allow list for authentication

[bedis]

Current auth feature is configured in the frontend section of HAProxy. This is fine for most cases. That said, some people may want to allow unauthenticated browsing for some conditions (mainly source IP range for example), and doing this per ingress rule.

This could be achieved by a config-snippet in the backend, coupled to a global config snippet in the configmap:

• configmap:

  controller:
  config:
  global-config-snippet: |
    userlist default-mylist
      group authenticated-users users foo
      user foo password ******* groups authenticated-users

• ingress rule config snippet:

  haproxy.org/backend-config-snippet: |
    acl auth_ok http_auth_group(default-mylist) authenticated-users
    acl my_subnets src 10.0.0.0/8
    http-request auth unless auth_ok || my_subnets

that said, the configmap part is usually not accessible to developper when they deploy their ingress rules.

To summarize, I need 2 things:

• a way to set userlist per ingress rule
• a way to set a bypass condition for the authentication rule

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[Mo3m3n]

To summarize, I need 2 things:

a way to set userlist per ingress rule a way to set a bypass condition for the authentication rule

The basic-auth annotations are available per ingress, so this should answer the first requirement.

I have added the "enhancement" label to add to the roadmap an annotation which value can be used as a haproxy acl to bypass authentication.