./script/stop_all.sh
+ export PREMD_IMAGE=$(PREMD_IMAGE); \
  export PREMAPP_IMAGE=$(PREMAPP_IMAGE); \
+ export BASIC_AUTH_CREDENTIALS=$(BASIC_AUTH_CREDENTIALS); \
  ./script/stop_all.sh
 #### Go lint ####
diff --git a/README.md b/README.md
index 44a3694..54213ba 100644
--- a/README.md
+++ b/README.md
@@ -53,11 +53,16 @@ make up LETSENCRYPT_PROD=true SERVICES=premd,premapp
 #### Run prem-gateway with prem-app and prem-daemon:
 ```bash
-make runall PREMD_IMAGE={IMG} PREMAPP_IMAGE={IMG}
+make runall PREMD_IMAGE={IMG} PREMAPP_IMAGE={IMG} BASIC_AUTH_CREDENTIALS={CREDENTIALS}
 ```
 #### Stop prem-gateway, prem-app and prem-daemon:
 ```bash
-make stopall PREMD_IMAGE={IMG} PREMAPP_IMAGE={IMG}
+make stopall PREMD_IMAGE={IMG} PREMAPP_IMAGE={IMG} BASIC_AUTH_CREDENTIALS={CREDENTIALS}
+```
+
+#### To generate proper credentials for basic auth, use bellow command.
+```bash
+echo $(htpasswd -nB {USER}) | sed -e s/\\$/\\$\\$/g
 ```
diff --git a/controller/cmd/controllerd/main.go b/controller/cmd/controllerd/main.go
index 58cc89a..e451654 100644
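Review bot: Dropping the `@` prefix on the runall and stopall recipe lines makes make echo `export BASIC_AUTH_CREDENTIALS=$(BASIC_AUTH_CREDENTIALS); \` with the value already substituted, so the htpasswd credential string is printed to the terminal and captured by any CI log that runs these targets. Keeping the silencing on at least the export lines, e.g. `@export BASIC_AUTH_CREDENTIALS=$(BASIC_AUTH_CREDENTIALS); \`, avoids that without changing what the scripts receive. The value is also expanded unquoted, and bcrypt hashes from `htpasswd -nB` contain `$`; the README's `$$` escaping is presumably aimed at compose interpolation, so it is worth confirming that the hash still arrives intact in the container after make and the shell have both expanded it.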
--- a/controller/cmd/controllerd/main.go
+++ b/controller/cmd/controllerd/main.go
@@ -296,16 +296,25 @@ func restartServicesWithTls(domain string, services []string, premServices map[s
 for _, v := range services {
 switch v {
 case premappService:
+ basicAuthMiddlewareLabelKey, basicAuthMiddlewareLabelValue, basicAuthName, err := getPremServiceBasicAuthInfo(ctx, cli)
+ if err != nil {
+ return err
+ }
+
+ // TODO handle restart of prem-gateway with dns exists
+
 labels := map[string]string{
- "traefik.enable": "true",
- "traefik.http.routers.premapp-http.rule": fmt.Sprintf("PathPrefix(`/`) && Host(`%s`)", domain),
- "traefik.http.routers.premapp-http.entrypoints": "web",
- "traefik.http.routers.premapp-https.rule": fmt.Sprintf("PathPrefix(`/`) && Host(`%s`)", domain),
- "traefik.http.routers.premapp-https.entrypoints": "websecure",
- fmt.Sprintf("traefik.http.routers.%s-%s.tls.certresolver", v, "https"): "myresolver",
- "traefik.http.middlewares.http-to-https.redirectscheme.scheme": "https",
- "traefik.http.routers.premapp-http.middlewares": "http-to-https",
- "traefik.http.services.premapp.loadbalancer.server.port": "8080",
+ "traefik.enable": "true",
+ "traefik.http.routers.premapp-http.rule": fmt.Sprintf("PathPrefix(`/`) && Host(`%s`)", domain),
+ "traefik.http.routers.premapp-http.entrypoints": "web",
+ "traefik.http.routers.premapp-https.rule": fmt.Sprintf("PathPrefix(`/`) && Host(`%s`)", domain),
+ "traefik.http.routers.premapp-https.entrypoints": "websecure",
+ "traefik.http.routers.premapp-https.tls.certresolver": "myresolver",
+ "traefik.http.middlewares.http-to-https.redirectscheme.scheme": "https",
+ "traefik.http.routers.premapp-http.middlewares": fmt.Sprintf("http-to-https, %s", basicAuthName),
+ "traefik.http.routers.premapp-https.middlewares": basicAuthName,
+ "traefik.http.services.premapp.loadbalancer.server.port": "8080",
+ basicAuthMiddlewareLabelKey: basicAuthMiddlewareLabelValue,
 }
 if err := restartContainer(ctx, cli, v, labels, nil); err != nil {
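Review bot: The not-found result of `getPremServiceBasicAuthInfo` is never handled in the `case premappService:` branch: the function (second hunk of this file) returns three empty strings with a nil error when the running container carries no basicauth label, so the restart proceeds with `premapp-http.middlewares` set to `http-to-https, `, `premapp-https.middlewares` set to an empty string and an empty-keyed `"": ""` label, which most likely recreates the HTTPS router with no basic auth at all while the dangling middleware reference breaks the HTTP router. Treat the empty result as an error before building `labels`: `if basicAuthName == "" || basicAuthMiddlewareLabelKey == "" { return fmt.Errorf("no basicauth middleware label found on %s", premappService) }`. The `:=` on the new call also declares a fresh `err` scoped to the `case`, which is fine here but easy to confuse with the one from `restartContainer` just below. The enclosing `restartServicesWithTls` starts and ends outside this hunk.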
@@ -420,3 +429,37 @@ type PremService struct {
 SendTo string `json:"baseUrl"`
 } `json:"invokeMethod"`
 }
+
+func getPremServiceBasicAuthInfo(
+ ctx context.Context, cli *client.Client,
+) (string, string, string, error) {
+ var (
+ basicAuthMiddlewareLabelKey string
+ basicAuthMiddlewareLabelValue string
+ basicAuthName string
+ )
+
+ containerJson, err := cli.ContainerInspect(ctx, premappService)
+ if err != nil {
+ return "", "", "", fmt.Errorf("failed to inspect container %s: %v", premappService, err)
+ }
+
+ for k, v := range containerJson.Config.Labels {
+ if strings.Contains(k, "basicauth") {
+ basicAuthMiddlewareLabelKey = k
+ basicAuthMiddlewareLabelValue = v
+
+ parts := strings.Split(k, ".")
+ for i, part := range parts {
+ if part == "middlewares" && i+1 < len(parts) {
+ basicAuthName = parts[i+1]
+ break
+ }
+ }
+
+ return basicAuthMiddlewareLabelKey, basicAuthMiddlewareLabelValue, basicAuthName, nil
+ }
+ }
+
+ return "", "", "", nil
+}
diff --git a/script/docker-compose-box.yml b/script/docker-compose-box.yml
index b575532..94a40aa 100644
--- a/script/docker-compose-box.yml
+++ b/script/docker-compose-box.yml
@@ -32,6 +32,8 @@ services:
 - "traefik.http.routers.premapp-http.rule=PathPrefix(`/`)"
 - "traefik.http.routers.premapp-http.entrypoints=web"
 - "traefik.http.services.premapp.loadbalancer.server.port=8080"
+ - "traefik.http.middlewares.mybasicauth.basicauth.users=${BASIC_AUTH_CREDENTIALS}"
+ - "traefik.http.routers.premapp-http.middlewares=mybasicauth"
 ports:
 - "8085:8080"
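Review bot: The lookup in `getPremServiceBasicAuthInfo` matches on `strings.Contains(k, "basicauth")` while ranging over a map, so it returns whichever matching label Go's randomized iteration yields first and copies only that one label to the restarted container. With the compose file in this patch only `...mybasicauth.basicauth.users` exists, so it works today, but as soon as a second basicauth option label is present (a `realm`, say) the `users` label can be dropped on restart and the middleware will presumably fail to build. Matching the option the middleware actually needs, `if strings.HasSuffix(k, ".basicauth.users") {`, makes the result deterministic; carrying every `.basicauth.` label over would need the function to return a map instead. The error return would also read better as `fmt.Errorf("inspecting container %s: %w", premappService, err)` so callers can unwrap it, and `containerJson` should be `containerJSON` by Go initialism convention.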
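Review bot: The new `mybasicauth` middleware only guards requests that enter through Traefik's `web` entrypoint, while the unchanged `ports: - "8085:8080"` two lines below publishes the premapp container directly on the host, so anything that can reach port 8085 talks to the app with no authentication. If the direct publish is only needed locally, binding it to loopback, `- "127.0.0.1:8085:8080"`, or removing it leaves the middleware as the only path in. The router here is also HTTP-only (`entrypoints=web`), so the credentials cross the wire in clear text unless the TLS router that main.go adds on restart is in place; if that is acceptable for the box setup, a comment on the label saying so would save the next reader the question.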