Misconfigured auth secret defaults to no authentication #71

Closed
abh opened this issue Nov 13, 2017 · 6 comments

@abh
Contributor

abh commented Nov 13, 2017

I had my auth secret misconfigured from following the instructions on https://github.com/jcmoraisjr/haproxy-ingress/tree/master/examples/auth/basic but not realizing the file name is essential.

I got the following log message which made me realize the error:

 error reading BasicDigestAuth annotation in Ingress logging/es: the secret kibana-auth does not contain a key with value auth

However -- it was unexpected that in this misconfigured state the ingress was left without authentication. I think it'd be better to default to requiring authentication and rejecting all passwords.

@jcmoraisjr
Owner

I don't have a strong opinion about this yet but I'm tending to choose the "need to test or check logs" way. This is how other services work: they will crash if possible, or they will log the misconfiguration setting if a crash doesn't seem suitable.

@abh
Contributor Author

abh commented Nov 14, 2017

Yes, of course one should test and check logs etc. ... however, while you are testing and checking logs, it'd be better if the ingress defaults to the "more secure" option if the user shows "I want to have authentication" intent, it shouldn't fail through to "nah, no authentication".

Over the weekend we had an outage in our cluster where most things kept running, but pods reading secrets couldn't reliably do so. I didn't have authentication configured on the haproxy ingress then, so I don't know what the controller would have done, but again defaulting to "more safe" seems saner.

@jcmoraisjr
Owner

Hi, since 56119eb a clear userlist on HAProxy config will be created if auth-type is basic and any other option is misconfigured. HAProxy will always refuse connection if a clear userlist is used.

The idea on how to implement this took a very long time and changed a lot of code; because of that, it cannot be included in 0.5.
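The fail-closed behaviour described in the comment above, as an added example that is not part of the thread and is not haproxy-ingress code. It reads "clear userlist" as a userlist with no users (an assumption); `renderBasicAuth`, the backend name `app`, the realm and the `user:hash` Secret layout are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// renderBasicAuth is a hypothetical helper, not haproxy-ingress code. It is
// called only when an Ingress asked for basic auth, and it always returns a
// userlist plus the rule enforcing it, so a broken Secret fails closed.
// Assumed Secret layout: key "auth" holding "user:hash" lines.
func renderBasicAuth(listName string, secret map[string][]byte) (cfg string, users int, warns []string) {
	var b strings.Builder
	fmt.Fprintf(&b, "userlist %s\n", listName)
	raw, ok := secret["auth"]
	if !ok {
		warns = append(warns, "secret does not contain a key with value auth")
	}
	for n, line := range strings.Split(string(raw), "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" || strings.ContainsAny(line, " \t") {
			warns = append(warns, fmt.Sprintf("line %d: skipped malformed entry", n+1))
			continue
		}
		fmt.Fprintf(&b, "    user %s password %s\n", parts[0], parts[1])
		users++
	}
	// Emitted even when users == 0: http_auth() can never match an empty
	// userlist, so every request is answered with 401 instead of passing.
	// Config fragment only; the backend's server lines are omitted.
	fmt.Fprintf(&b, "backend app\n    http-request auth realm restricted unless { http_auth(%s) }\n", listName)
	return b.String(), users, warns
}

func main() {
	// Constructed inputs: one Secret with the wrong key name, one correct.
	wrongKey := map[string][]byte{"htpasswd": []byte("admin:$6$constructed$hash\n")}
	good := map[string][]byte{"auth": []byte("admin:$6$constructed$hash\n")}
	for _, s := range []map[string][]byte{wrongKey, good} {
		cfg, users, warns := renderBasicAuth("logging_es", s)
		fmt.Printf("users=%d warnings=%v\n%s\n", users, warns, cfg)
	}
}
```

The warning is still logged for the operator, but the enforcement rule no longer depends on the Secret being readable or well formed.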

@jcmoraisjr jcmoraisjr modified the milestones: v0.5, v0.6 Dec 24, 2017
@abh
Contributor Author

abh commented Feb 21, 2018

@jcmoraisjr thank you for doing this!

@jcmoraisjr
Owner

You're welcome. Btw sorry about the delay on this and also v0.5 release and v0.6 snapshots, I'll finally have the time to take care of this in the next week.

@jcmoraisjr
Owner

Current snapshot of v0.6 has this fix. Closing. Feel free to update this issue if you have any problem.
