kubernetes-ingress
allow list for authentication
The current auth feature is configured in the frontend section of HAProxy. This is fine for most cases. That said, some people may want to allow unauthenticated browsing under some conditions (mainly a source IP range, for example), and to do this per ingress rule.
This could be achieved by a config-snippet in the backend, coupled to a global config snippet in the configmap:
- configmap:

```yaml
controller:
  config:
    global-config-snippet: |
      userlist default-mylist
        group authenticated-users users foo
        user foo password ******* groups authenticated-users
```

- ingress rule config snippet:

```yaml
haproxy.org/backend-config-snippet: |
  acl auth_ok http_auth_group(default-mylist) authenticated-users
  acl my_subnets src 10.0.0.0/8
  http-request auth unless auth_ok || my_subnets
```
That said, the configmap part is usually not accessible to developers when they deploy their ingress rules.
To summarize, I need 2 things:
- a way to set userlist per ingress rule
- a way to set a bypass condition for the authentication rule
> To summarize, I need 2 things:
> - a way to set userlist per ingress rule
> - a way to set a bypass condition for the authentication rule
The basic-auth annotations are available per ingress, so this should answer the first requirement.
I have added the "enhancement" label to add to the roadmap an annotation whose value can be used as a haproxy acl to bypass authentication.
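As an added example (not code from the issue or from the kubernetes-ingress project), the following Python model parses the backend snippet posted above and shows which requests HAProxy would challenge. The function names and the sample addresses are assumptions made for this illustration. Note that `src` is the peer address HAProxy sees on the connection: if a proxy or load balancer inside 10.0.0.0/8 sits in front of the controller and does not pass the client address on (for example through the PROXY protocol), every request matches `my_subnets` and skips authentication.

```python
import ipaddress
import re

# Backend snippet exactly as posted in the issue.
BACKEND_SNIPPET = """\
acl auth_ok http_auth_group(default-mylist) authenticated-users
acl my_subnets src 10.0.0.0/8
http-request auth unless auth_ok || my_subnets
"""

def parse_snippet(text):
    """Return (acls, bypass_names) for the two ACL kinds used in the issue."""
    acls, bypass = {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "acl":
            name, fetch, values = tok[1], tok[2], tok[3:]
            m = re.fullmatch(r"http_auth_group\((.+)\)", fetch)
            if m:
                acls[name] = ("group", m.group(1), set(values))
            elif fetch == "src":
                acls[name] = ("src", [ipaddress.ip_network(v) for v in values])
            else:
                raise ValueError(f"unsupported fetch: {fetch}")
        elif tok[:3] == ["http-request", "auth", "unless"]:
            bypass = [t for t in tok[3:] if t != "||"]
    return acls, bypass

def acl_matches(acl, src, userlist, groups):
    if acl[0] == "src":
        return any(ipaddress.ip_address(src) in net for net in acl[1])
    # http_auth_group: valid credentials in that userlist and a matching group
    return userlist == acl[1] and bool(groups & acl[2])

def challenge_required(text, src, userlist=None, groups=frozenset()):
    """True when the modelled rule would answer with an auth challenge."""
    acls, bypass = parse_snippet(text)
    if bypass is None:  # no "http-request auth" rule in the snippet
        return False
    return not any(acl_matches(acls[n], src, userlist, set(groups)) for n in bypass)

if __name__ == "__main__":
    # Constructed sample requests: (peer address seen by HAProxy, userlist, groups)
    samples = [("203.0.113.7", None, set()),
               ("203.0.113.7", "default-mylist", {"authenticated-users"}),
               ("10.0.5.9", None, set())]  # e.g. an internal load balancer's address
    for src, ul, grp in samples:
        print(src, ul, challenge_required(BACKEND_SNIPPET, src, ul, grp))
```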