Note
This feature is available starting from the MCP 2019.2.7 maintenance update. Before using the feature, follow the steps described in Apply maintenance updates.
This section describes how to configure authentication for Aptly repositories
through HAProxy if Aptly is running on the cid
nodes.
To configure Aptly authentication through HAProxy:
Log in to the Salt Master node.
Verify that HAProxy is enabled on the node that runs Aptly API:
salt -C 'I@docker:client:stack:aptly' pillar.get haproxy:proxy:listen:aptly-api
salt -C 'I@docker:client:stack:aptly' pillar.get haproxy:proxy:listen:aptly-public
If HAProxy is not enabled, include the following class to
cluster/<cluster_name>/cicd/control/init.yml
:
- system.haproxy.proxy.listen.cicd.aptly
In cluster/<cluster_name>/cicd/control/init.yml
, add the following
overrides:
haproxy:
proxy:
userlist:
aptly_users:
name: aptly_users
groups:
- name: <user_group_name>
- name: <user_group_name2>
users:
- name: <user_name>
password: <user_password>
groups: [ <user_group_name> ]
- name: <user_name2>
password: <user_password2>
groups: [ <user_group_name2> ]
listen:
aptly-api:
acl:
auth_reg: "http_auth(${haproxy:proxy:userlist:aptly_users:name})"
http_request:
- action: auth
condition: 'if !auth_reg'
aptly-public:
acl:
auth_reg: "http_auth(${haproxy:proxy:userlist:aptly_users:name})"
http_request:
- action: auth
condition: 'if !auth_reg'
For password
, define the required password types depending on your
needs:
Add an insecure password and HAProxy will shadow it to the configuration file. For example:
users:
- name: user1
password: r00tme
Add an insecure_password: True
parameter and HAProxy will add the
password as an insecure one to the configuration file. For example:
users:
- name: user2
password: r00tme
insecure_password: True
Add a shadowed password and HAProxy will add it to the configuration file. For example:
users:
- name: user3
password: '$6$wf0xxoXj$VqoqozsTPpeKZtw6c7gl2CYyEXfOccdif1ZmJwDT1AMKYp/.JUTZcDiZthai3xN9CzDQex9ZUOf3nFMbCm/Oe.'
shadow_password: False
Apply the haproxy.proxy
state on the Aptly API node:
salt -C 'I@docker:client:stack:aptly' state.apply haproxy.proxy
Once done, access to Aptly API is granted through
<aptly_user>:<aptly_user_password>
.
Now, proceed to Enable authentication for Aptly repositories.