Open vdice opened 2 years ago
Hippo auth (default admin-mode) added in https://github.com/fermyon/nomad-aws-demo/pull/8
We'll need a follow-up to add Bindle auth once Hippo supports it (or, we can see if bindle basic auth at the server level -- as opposed to the Traefik/reverse proxy level -- is suitable, as it does currently support anonymous GETs)
Quick update here that Hippo does support basic bindle auth via the connection string. We don't pass those values into the nomad job when we spawn an app, but we could.
https://github.com/deislabs/bindle-dotnet/blob/main/tests/Bindle.UnitTests/ConnectionInfoTests.cs
Thanks @bacongobbler; I think we'll want to add that (configure basic auth on bindle -- via bindle itself or via traefik middleware, and pass values through so hippo can talk to bindle). Once added, we can close this one out.
@bacongobbler I started work to add bindle basic auth on a branch. One detail I want to double-check that I have right: the connection string to bindle for Hippo. Does something like the following look right?
ConnectionStrings__Bindle = "server=${var.bindle_url};username=${var.bindle_auth_username};password=${var.bindle_auth_password}"
Looks correct to me!
source: https://github.com/deislabs/bindle-dotnet/blob/main/src/Bindle/ConnectionInfo.cs
As of https://github.com/fermyon/nomad-aws-demo/pull/1 the quick start example launches an EC2 instance to host Nomad and the Fermyon Platform and then runs Traefik to route traffic for the Bindle server and Hippo (in addition to any deployed Spin apps...)
Currently, both the Bindle server and Hippo have TLS courtesy of Let's Encrypt, via their public CA. So, the URLs are out there for any amount of public access.
We'd like to restrict access to these Fermyon Platform services as much as possible.
A few (not necessarily mutually-exclusive) approaches we can look into:

- Adding Basic Auth middleware at the Traefik level, to be applied to either/both Bindle and Hippo. This would require any/all traffic to these services to present the auth token on requests.
- Adding account creation to Hippo into the Terraform automation such that a username and password is provided as Terraform outputs after `terraform apply`. The idea is Hippo would be running in 'master account-only' mode, meaning the generated account is the only valid/possible account in the system. This would require support in Hippo (see https://github.com/deislabs/hippo/issues/546)
- Other?
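Two pieces of the thread lend themselves to a worked example: the `server=...;username=...;password=...` connection string Hippo is handed for Bindle, and the Traefik Basic Auth middleware proposed for the Bindle and Hippo routes. The block below is an added example, not code from nomad-aws-demo, bindle-dotnet, Hippo or Traefik. It assumes the connection string is a semicolon-separated list of case-insensitive `key=value` pairs with `server` mandatory (the shape shown in the thread, not the exact parsing rules of bindle-dotnet's `ConnectionInfo`), and it assumes the Traefik v2 Consul-catalog tag syntax for a `basicauth` middleware named `<service>-auth` attached to a router named `<service>`. The htpasswd line and hostnames are constructed placeholders; the bcrypt entry is only format-correct, not a real hash.

```python
"""Helpers for the Bindle connection string and a Traefik basicAuth middleware.
Added example; assumptions are noted inline."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BindleConnection:
    server: str
    username: Optional[str] = None
    password: Optional[str] = None

    @property
    def authenticated(self) -> bool:
        # Anonymous access (GET-only on the Bindle server) if no credentials are set.
        return bool(self.username and self.password)


def parse_bindle_connection_string(conn: str) -> BindleConnection:
    """Parse 'server=...;username=...;password=...' into its parts.

    Assumption: semicolon-separated key=value pairs, keys case-insensitive,
    'server' required, credentials only accepted as a username/password pair.
    """
    fields = {}
    for part in conn.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed segment (expected key=value): {part!r}")
        key, value = part.split("=", 1)  # split once: passwords may contain '='
        key = key.strip().lower()
        if key in fields:
            raise ValueError(f"duplicate key: {key}")
        fields[key] = value.strip()
    unknown = set(fields) - {"server", "username", "password"}
    if unknown:
        raise ValueError(f"unknown keys: {sorted(unknown)}")
    if not fields.get("server"):
        raise ValueError("server is required")
    if ("username" in fields) != ("password" in fields):
        raise ValueError("username and password must be given together")
    return BindleConnection(fields["server"], fields.get("username"), fields.get("password"))


def redact_connection_string(conn: str) -> str:
    """Mask the password so the string can be echoed in Terraform/Nomad output or logs."""
    return re.sub(r"(?i)(password=)[^;]*", r"\1***", conn)


# Accept the htpasswd hash formats Traefik's basicAuth middleware reads:
# bcrypt ($2a/$2b/$2y), Apache MD5 ($apr1$) or {SHA}. Plaintext lines are rejected.
HTPASSWD_RE = re.compile(
    r"^[^:\s]+:(\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}|\$apr1\$[^:\s]+|\{SHA\}[A-Za-z0-9+/=]+)$"
)


def traefik_basicauth_tags(service: str, htpasswd_lines: List[str]) -> List[str]:
    """Build Consul-catalog tags (assumed Traefik v2 syntax) that protect a Nomad
    service's router with a basicAuth middleware named '<service>-auth'."""
    for line in htpasswd_lines:
        if not HTPASSWD_RE.match(line):
            user = line.split(":", 1)[0]
            raise ValueError(f"not a bcrypt/apr1/sha1 htpasswd entry for user {user!r}")
    middleware = f"{service}-auth"
    return [
        f"traefik.http.middlewares.{middleware}.basicauth.users={','.join(htpasswd_lines)}",
        f"traefik.http.routers.{service}.middlewares={middleware}",
    ]


# Constructed placeholders: the bcrypt body is a format-valid dummy, not a real hash.
SAMPLE_HTPASSWD = "admin:$2y$05$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_CONN = "server=https://bindle.example.com/v1;username=admin;password=hunter2"

if __name__ == "__main__":
    print(parse_bindle_connection_string(SAMPLE_CONN))
    print(redact_connection_string(SAMPLE_CONN))
    for tag in traefik_basicauth_tags("bindle", [SAMPLE_HTPASSWD]):
        print(tag)
```

The format check on the htpasswd entry is the part worth keeping: a plaintext `user:password` line silently becomes an unusable or weak credential in Traefik, and generating the entry with `htpasswd -B` (bcrypt) keeps the stored hash strong. The redaction helper exists because the connection string is exactly the kind of value that ends up in `terraform apply` output and Nomad job logs.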