Support HTTP BasicAuth for docker and swarm endpoint

July 2024-08-01 20:26:04 +08:00 committed by GitHub
parent e8324132f9
commit bd93e224de
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 228 additions and 0 deletions


@ -134,6 +134,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
- Accounting at container level, by exposing the socket on a another container than Traefik's. - Accounting at container level, by exposing the socket on a another container than Traefik's.
- Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process). - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
- SSH public key authentication (SSH is supported with Docker > 18.09) - SSH public key authentication (SSH is supported with Docker > 18.09)
- Authentication using HTTP Basic authentication through an HTTP proxy that exposes the Docker daemon socket.
??? info "More Resources and Examples" ??? info "More Resources and Examples"
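Review bot: the new bullet "Authentication using HTTP Basic authentication through an HTTP proxy" repeats itself and, unlike the SSH bullet above it, says nothing about what protects the credentials in transit; Basic credentials are only Base64-encoded, so suggest wording such as "HTTP Basic authentication, through an HTTP proxy (reached over TLS) that exposes the Docker daemon socket".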
@ -216,6 +217,50 @@ See the [Docker API Access](#docker-api-access) section for more information.
# ... # ...
``` ```
??? example "Using HTTP"
Using Docker Engine API you can connect Traefik to remote daemon using HTTP.
```yaml tab="File (YAML)"
providers:
docker:
endpoint: "http://127.0.0.1:2375"
# ...
```
```toml tab="File (TOML)"
[providers.docker]
endpoint = "http://127.0.0.1:2375"
# ...
```
```bash tab="CLI"
--providers.docker.endpoint=http://127.0.0.1:2375
# ...
```
??? example "Using TCP"
Using Docker Engine API you can connect Traefik to remote daemon using TCP.
```yaml tab="File (YAML)"
providers:
docker:
endpoint: "tcp://127.0.0.1:2375"
# ...
```
```toml tab="File (TOML)"
[providers.docker]
endpoint = "tcp://127.0.0.1:2375"
# ...
```
```bash tab="CLI"
--providers.docker.endpoint=tcp://127.0.0.1:2375
# ...
```
```yaml tab="File (YAML)" ```yaml tab="File (YAML)"
providers: providers:
docker: docker:
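Review bot: the "Using HTTP" and "Using TCP" examples are identical apart from the scheme and neither shows the feature this commit adds; since the HTTP case is the one where a proxy with Basic authentication applies, suggest the "Using HTTP" example include `username` and `password` next to `endpoint`, and note that with a plain `http://` endpoint the Base64-encoded credentials travel in clear text unless the proxy is reached over TLS. Also "connect Traefik to remote daemon" should read "connect Traefik to a remote daemon", and `127.0.0.1` is not a remote address.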
@ -231,6 +276,56 @@ providers:
--providers.docker.endpoint=unix:///var/run/docker.sock --providers.docker.endpoint=unix:///var/run/docker.sock
``` ```
### `username`
_Optional, Default=""_
Defines the username for Basic HTTP authentication.
This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
```yaml tab="File (YAML)"
providers:
docker:
username: foo
# ...
```
```toml tab="File (TOML)"
[providers.docker]
username = "foo"
# ...
```
```bash tab="CLI"
--providers.docker.username="foo"
# ...
```
### `password`
_Optional, Default=""_
Defines the password for Basic HTTP authentication.
This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
```yaml tab="File (YAML)"
providers:
docker:
password: foo
# ...
```
```toml tab="File (TOML)"
[providers.docker]
password = "foo"
# ...
```
```bash tab="CLI"
--providers.docker.password="foo"
# ...
```
### `useBindPortIP` ### `useBindPortIP`
_Optional, Default=false_ _Optional, Default=false_
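Review bot: `username` and `password` are documented as independently optional, but the Go change in this commit only adds the `Authorization` header when both are non-empty, so setting one without the other silently sends no credentials; state that the two options must be set together. The `password: foo` examples also place a secret in a configuration file; suggest pointing at the `TRAEFIK_PROVIDERS_DOCKER_PASSWORD` environment variable this commit adds to the reference, so the secret can be injected at runtime rather than committed alongside the rest of the configuration.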


@ -151,6 +151,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
It allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes. It allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
- Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process). - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
- SSH public key authentication (SSH is supported with Docker > 18.09) - SSH public key authentication (SSH is supported with Docker > 18.09)
- Authentication using HTTP Basic authentication through an HTTP proxy that exposes the Docker daemon socket.
??? info "More Resources and Examples" ??? info "More Resources and Examples"
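Review bot: as in the Docker provider page, "Authentication using HTTP Basic authentication" repeats itself and should say that the proxy exposing the socket is expected to be reached over TLS, since Basic credentials are only Base64-encoded; suggest "HTTP Basic authentication, through an HTTP proxy (reached over TLS) that exposes the Docker daemon socket".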
@ -262,6 +263,50 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati
# ... # ...
``` ```
??? example "Using HTTP"
Using Docker Engine API you can connect Traefik to remote daemon using HTTP.
```yaml tab="File (YAML)"
providers:
swarm:
endpoint: "http://127.0.0.1:2375"
# ...
```
```toml tab="File (TOML)"
[providers.swarm]
swarm = "http://127.0.0.1:2375"
# ...
```
```bash tab="CLI"
--providers.swarm.endpoint=http://127.0.0.1:2375
# ...
```
??? example "Using TCP"
Using Docker Engine API you can connect Traefik to remote daemon using TCP.
```yaml tab="File (YAML)"
providers:
swarm:
endpoint: "tcp://127.0.0.1:2375"
# ...
```
```toml tab="File (TOML)"
[providers.swarm]
swarm = "tcp://127.0.0.1:2375"
# ...
```
```bash tab="CLI"
--providers.swarm.endpoint=tcp://127.0.0.1:2375
# ...
```
```yaml tab="File (YAML)" ```yaml tab="File (YAML)"
providers: providers:
swarm: swarm:
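Review bot: the two TOML tabs set `swarm = "http://127.0.0.1:2375"` and `swarm = "tcp://127.0.0.1:2375"` under `[providers.swarm]`, which is not a valid option and will not configure the endpoint; the key must be `endpoint`, matching the YAML and CLI tabs, i.e. `endpoint = "http://127.0.0.1:2375"`. As with the Docker provider examples, neither snippet shows `username`/`password`, so the "Using HTTP" example does not demonstrate what this commit adds, and "connect Traefik to remote daemon" should read "connect Traefik to a remote daemon".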
@ -277,6 +322,56 @@ providers:
--providers.swarm.endpoint=unix:///var/run/docker.sock --providers.swarm.endpoint=unix:///var/run/docker.sock
``` ```
### `username`
_Optional, Default=""_
Defines the username for Basic HTTP authentication.
This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
```yaml tab="File (YAML)"
providers:
swarm:
username: foo
# ...
```
```toml tab="File (TOML)"
[providers.swarm]
username = "foo"
# ...
```
```bash tab="CLI"
--providers.swarm.username="foo"
# ...
```
### `password`
_Optional, Default=""_
Defines the password for Basic HTTP authentication.
This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
```yaml tab="File (YAML)"
providers:
swarm:
password: foo
# ...
```
```toml tab="File (TOML)"
[providers.swarm]
password = "foo"
# ...
```
```bash tab="CLI"
--providers.swarm.password="foo"
# ...
```
### `useBindPortIP` ### `useBindPortIP`
_Optional, Default=false_ _Optional, Default=false_
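Review bot: same gap as in the Docker provider page: `username` and `password` are each marked optional, but `createClient` only sends the `Authorization` header when both are non-empty, so the text should say they must be set together. Suggest the `password` section also mention `TRAEFIK_PROVIDERS_SWARM_PASSWORD` (added to the environment-variable reference in this commit) as the way to supply the secret without writing it into the configuration file.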


@ -591,6 +591,9 @@ Client timeout for HTTP connections. (Default: ```0```)
`--providers.docker.network`: `--providers.docker.network`:
Default Docker network used. Default Docker network used.
`--providers.docker.password`:
Password for Basic HTTP authentication.
`--providers.docker.tls.ca`: `--providers.docker.tls.ca`:
TLS CA TLS CA
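Review bot: a value passed as `--providers.docker.password` on the command line is visible to every local user through the process list; since this commit also adds `TRAEFIK_PROVIDERS_DOCKER_PASSWORD`, the generated description (which comes from the struct tag in the Go change) could steer users to the environment variable, e.g. "Password for Basic HTTP authentication (prefer the environment variable to the CLI flag)."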
@ -606,6 +609,9 @@ TLS key
`--providers.docker.usebindportip`: `--providers.docker.usebindportip`:
Use the ip address from the bound port, rather than from the inner network. (Default: ```false```) Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
`--providers.docker.username`:
Username for Basic HTTP authentication.
`--providers.docker.watch`: `--providers.docker.watch`:
Watch Docker events. (Default: ```true```) Watch Docker events. (Default: ```true```)
@ -969,6 +975,9 @@ Client timeout for HTTP connections. (Default: ```0```)
`--providers.swarm.network`: `--providers.swarm.network`:
Default Docker network used. Default Docker network used.
`--providers.swarm.password`:
Password for Basic HTTP authentication.
`--providers.swarm.refreshseconds`: `--providers.swarm.refreshseconds`:
Polling interval for swarm mode. (Default: ```15```) Polling interval for swarm mode. (Default: ```15```)
@ -987,6 +996,9 @@ TLS key
`--providers.swarm.usebindportip`: `--providers.swarm.usebindportip`:
Use the ip address from the bound port, rather than from the inner network. (Default: ```false```) Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
`--providers.swarm.username`:
Username for Basic HTTP authentication.
`--providers.swarm.watch`: `--providers.swarm.watch`:
Watch Docker events. (Default: ```true```) Watch Docker events. (Default: ```true```)


@ -591,6 +591,9 @@ Client timeout for HTTP connections. (Default: ```0```)
`TRAEFIK_PROVIDERS_DOCKER_NETWORK`: `TRAEFIK_PROVIDERS_DOCKER_NETWORK`:
Default Docker network used. Default Docker network used.
`TRAEFIK_PROVIDERS_DOCKER_PASSWORD`:
Password for Basic HTTP authentication.
`TRAEFIK_PROVIDERS_DOCKER_TLS_CA`: `TRAEFIK_PROVIDERS_DOCKER_TLS_CA`:
TLS CA TLS CA
@ -606,6 +609,9 @@ TLS key
`TRAEFIK_PROVIDERS_DOCKER_USEBINDPORTIP`: `TRAEFIK_PROVIDERS_DOCKER_USEBINDPORTIP`:
Use the ip address from the bound port, rather than from the inner network. (Default: ```false```) Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
`TRAEFIK_PROVIDERS_DOCKER_USERNAME`:
Username for Basic HTTP authentication.
`TRAEFIK_PROVIDERS_DOCKER_WATCH`: `TRAEFIK_PROVIDERS_DOCKER_WATCH`:
Watch Docker events. (Default: ```true```) Watch Docker events. (Default: ```true```)
@ -969,6 +975,9 @@ Client timeout for HTTP connections. (Default: ```0```)
`TRAEFIK_PROVIDERS_SWARM_NETWORK`: `TRAEFIK_PROVIDERS_SWARM_NETWORK`:
Default Docker network used. Default Docker network used.
`TRAEFIK_PROVIDERS_SWARM_PASSWORD`:
Password for Basic HTTP authentication.
`TRAEFIK_PROVIDERS_SWARM_REFRESHSECONDS`: `TRAEFIK_PROVIDERS_SWARM_REFRESHSECONDS`:
Polling interval for swarm mode. (Default: ```15```) Polling interval for swarm mode. (Default: ```15```)
@ -987,6 +996,9 @@ TLS key
`TRAEFIK_PROVIDERS_SWARM_USEBINDPORTIP`: `TRAEFIK_PROVIDERS_SWARM_USEBINDPORTIP`:
Use the ip address from the bound port, rather than from the inner network. (Default: ```false```) Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
`TRAEFIK_PROVIDERS_SWARM_USERNAME`:
Username for Basic HTTP authentication.
`TRAEFIK_PROVIDERS_SWARM_WATCH`: `TRAEFIK_PROVIDERS_SWARM_WATCH`:
Watch Docker events. (Default: ```true```) Watch Docker events. (Default: ```true```)


@ -85,6 +85,8 @@
useBindPortIP = true useBindPortIP = true
watch = true watch = true
defaultRule = "foobar" defaultRule = "foobar"
username = "foobar"
password = "foobar"
endpoint = "foobar" endpoint = "foobar"
httpClientTimeout = "42s" httpClientTimeout = "42s"
[providers.docker.tls] [providers.docker.tls]
@ -100,6 +102,8 @@
useBindPortIP = true useBindPortIP = true
watch = true watch = true
defaultRule = "foobar" defaultRule = "foobar"
username = "foobar"
password = "foobar"
endpoint = "foobar" endpoint = "foobar"
httpClientTimeout = "42s" httpClientTimeout = "42s"
refreshSeconds = "42s" refreshSeconds = "42s"


@ -96,6 +96,8 @@ providers:
useBindPortIP: true useBindPortIP: true
watch: true watch: true
defaultRule: foobar defaultRule: foobar
username: foobar
password: foobar
endpoint: foobar endpoint: foobar
tls: tls:
ca: foobar ca: foobar
@ -111,6 +113,8 @@ providers:
useBindPortIP: true useBindPortIP: true
watch: true watch: true
defaultRule: foobar defaultRule: foobar
username: foobar
password: foobar
endpoint: foobar endpoint: foobar
tls: tls:
ca: foobar ca: foobar


@ -2,6 +2,7 @@ package docker
import ( import (
"context" "context"
"encoding/base64"
"fmt" "fmt"
"net/http" "net/http"
"text/template" "text/template"
@ -101,6 +102,8 @@ func parseContainer(container dockertypes.ContainerJSON) dockerData {
type ClientConfig struct { type ClientConfig struct {
apiVersion string apiVersion string
Username string `description:"Username for Basic HTTP authentication." json:"username,omitempty" toml:"username,omitempty" yaml:"username,omitempty"`
Password string `description:"Password for Basic HTTP authentication." json:"password,omitempty" toml:"password,omitempty" yaml:"password,omitempty"`
Endpoint string `description:"Docker server endpoint. Can be a TCP or a Unix socket endpoint." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"` Endpoint string `description:"Docker server endpoint. Can be a TCP or a Unix socket endpoint." json:"endpoint,omitempty" toml:"endpoint,omitempty" yaml:"endpoint,omitempty"`
TLS *types.ClientTLS `description:"Enable Docker TLS support." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"` TLS *types.ClientTLS `description:"Enable Docker TLS support." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"`
HTTPClientTimeout ptypes.Duration `description:"Client timeout for HTTP connections." json:"httpClientTimeout,omitempty" toml:"httpClientTimeout,omitempty" yaml:"httpClientTimeout,omitempty" export:"true"` HTTPClientTimeout ptypes.Duration `description:"Client timeout for HTTP connections." json:"httpClientTimeout,omitempty" toml:"httpClientTimeout,omitempty" yaml:"httpClientTimeout,omitempty" export:"true"`
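Review bot: `Password` carries exactly the same tag set as the non-secret `Username` and `Endpoint` fields; if the configuration dump or redaction logic in this code base relies on a struct tag to mask secrets, `Password` needs it so the value does not show up in logged or exported configuration. The two `description` strings should also state that the fields only take effect together, which is the condition `createClient` enforces in the next hunk.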
@ -115,6 +118,9 @@ func createClient(ctx context.Context, cfg ClientConfig) (*client.Client, error)
httpHeaders := map[string]string{ httpHeaders := map[string]string{
"User-Agent": "Traefik " + version.Version, "User-Agent": "Traefik " + version.Version,
} }
if cfg.Username != "" && cfg.Password != "" {
httpHeaders["Authorization"] = "Basic " + base64.StdEncoding.EncodeToString([]byte(cfg.Username+":"+cfg.Password))
}
opts = append(opts, opts = append(opts,
client.WithHTTPHeaders(httpHeaders), client.WithHTTPHeaders(httpHeaders),
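Review bot: the `Authorization` header is only added when both `cfg.Username` and `cfg.Password` are non-empty, so a configuration that sets just one of them is silently ignored, the kind of misconfiguration that leaves an operator believing the proxy is authenticated when no credentials are sent. Since `createClient` already returns an error, suggest rejecting it explicitly, e.g. `if (cfg.Username == "") != (cfg.Password == "") { return nil, errors.New("docker provider: username and password must both be set") }` (needs the `errors` import). Consider also logging a warning when credentials are configured and `cfg.Endpoint` uses the `http://` scheme, since the header then crosses the network Base64-encoded in clear text.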