Configure Aptly authentication through HAProxy

Configure Aptly authentication through HAProxy

Note

This feature is available starting from the MCP 2019.2.7 maintenance update. Before using the feature, follow the steps described in Apply maintenance updates.

This section describes how to configure authentication for Aptly repositories through HAProxy if Aptly is running on the cid nodes.

To configure Aptly authentication through HAProxy:

  1. Log in to the Salt Master node.

  2. Verify that HAProxy is enabled on the node that runs Aptly API:

    salt -C 'I@docker:client:stack:aptly' pillar.get haproxy:proxy:listen:aptly-api
    salt -C 'I@docker:client:stack:aptly' pillar.get haproxy:proxy:listen:aptly-public
    
  3. If HAProxy is not enabled, include the following class to cluster/<cluster_name>/cicd/control/init.yml:

    - system.haproxy.proxy.listen.cicd.aptly
    
  4. In cluster/<cluster_name>/cicd/control/init.yml, add the following overrides:

    haproxy:
      proxy:
        userlist:
          aptly_users:
            name: aptly_users
            groups:
              - name: <user_group_name>
              - name: <user_group_name2>
            users:
              - name: <user_name>
                password: <user_password>
                groups: [ <user_group_name> ]
              - name: <user_name2>
                password: <user_password2>
                groups: [ <user_group_name2> ]
        listen:
          aptly-api:
            acl:
              auth_reg: "http_auth(${haproxy:proxy:userlist:aptly_users:name})"
            http_request:
              - action: auth
                condition: 'if !auth_reg'
          aptly-public:
            acl:
              auth_reg: "http_auth(${haproxy:proxy:userlist:aptly_users:name})"
            http_request:
              - action: auth
                condition: 'if !auth_reg'
    

    For password, define the required password types depending on your needs:

    • Add an insecure password and HAProxy will shadow it to the configuration file. For example:

      users:
        - name: user1
          password: r00tme
      
    • Add an insecure_password: True parameter and HAProxy will add the password as an insecure one to the configuration file. For example:

      users:
        - name: user2
          password: r00tme
          insecure_password: True
      
    • Add a shadowed password and HAProxy will add it to the configuration file. For example:

      users:
        - name: user3
          password: '$6$wf0xxoXj$VqoqozsTPpeKZtw6c7gl2CYyEXfOccdif1ZmJwDT1AMKYp/.JUTZcDiZthai3xN9CzDQex9ZUOf3nFMbCm/Oe.'
          shadow_password: False
      
  5. Apply the haproxy.proxy state on the Aptly API node:

    salt -C 'I@docker:client:stack:aptly' state.apply haproxy.proxy
    

    Once done, access to Aptly API is granted through <aptly_user>:<aptly_user_password>.

Now, proceed to Enable authentication for Aptly repositories.