1. Home
  2. MCP Deployment Guide
  3. Deployment customizations guidelines
  4. Customize the prebuilt mirror node
  5. Enable authentication for Aptly repositories
  6. Configure Aptly authentication through HAProxy

Configure Aptly authentication through HAProxy

Configure Aptly authentication through HAProxyΒΆ

Note

This feature is available starting from the MCP 2019.2.7 maintenance update. Before using the feature, follow the steps described in Apply maintenance updates.

This section describes how to configure authentication for Aptly repositories through HAProxy if Aptly is running on the cid nodes.

To configure Aptly authentication through HAProxy:

  1. Log in to the Salt Master node.

  2. Verify that HAProxy is enabled on the node that runs Aptly API:

    salt -C 'I@docker:client:stack:aptly' pillar.get haproxy:proxy:listen:aptly-api
salt -C 'I@docker:client:stack:aptly' pillar.get haproxy:proxy:listen:aptly-public

  3. If HAProxy is not enabled, include the following class to cluster/<cluster_name>/cicd/control/init.yml:

    - system.haproxy.proxy.listen.cicd.aptly

  4. In cluster/<cluster_name>/cicd/control/init.yml, add the following overrides:

    haproxy:
  proxy:
    userlist:
      aptly_users:
        name: aptly_users
        groups:
          - name: <user_group_name>
          - name: <user_group_name2>
        users:
          - name: <user_name>
            password: <user_password>
            groups: [ <user_group_name> ]
          - name: <user_name2>
            password: <user_password2>
            groups: [ <user_group_name2> ]
    listen:
      aptly-api:
        acl:
          auth_reg: "http_auth(${haproxy:proxy:userlist:aptly_users:name})"
        http_request:
          - action: auth
            condition: 'if !auth_reg'
      aptly-public:
        acl:
          auth_reg: "http_auth(${haproxy:proxy:userlist:aptly_users:name})"
        http_request:
          - action: auth
            condition: 'if !auth_reg'

    For password, define the required password types depending on your needs:

    • Add an insecure password and HAProxy will shadow it to the configuration file. For example:

      users:
  - name: user1
    password: r00tme

    • Add an insecure_password: True parameter and HAProxy will add the password as an insecure one to the configuration file. For example:

      users:
  - name: user2
    password: r00tme
    insecure_password: True

    • Add a shadowed password and HAProxy will add it to the configuration file. For example:

      users:
  - name: user3
    password: '$6$wf0xxoXj$VqoqozsTPpeKZtw6c7gl2CYyEXfOccdif1ZmJwDT1AMKYp/.JUTZcDiZthai3xN9CzDQex9ZUOf3nFMbCm/Oe.'
    shadow_password: False

  5. Apply the haproxy.proxy state on the Aptly API node:

    salt -C 'I@docker:client:stack:aptly' state.apply haproxy.proxy

    Once done, access to Aptly API is granted through <aptly_user>:<aptly_user_password>.

Now, proceed to Enable authentication for Aptly repositories.

updated: 2024-01-04 11:44