Read basic auth credentials from a secret. (#1466)

Signed-off-by: Bruno Miguel Custódio <brunomcustodio@gmail.com>

charts/athens-proxy/Chart.yaml

@@ -1,5 +1,5 @@
 name: athens-proxy
-version: 0.3.9
+version: 0.4.0
 appVersion: 0.7.0
 description: The proxy server for Go modules
 icon: https://raw.githubusercontent.com/gomods/athens/master/docs/static/banner.png

charts/athens-proxy/templates/deployment.yaml

@@ -54,20 +54,10 @@ spec:
           periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
           successThreshold: {{ .Values.livenessProbe.successThreshold }}
           timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
-            {{- if .Values.basicAuth.enabled }}
-            httpHeaders:
-              - name: Authorization
-                value: "Basic {{ (printf "%s:%s" (default "gomod" .Values.basicAuth.user) (default "gomod" .Values.basicAuth.password) | b64enc) }}"
-            {{- end }}
         readinessProbe:
           httpGet:
             path: "{{ template "readinessPath" . }}"
             port: 3000
-            {{- if .Values.basicAuth.enabled }}
-            httpHeaders:
-              - name: Authorization
-                value: "Basic {{ (printf "%s:%s" (default "gomod" .Values.basicAuth.user) (default "gomod" .Values.basicAuth.password) | b64enc) }}"
-            {{- end }}
         env:
         - name: ATHENS_GOGET_WORKERS
         {{- if .Values.goGetWorkers }}
@@ -141,9 +131,15 @@ spec:
         {{- end }}
         {{- if .Values.basicAuth.enabled }}
         - name: BASIC_AUTH_USER
-          value: {{ default "gomod" .Values.basicAuth.user | quote }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ default "athens-proxy-basic-auth" .Values.basicAuth.secretName | quote }}
+              key: {{ default "username" .Values.basicAuth.usernameSecretKey | quote }}
         - name: BASIC_AUTH_PASS
-          value: {{ default "gomod" .Values.basicAuth.password | quote }}
+          valueFrom:
+            secretKeyRef:
+              name: {{ default "athens-proxy-basic-auth" .Values.basicAuth.secretName | quote }}
+              key: {{ default "password" .Values.basicAuth.passwordSecretKey | quote }}
         {{- end }}
         ports:
         - containerPort: 3000

charts/athens-proxy/values.yaml

@@ -72,8 +72,9 @@ configEnvVars: {}
 # HTTP basic auth
 basicAuth:
   enabled: false
-  user: "some_user"
-  password: "some_password"
+  secretName: athens-proxy-basic-auth
+  passwordSecretKey: password
+  usernameSecretKey: username
 
 netrc:
   # if enabled, it expects to find the content of a valid .netrc file imported as a secret named netrcsecret

cmd/proxy/actions/basicauth.go

@@ -3,26 +3,20 @@ package actions
 import (
 	"crypto/subtle"
 	"net/http"
-	"strings"
+	"regexp"
 
-	"github.com/gomods/athens/pkg/log"
 	"github.com/gorilla/mux"
 )
 
-const healthWarning = "/healthz received none or incorrect Basic-Auth headers"
+var (
+	// basicAuthExcludedPaths is a regular expression that matches paths that should not be protected by HTTP basic authentication.
+	basicAuthExcludedPaths = regexp.MustCompile("^/(health|ready)z$")
+)
 
 func basicAuth(user, pass string) mux.MiddlewareFunc {
 	return func(h http.Handler) http.Handler {
 		f := func(w http.ResponseWriter, r *http.Request) {
-			if !checkAuth(r, user, pass) {
-				// Helpful hint for Kubernetes users:
-				// if they forget to send auth headers
-				// kubernetes silently fails, so a log
-				// might help them.
-				if strings.HasSuffix(r.URL.Path, "/healthz") {
-					lggr := log.EntryFromContext(r.Context())
-					lggr.Warnf(healthWarning)
-				}
+			if !basicAuthExcludedPaths.MatchString(r.URL.Path) && !checkAuth(r, user, pass) {
 				w.Header().Set("WWW-Authenticate", `Basic realm="basic auth required"`)
 				w.WriteHeader(http.StatusUnauthorized)
 				return

cmd/proxy/actions/basicauth_test.go

@@ -49,8 +49,16 @@ var basicAuthTests = [...]struct {
 		user:           "wrongUser",
 		pass:           "wrongPassword",
 		path:           "/healthz",
-		logs:           healthWarning,
-		expectedStatus: 401,
+		logs:           "",
+		expectedStatus: 200,
+	},
+	{
+		name:           "log_on_readyz",
+		user:           "wrongUser",
+		pass:           "wrongPassword",
+		path:           "/readyz",
+		logs:           "",
+		expectedStatus: 200,
 	},
 }