Add ability to specify userlists not only for stats
Related-Prod: PROD-23434
Change-Id: Iba0e7d4a8acd1c0318776a519e5dcd615ba95da1
diff --git a/haproxy/files/haproxy.cfg b/haproxy/files/haproxy.cfg
index 0dfba08..f25465b 100644
--- a/haproxy/files/haproxy.cfg
+++ b/haproxy/files/haproxy.cfg
@@ -60,7 +60,34 @@
{%- endif %}
{%- endfor %}
#}
+{%- endif %}
+{% if proxy.get('userlist') is defined %}
+ {%- for userlist_name, userlist in proxy.get('userlist', {}).iteritems() %}
+userlist {{ userlist.name|default(userlist_name) }}
+ {%- if userlist.groups is defined %}
+ {%- set groupNames = [] %}
+ {%- for group in userlist.groups %}
+ {%- do groupNames.append(group.name) %}
+ group {{ group.name }} {% if group.users is defined %} users {{ group.users|join(',') }} {% endif %}
+ {%- endfor %}
+ {% endif %}
+ {%- for user in userlist.users %}
+ {%- if user.get('insecure_password', False) %}
+ {%- set userPasswordField = 'insecure-password ' + user.password %}
+ {%- elif user.get('shadow_password', False) %}
+ {%- set userPasswordField = 'password ' + salt['shadow.gen_password'](user.password) %}
+ {%- else %}
+ {%- set userPasswordField = 'password ' + user.password %}
+ {%- endif %}
+ {%- if user.groups is defined %}
+ {%- set userGroupsField = 'groups ' + user.groups|join(',') %}
+ {%- elif userlist.groups is defined %}
+ {%- set userGroupsField = 'groups ' + groupNames|join(',') %}
+ {%- endif %}
+ user {{ user.name }} {{ userPasswordField }} {{ userGroupsField }}
+ {%- endfor %}
+ {%- endfor %}
{%- endif %}
{%- for listen_name, listen in proxy.get('listen', {}).iteritems() %}
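Review bot: The password branches starting at `user.get('insecure_password', False)` do not say what `user.password` must contain, and the default `{%- else %}` branch writes it after HAProxy's `password` keyword, which expects a crypt(3) hash; a cleartext pillar value there renders cleanly but yields a user that can never authenticate. A comment above the `if` would settle it: `{#- user.password is a crypt(3) hash unless insecure_password or shadow_password is set #}`. The `shadow_password` branch calls `salt['shadow.gen_password'](user.password)` on every render with no salt argument, so the hash presumably differs each run and the rendered file would change on every state run; worth confirming and, if so, accepting a fixed salt from pillar. `userGroupsField` is only set when `user.groups` or `userlist.groups` is defined, so the final `user` line relies on an undefined variable rendering as empty; adding `{%- else %}{%- set userGroupsField = '' %}` makes that explicit. Names and passwords are interpolated as-is, so a value containing whitespace or `#` would be split or truncated by the HAProxy parser.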
diff --git a/tests/pillar/single_with_haproxy_auth.sls b/tests/pillar/single_with_haproxy_auth.sls
new file mode 100644
index 0000000..860a48e
--- /dev/null
+++ b/tests/pillar/single_with_haproxy_auth.sls
@@ -0,0 +1,44 @@
+haproxy:
+ proxy:
+ enabled: true
+ userlist:
+ sample_userlist:
+ name: registry_users
+ groups:
+ - name: 'g1'
+ - name: 'g2'
+ users:
+ - name: user1
+ password: r00tme
+ groups: [ 'g1' ]
+ - name: user2
+ password: rootme
+ insecure_password: True
+ listen:
+ sample_service:
+ acl:
+ auth_reg: "http_auth(${haproxy:proxy:userlist:sample_userlist:name})"
+ mode: http
+ options:
+ - forwardfor
+ - httpclose
+ - httplog
+ balance: source
+ http_request:
+ - action: auth
+ condition: 'if !auth_reg'
+ binds:
+ - address: 127.0.0.1
+ port: 8000
+ servers:
+ - name: test1
+ host: localhost
+ port: 15001
+ - name: test2
+ host: localhost
+ port: 15001
+
+# For haproxy/meta/sensu.yml
+linux:
+ network:
+ fqdn: linux.ci.local
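Review bot: `user1` sets `password: r00tme` with neither `insecure_password` nor `shadow_password`, so the template's default branch renders it after HAProxy's `password` keyword, which expects a crypt(3) hash; the fixture renders but does not describe a user that can log in. Either give `user1` a constructed hash value or add `shadow_password: true`, which would also cover the one template branch this pillar leaves untested. `insecure_password: True` parses as a boolean, but lowercase `true` would match `enabled: true` earlier in the file.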