From 853bf323273a348b33f5be795df3a1f9e18a7932 Mon Sep 17 00:00:00 2001
From: Till!
Date: Mon, 10 May 2021 17:41:34 +0200
Subject: [PATCH] Update: support forward auth for dashboard (#19)
* Update: support forward auth for dashboard
- enable with traefik_dashboard_fwdauth_server
- added guards to ensure things are configured
- append fwdauth labels to service when necessary
* Update: allow setting the fqdn By default "traefik.{{ inventory_hostname }}". This new config var allows setting the complete name to something else if needed. We added this to unify all dashboards on a host to be able to fwd auth everywhere.
* Update: allow overriding deps [this is ugly]
* Chore: improve readme + shameless self promo :)
---
README.md | 34 +++++++++++++++++++++++++++++++++-
defaults/main.yml | 8 +++++++-
tasks/configure.yml | 12 ++++++++++++
tasks/guard.yml | 43 +++++++++++++++++++++++++++++++++++++++++++
tasks/main.yml | 3 +++
vars/main.yml | 9 +++++++--
6 files changed, 105 insertions(+), 4 deletions(-)
create mode 100644 tasks/guard.yml
diff --git a/README.md b/README.md
index 8058537..7676a56 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1,40 @@
 Traefik (in Docker) role for Ansible
 ====
+## Feature highlights
+
+ - supports the latest Traefik v1.x (e.g. v1.7)
+ - authentication
+ - basic auth
+ - forward auth
+ - enabling Traefik's dashboard
+ - works with Docker (stand-alone/docker-compose) and Docker Swarm
+ - potentially consul integration (**does not** install consul)
+
 #### Dependencies
 - Assumes Docker and Docker Compose are installed on the host
+- Ansible requires:
+ - `pip install jsondiff`
+ - `pip install pyyaml`
+ - manage Python deps with `traefik_manage_ansible_dependencies (bool)`
 #### Usage
+Installation:
+
+```
+$ ansible-galaxy install pngmbh.ansible_traefik_docker
+```
+
+Or add it to your `requirements.yml`:
+
+```
+- name: pngmbh.ansible_traefik_docker
+ src: https://github.com/pngmbh/ansible-traefik-docker
+ version: GIT-TAG-HERE
+```
+
 Create a playbook (`traefik.yml`) from this role:
 ```
@@ -14,9 +42,13 @@ Create a playbook (`traefik.yml`) from this role:
 - name: Install and configure Traefik reverse-proxy
 hosts:
 roles:
- - role: roles/traefik
+ - role: pngmbh.ansible_docker_traefik
 traefik_acme_email: "user@mydomain.org"
 traefik_dashboard_basicauth_users: ["user:$apr1$somehash"]
 ```
 For a list of all options, see [defaults/main.yml](defaults/main.yml).
+
+## About the author
+
+This is a fork, but it diverged and is actively tested and maintained here. Come check us out: [Planetary Quantum GmbH](https://www.planetary-quantum.com) :rocket:
diff --git a/defaults/main.yml b/defaults/main.yml
index 4fee87b..cd3d68f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -16,11 +16,13 @@ traefik_docker_network: "public"
 traefik_dashboard_enable: true
 traefik_dashboard_entrypoint_port: 8080
 traefik_dashboard_subdomain: "traefik"
+traefik_dashboard_fqdn: "{{ traefik_dashboard_subdomain }}.{{ traefik_docker_domain }}"
 traefik_dashboard_basicauth_enable: true
 traefik_dashboard_basicauth_users: []
+traefik_dashboard_fwdauth_server: ""
 # Docker
-# traefik_docker_domain: "mydomain.org" (defaults to inventory_hostname)
+traefik_docker_domain: "{{ inventory_hostname }}"
 traefik_docker_expose_by_default: false
 # Enable automatic certificates from Let's Encrypt
@@ -43,3 +45,7 @@ traefik_use_swarm: false
 traefik_swarm_mode: false
 traefik_swarm_network_driver: "overlay"
 traefik_swarm_network_attachable: true
+
+# Whatever Ansible needs to execute this role
+# If you're doing it otherwise, you can set this to false
+traefik_manage_ansible_dependencies: true
diff --git a/tasks/configure.yml b/tasks/configure.yml
index 7ccdead..ddcb949 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -1,4 +1,16 @@
 ---
+- name: Labels include fwd auth
+ set_fact:
+ traefik_dashboard_labels: "{{ _traefik_dashboard_labels + _traefik_dashboard_fwdauth_labels }}"
+ when:
+ - traefik_dashboard_fwdauth_server|length > 0
+
+- name: Labels don't include fwd auth
+ set_fact:
+ traefik_dashboard_labels: "{{ _traefik_dashboard_labels }}"
+ when:
+ - traefik_dashboard_fwdauth_server|length == 0
+
 - name: Render traefik config
 template:
 src: traefik.toml.j2
diff --git a/tasks/guard.yml b/tasks/guard.yml
new file mode 100644
index 0000000..c03001b
--- /dev/null
+++ b/tasks/guard.yml
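Review bot: `traefik_dashboard_fwdauth_server: ""` is added to defaults/main.yml without any comment saying what the value must look like, while the only example-bearing comment in this section (the one on `traefik_docker_domain`) is removed in the same hunk. The value is spliced verbatim into a Traefik label by vars/main.yml in this patch, and setting it flips the dashboard from basic auth to forward auth, so a reader of the defaults needs both facts. I would add above it: `# Full URL of the forward-auth endpoint (scheme, host and port, e.g. "http://forward-auth:4181"). When non-empty the dashboard is protected by forward auth instead of basic auth, so traefik_dashboard_basicauth_enable must then be false.`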
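Review bot: Both `when:` tests in the new set_fact pair in tasks/configure.yml apply `|length` directly to `traefik_dashboard_fwdauth_server`, so a `null` value (a bare `traefik_dashboard_fwdauth_server:` in inventory) aborts the play with a templating type error instead of a clear message, and a whitespace-only value selects the forward-auth labels with an effectively blank address. Normalising the value first makes the two branches predictable and genuinely exclusive: `- (traefik_dashboard_fwdauth_server | default('', true) | trim) | length > 0` and the mirrored `== 0` test in the second task. The same normalisation belongs in the guard this patch adds, otherwise the guard and the label selection can disagree on the same input.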
@@ -0,0 +1,43 @@
+---
+- name: Ensure only basic auth or fwd auth are enabled
+ block:
+ - name: Basic auth is enabled, no fwd auth server is configured
+ block:
+ - name: Test [basic auth, dashboard is enabled]
+ assert:
+ that:
+ - traefik_dashboard_enable
+ fail_msg: "Please enable dashboard if you want basic auth for it"
+ quiet: true
+ - name: Test [basic auth enabled]
+ assert:
+ that:
+ - traefik_dashboard_fwdauth_server|length == 0
+ fail_msg: "You tried to enable basic auth AND fwd auth (hint: unconfigured traefik_dashboard_fwdauth_server)"
+ quiet: true
+ - name: Test [basic auth users are set]
+ assert:
+ that:
+ - traefik_dashboard_basicauth_users|length > 0
+ fail_msg: "You enabled basic auth without users (hint: configure traefik_dashboard_basicauth_users)"
+ quiet: true
+ when:
+ - traefik_dashboard_basicauth_enable
+
+ - name: Fwd auth server is configured correctly
+ block:
+ - name: Test [fwd auth, dashboard is enabled]
+ assert:
+ that:
+ - traefik_dashboard_enable
+ fail_msg: "Please enable dashboard if you want forward auth for it"
+ quiet: true
+ - name: Test [fwd auth is configured]
+ assert:
+ that:
+ - traefik_dashboard_basicauth_users|length == 0
+ - not traefik_dashboard_basicauth_enable
+ fail_msg: "Please remove config for basic auth and enable dashboard"
+ quiet: true
+ when:
+ - traefik_dashboard_fwdauth_server|length > 0
diff --git a/tasks/main.yml b/tasks/main.yml
index 6ad7a13..93637a8 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,4 +1,6 @@
 ---
+- include: guard.yml
+
 - include: install.yml
 - include: configure.yml
@@ -13,6 +15,7 @@
 name:
 - jsondiff==1.2.0
 - pyyaml==5.2
+ when: traefik_manage_ansible_dependencies
 - name: Create traefik docker network (Swarm)
 docker_network:
diff --git a/vars/main.yml b/vars/main.yml
index 363cb39..f51f52a 100644
--- a/vars/main.yml
+++ b/vars/main.yml
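Review bot: The new guard never covers the combination its outer task is named for: with `traefik_dashboard_enable: true`, `traefik_dashboard_basicauth_enable: false` and an empty `traefik_dashboard_fwdauth_server`, neither inner block's `when` fires, so the role proceeds and publishes the dashboard (`traefik.enable=true` on the configured Docker network, per vars/main.yml in this patch) with no authentication at all and nothing in the output to say so. A third assert, a sibling of the outer block, should fail the play when the dashboard is enabled and neither mechanism is configured; if a deliberately unauthenticated dashboard must remain possible, gate that assert behind an explicit opt-out variable rather than leaving silence as the default. Note also that each block's first test asserts `traefik_dashboard_enable`, so a host that keeps the default `traefik_dashboard_basicauth_enable: true` but sets `traefik_dashboard_enable: false` now fails with "Please enable dashboard" instead of being a harmless no-op; please confirm that regression is intended.
```yaml
# … unchanged: outer block with the basic-auth and fwd-auth checks …

- name: Test [dashboard is enabled, some authentication is configured]
  assert:
    that:
      - traefik_dashboard_basicauth_enable or traefik_dashboard_fwdauth_server|length > 0
    fail_msg: "Dashboard is enabled but neither basic auth nor forward auth is configured"
    quiet: true
  when:
    - traefik_dashboard_enable
```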
@@ -1,7 +1,12 @@
 ---
-traefik_dashboard_labels:
+_traefik_dashboard_labels:
 - "traefik.port={{ traefik_dashboard_entrypoint_port }}"
 - "traefik.docker.network={{ traefik_docker_network }}"
 - "traefik.backend=traefik"
- - "traefik.frontend.rule=Host:{{ traefik_dashboard_subdomain }}.{{ traefik_docker_domain | default(inventory_hostname) }}"
+ - "traefik.frontend.rule=Host:{{ traefik_dashboard_fqdn }}"
 - "traefik.enable=true"
+
+_traefik_dashboard_fwdauth_labels:
+ - "traefik.frontend.auth.forward.address: {{ traefik_dashboard_fwdauth_server }}"
+ - "traefik.frontend.auth.forward.authResponseHeaders=X-Auth-User,X-Auth-Group"
+ - "traefik.frontend.auth.forward.trustForwardHeader=true"
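Review bot: The first forward-auth label is written as `traefik.frontend.auth.forward.address: {{ ... }}` with a colon, while every other label in this file uses the `key=value` form; as far as Docker label-list syntax goes that whole string becomes a label key with an empty value, so Traefik would find no `traefik.frontend.auth.forward.address` and would not apply forward auth. Because the guard added in this patch insists basic auth is switched off whenever `traefik_dashboard_fwdauth_server` is set, the likely outcome is a dashboard with no authentication at all, with a missing label on the container as the only symptom. The line should read `- "traefik.frontend.auth.forward.address={{ traefik_dashboard_fwdauth_server }}"`. Separately, `trustForwardHeader=true` tells Traefik to pass client-supplied `X-Forwarded-*` headers to the auth server as trusted, which is only safe when Traefik itself sits behind a proxy that sets them; consider exposing it as a role variable defaulting to `false`, or at least adding a comment stating that assumption next to the label.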