vmware-archive / kubeless

Kubernetes Native Serverless Framework
https://kubeless.io
Apache License 2.0

Securing functions with ingress + basic-auth #635

Closed murali-reddy closed 6 years ago

murali-reddy commented 6 years ago

Is this a BUG REPORT or FEATURE REQUEST?:

Feature request.

Description:

Kubeless provides HTTP triggers through which a function can be invoked over HTTP. Kubeless also automates TLS and routing to functions through the use of Kubernetes ingress resources. However, beyond routing, if one wants basic authentication to invoke functions we need additional configuration of the Kubernetes ingress provider. For example, to use htpasswd as the basic auth provider you need to go through the additional steps described here.

murali-reddy commented 6 years ago

All the popular Kubernetes ingress controllers support basic auth.

With Nginx ingress controller: https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/auth/basic/README.md

With Voyager: https://github.com/appscode/voyager/blob/master/docs/guides/ingress/security/basic-auth.md

With traefik: https://docs.traefik.io/user-guide/kubernetes/#basic-authentication

Unfortunately the annotations used are different for each ingress controller, so having a generalized abstraction is not feasible. We have a similar issue with the certificate issuer. Right now it's hard-coded into the HTTP spec to be TLSAcme.

Henrike42 commented 6 years ago

Hi Murali,

I had a look into Nginx, Voyager and Traefik regarding basic authentication and tried to come up with a common definition as part of the kubeless HTTP trigger.

apiVersion: kubeless.io/v1beta1
kind: HTTPTrigger
metadata:
  name: my-trigger
  namespace: test
spec:
  function: my-function
  host: "test.ingress.host"
  path: "/my-function"
  route: "my-trigger"
  tls: true
  auth:
    metadata:
      annotations:
        kubeless.io/ingress.class: "nginx"   # one of traefik, nginx or voyager
    spec:
      type: "basic"
      realm: "Authentication required ..."
      secret: "secret-basic-auth"

The kubeless.io/ingress.class annotation is one of traefik, nginx, voyager or another supported option. The basic authentication secret needs to be created outside of kubeless and must exist in the same namespace.

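The secret the proposal above says must be created outside kubeless, as an added example (my code, not kubeless's or the commenter's): it builds an htpasswd entry, wraps it in a Secret manifest under the data key `auth` (the key ingress-nginx reads for its auth-secret annotation, and the file name the linked Traefik guide uses with `--from-file`), and then checks an `Authorization` header against that file the way an ingress controller does. The user name, the password and the choice of the `{SHA}` scheme are assumptions for the example, picked only because they need no third-party library.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed sample credentials for this example (not from the thread).
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "s3cret-pass"


def htpasswd_entry(user: str, password: str) -> str:
    """Build one htpasswd line in the {SHA} scheme: base64(SHA-1(password)).

    Apache's htpasswd and nginx's auth_basic both understand this scheme. It is
    unsalted, so for a real deployment generate the file with the htpasswd tool
    and one of its stronger schemes; the Secret layout below stays the same.
    """
    if not user or ":" in user:
        raise ValueError("user name must be non-empty and must not contain ':'")
    digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    return f"{user}:{{SHA}}{digest}"


def basic_auth_secret(name: str, namespace: str, entries: list) -> dict:
    """Kubernetes Secret manifest carrying the htpasswd file under the key "auth".

    The Secret must live in the same namespace as the Ingress that references it;
    kubectl accepts this dict as JSON via `kubectl apply -f -`.
    """
    htpasswd_file = "\n".join(entries) + "\n"
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"auth": base64.b64encode(htpasswd_file.encode("utf-8")).decode("ascii")},
    }


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash, skipping blank lines, comments and entries without a user."""
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            if user:
                creds[user] = stored
    return creds


def basic_header(user: str, password: str) -> str:
    """What an HTTP client sends: Authorization: Basic base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def authorize(header: Optional[str], htpasswd_text: str) -> bool:
    """Check an Authorization header against the htpasswd file like the controller does.

    False for a missing header, a non-Basic scheme, malformed base64, a missing
    ':' separator, an unknown user or a wrong password. The hash comparison is
    constant-time; note that the early return on an unknown user still leaks
    user existence through timing, which is acceptable for this illustration.
    """
    if not header:
        return False
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False
    presented = htpasswd_entry(user, password).partition(":")[2]
    return hmac.compare_digest(stored.encode("ascii"), presented.encode("ascii"))


if __name__ == "__main__":
    import json
    entry = htpasswd_entry(SAMPLE_USER, SAMPLE_PASSWORD)
    print(json.dumps(basic_auth_secret("secret-basic-auth", "test", [entry]), indent=2))
    print(authorize(basic_header(SAMPLE_USER, SAMPLE_PASSWORD), entry))
```

The `authorize` function is the part to read if you want to know what the annotations in the proposal actually buy you: the controller decodes the header, looks the user up in the file from the Secret and compares hashes; it never sees the function, so a function invoked directly through its Service (rather than through the Ingress host) is not protected by this at all.
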
murali-reddy commented 6 years ago

@Henrike42 thanks for working on adding basic auth support.

Should we just keep it as a simple list of annotations in the HTTP trigger spec? Since all are basically annotations at the moment (until the Kubernetes Ingress resource adds it to its spec). The HTTP trigger controller just copies the list of annotations to the created ingress resource object?

nginx.ingress.kubernetes.io/auth-type: basic
nginx.ingress.kubernetes.io/auth-secret: basic-auth
nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - foo"

kubernetes.io/ingress.class: traefik
ingress.kubernetes.io/auth-type: "basic"
ingress.kubernetes.io/auth-secret: "mysecret"

We also had requests (https://github.com/kubeless/kubeless/issues/307) to support other ingress controllers. I believe that at the moment just accepting a list of annotations and copying them to the created ingress resource should work.

But at some point, if it makes sense, we might consider adding the ingress spec as part of the HTTP trigger spec.

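The annotation-copying design from the comment above, as an added example (my code, not the kubeless controller): it renders the Ingress an HTTP trigger controller would create from a trigger carrying the nginx annotation set listed there, copies the annotations verbatim, and before doing so checks the one thing the thread says must hold, that the referenced auth secret exists in the trigger's own namespace. Without that check the controller would only find out at request time. The trigger object, the `annotations` field name, the function Service port 8080 and the TLS secret name are assumptions for the example; the annotation keys are the ones quoted in the thread.

```python
import json

# Constructed sample input (not from the thread): an HTTPTrigger with the
# nginx annotation list from the comment above copied into spec.annotations.
SAMPLE_TRIGGER = {
    "apiVersion": "kubeless.io/v1beta1",
    "kind": "HTTPTrigger",
    "metadata": {"name": "my-trigger", "namespace": "test"},
    "spec": {
        "function": "my-function",
        "host": "test.ingress.host",
        "path": "/my-function",
        "tls": True,
        "annotations": {  # assumption: field name for the proposed annotation list
            "kubernetes.io/ingress.class": "nginx",
            "nginx.ingress.kubernetes.io/auth-type": "basic",
            "nginx.ingress.kubernetes.io/auth-secret": "basic-auth",
            "nginx.ingress.kubernetes.io/auth-realm": "Authentication Required - foo",
        },
    },
}

# Annotation keys from the thread whose value names a Secret the controller reads.
AUTH_SECRET_KEYS = (
    "nginx.ingress.kubernetes.io/auth-secret",  # ingress-nginx
    "ingress.kubernetes.io/auth-secret",        # Traefik 1.x
)
AUTH_TYPE_KEYS = ("nginx.ingress.kubernetes.io/auth-type", "ingress.kubernetes.io/auth-type")
FUNCTION_PORT = 8080  # assumption: port of the Service kubeless exposes per function


def check_auth_annotations(annotations: dict, namespace: str, existing_secrets: set) -> list:
    """Return problems the ingress controller would otherwise hit only at request time.

    existing_secrets is a set of (namespace, name) tuples, e.g. from listing
    Secrets with the API; an empty list means the annotations are usable.
    """
    problems = []
    for key in AUTH_SECRET_KEYS:
        ref = annotations.get(key)
        if ref is None:
            continue
        if "/" in ref:
            problems.append(f"{key}: '{ref}' must be a bare name; the Secret has to be in namespace '{namespace}'")
        elif (namespace, ref) not in existing_secrets:
            problems.append(f"{key}: Secret '{ref}' not found in namespace '{namespace}'")
    for key in AUTH_TYPE_KEYS:
        auth_type = annotations.get(key)
        if auth_type is not None and auth_type not in ("basic", "digest"):
            problems.append(f"{key}: unsupported value '{auth_type}'")
    return problems


def ingress_from_trigger(trigger: dict, existing_secrets: set) -> dict:
    """Render the Ingress for an HTTPTrigger, copying its annotations verbatim."""
    meta, spec = trigger["metadata"], trigger["spec"]
    annotations = dict(spec.get("annotations", {}))
    problems = check_auth_annotations(annotations, meta["namespace"], existing_secrets)
    if problems:
        raise ValueError("; ".join(problems))
    ingress = {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": meta["name"], "namespace": meta["namespace"], "annotations": annotations},
        "spec": {
            "rules": [{
                "host": spec["host"],
                "http": {"paths": [{
                    "path": spec.get("path", "/"),
                    "pathType": "Prefix",
                    "backend": {"service": {"name": spec["function"], "port": {"number": FUNCTION_PORT}}},
                }]},
            }],
        },
    }
    if spec.get("tls"):
        # assumption: certificate Secret named after the trigger; the thread notes
        # the issuer is currently hard-coded to TLS-ACME in the HTTP trigger spec.
        ingress["spec"]["tls"] = [{"hosts": [spec["host"]], "secretName": f"{meta['name']}-tls"}]
    return ingress


if __name__ == "__main__":
    print(json.dumps(ingress_from_trigger(SAMPLE_TRIGGER, {("test", "basic-auth")}), indent=2))
```

Swapping the annotation block for the Traefik pair from the comment (`kubernetes.io/ingress.class: traefik`, `ingress.kubernetes.io/auth-type`, `ingress.kubernetes.io/auth-secret`) needs no change to the rendering code, which is the point of the "just copy the annotations" design: the controller-specific knowledge lives in the trigger, not in kubeless.
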
Henrike42 commented 6 years ago

Hi Murali, yes, that's even better. I thought there was a reason speaking against just passing the annotations. Maybe I misunderstood something in the TechCall yesterday.

Best Regards Henrike

Henrike42 commented 6 years ago

Hi Murali, if you like to, I could make a pull request which adds annotations to the HTTP trigger generated ingress artifact. Best Regards Henrike

murali-reddy commented 6 years ago

I thought there was a reason speaking against just passing the annotations. Maybe I misunderstood something in the TechCall yesterday.

@Henrike42 Not really against, but it would have been ideal if internal details specific to Kubernetes ingress controllers were not exposed to the function developer/deployer. In the past we have had similar discussions, and in the end we ended up having the deployment, service spec etc. as part of the Kubeless resource object specs. It does give control and flexibility to the users. In this case also we cannot have a generalized abstraction. So let's go with annotations.

if you like to, I could make a pull request which adds annotations to the HTTP trigger generated ingress artifact.

Yes. please go ahead.

I will try to adopt the new CLI that is part of #643 to handle basic auth and path as well.

murali-reddy commented 6 years ago

Basic auth support was added in #658 so closing this issue.