tripleo

Allow to add Basic Authentication on HAProxy endpoint

Bug #1736132 reported by Cédric Jeanneret deactivated
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
Wishlist
Cédric Jeanneret deactivated
tripleo queens-3

Bug Description

Dear Stackers,

In order to use haproxy as TLS endpoint and proxy for some metrics service we use (prometheus), we'd like to be able to get a Basic Authentication on some frontend (tripleo::haproxy::endpoint).

In order to do so, the following thing must be done:
- add support for the "userlist" directive, with the following syntax:
userlist prometheus
        group prometheus
        user prometheus insecure-password FooClearPasswordBar groups prometheus

- add support for a new directive in the "frontend" block for the wanted "endpoint":
acl valid_user http_auth(prometheus)

So, I guess something like this might be done:
- wrapper tripleo::haproxy::userlist in order to set the first requirement
- modify the tripleo::haproxy::endpoint in order to allow to get a new parameter, "valid_user", as a list

I think I can do that on my own, I just want to ensure the proposal is valid for you.

Cheers,

C.

Alex Schultz (alex-schultz)
Changed in tripleo:
milestone: none → queens-3
importance: Undecided → Wishlist
status: New → Triaged
Revision history for this message
Juan Antonio Osorio Robles (juan-osorio-robles) wrote :

This sounds reasonable to me.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)

Fix proposed to branch: master
Review: https://review.openstack.org/525492

Changed in tripleo:
assignee: nobody → Cédric Jeanneret (cjeanneret-c2c)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/525492
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=9d438cd1426ba8de92d5bb04402b7cbbc450cb7a
Submitter: Zuul
Branch: master

commit 9d438cd1426ba8de92d5bb04402b7cbbc450cb7a
Author: Cédric Jeanneret <email address hidden>
Date: Tue Dec 5 08:57:50 2017 +0100

    Add Basic Authentication support for HAProxy

    In order to get a proper support for authenticated endpoints, this patch
    creates a new definition (tripleo::haproxy::userlist) and exploit it in
    the dynamic endpoint (tripleo::haproxy::service_endpoints) as well as
    standard tripleo::haproxy::endpoint.

    It also detected a small issue with the "underscorization" of the
    service name, the missing 'G' flag for regsubst, that preventend all
    dashes to be replaced by underscores.

    Change-Id: Ie7471155d1ef3f6adc177a468b81ac410bbfb9c0
    Closes-Bug: 1736132

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-tripleo 8.2.0

This issue was fixed in the openstack/puppet-tripleo 8.2.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.