Merge 'v1.4.3' into master

Release v1.4.3
2017-11-15 23:01:08 +01:00 · 2017-11-15 23:01:08 +01:00 · 8719f2836e
commit 8719f2836e
parent 0c702b0b6b 77b111702b
18 changed files with 717 additions and 145 deletions
--- a/docs/configuration/backends/kubernetes.md
+++ b/docs/configuration/backends/kubernetes.md
@ -2,7 +2,7 @@

 Træfik can be configured to use Kubernetes Ingress as a backend configuration.

-See also [Kubernetes user guide](/docs/user-guide/kubernetes). 
+See also [Kubernetes user guide](/user-guide/kubernetes). 


 ## Configuration
@ -118,10 +118,10 @@ If one of the Net-Specifications are invalid, the whole list is invalid and allo
 ### Authentication

 Is possible to add additional authentication annotations in the Ingress rule.
-The source of the authentication is a secret that contains usernames and passwords inside the the key auth.
+The source of the authentication is a secret that contains usernames and passwords inside the key auth.

 - `ingress.kubernetes.io/auth-type`: `basic`
- `ingress.kubernetes.io/auth-secret`  
+- `ingress.kubernetes.io/auth-secret`: `mysecret`  
    Contains the usernames and passwords with access to the paths defined in the Ingress Rule.

 The secret must be created in the same namespace as the Ingress rule.
--- a/docs/user-guide/docker-and-lets-encrypt.md
+++ b/docs/user-guide/docker-and-lets-encrypt.md
@ -59,8 +59,8 @@ services:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
-      - /srv/traefik/traefik.toml:/traefik.toml
-      - /srv/traefik/acme.json:/acme.json
+      - /opt/traefik/traefik.toml:/traefik.toml
+      - /opt/traefik/acme.json:/acme.json
    container_name: traefik

 networks:
--- a/docs/user-guide/examples.md
+++ b/docs/user-guide/examples.md
@ -140,7 +140,7 @@ This configuration allows generating a Let's Encrypt certificate during the firs
    * TLS handshakes will be slow when requesting a hostname certificate for the first time, this can leads to DDoS attacks.
    * Let's Encrypt have rate limiting: https://letsencrypt.org/docs/rate-limits

-    That's why, it's better to use the `onHostRule` optin if possible.
+    That's why, it's better to use the `onHostRule` option if possible.

 ### DNS challenge

@ -173,7 +173,7 @@ entryPoint = "https"
 DNS challenge needs environment variables to be executed.
 This variables have to be set on the machine/container which host Traefik.

-These variables has described [in this section](/configuration/acme/#dnsprovider).
+These variables are described [in this section](/configuration/acme/#dnsprovider).

 ### OnHostRule option and provided certificates

@ -201,7 +201,7 @@ Traefik will only try to generate a Let's encrypt certificate if the domain cann

 #### Prerequisites

-Before to use Let's Encrypt in a Traefik cluster, take a look to [the key-value store explanations](/user-guide/kv-config) and more precisely to [this section](/user-guide/kv-config/#store-configuration-in-key-value-store) in the way to know how to migrate from a acme local storage *(acme.json file)* to a key-value store configuration.
+Before you use Let's Encrypt in a Traefik cluster, take a look to [the key-value store explanations](/user-guide/kv-config) and more precisely at [this section](/user-guide/kv-config/#store-configuration-in-key-value-store), which will describe how to migrate from a acme local storage *(acme.json file)* to a key-value store configuration.

 #### Configuration

--- a/docs/user-guide/kubernetes.md
+++ b/docs/user-guide/kubernetes.md
@ -82,7 +82,7 @@ It is possible to use Træfik with a [Deployment](https://kubernetes.io/docs/con

 The Deployment objects looks like this:

-```yml
+```yaml
 ---
 apiVersion: v1
 kind: ServiceAccount
@ -330,6 +330,72 @@ echo "$(minikube ip) traefik-ui.minikube" | sudo tee -a /etc/hosts

 We should now be able to visit [traefik-ui.minikube](http://traefik-ui.minikube) in the browser and view the Træfik Web UI.

+## Basic Authentication
+
+It's possible to add additional authentication annotations in the Ingress rule.
+The source of the authentication is a secret that contains usernames and passwords inside the key auth.
+To read about basic auth limitations see the [Kubernetes Ingress](/configuration/backends/kubernetes) configuration page.
+
+#### Creating the Secret
+
+A. Use `htpasswd` to create a file containing the username and the base64-encoded password:
+
+```shell
+htpasswd -c ./auth myusername
+```
+
+You will be prompted for a password which you will have to enter twice.
+`htpasswd` will create a file with the following:
+
+```shell
+cat auth
+```
+```
+myusername:$apr1$78Jyn/1K$ERHKVRPPlzAX8eBtLuvRZ0
+```
+
+B. Now use `kubectl` to create a secret in the monitoring namespace using the file created by `htpasswd`.
+
+```shell
+kubectl create secret generic mysecret --from-file auth --namespace=monitoring
+```
+
+!!! note
+    Secret must be in same namespace as the ingress rule.
+
+C. Create the ingress using the following annotations to specify basic auth and that the username and password is stored in `mysecret`.
+
+- `ingress.kubernetes.io/auth-type: "basic"`
+- `ingress.kubernetes.io/auth-secret: "mysecret"`
+
+Following is a full ingress example based on Prometheus:
+
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: prometheus-dashboard
+ namespace: monitoring
+ annotations:
+   kubernetes.io/ingress.class: traefik
+   ingress.kubernetes.io/auth-type: "basic"
+   ingress.kubernetes.io/auth-secret: "mysecret"
+spec:
+ rules:
+ - host: dashboard.prometheus.example.com
+   http:
+     paths:
+     - backend:
+         serviceName: prometheus
+         servicePort: 9090
+```
+
+You can apply the example ingress as following:
+
+```shell
+kubectl create -f prometheus-ingress.yaml -n monitoring
+```
+
 ## Name based routing

 In this example we are going to setup websites for 3 of the United Kingdoms best loved cheeses, Cheddar, Stilton and Wensleydale.
--- a/docs/user-guide/kv-config.md
+++ b/docs/user-guide/kv-config.md
@ -148,6 +148,37 @@ This variable must be initialized with the ACL token value.

 If Traefik is launched into a Docker container, the variable `CONSUL_HTTP_TOKEN` can be initialized with the `-e` Docker option : `-e "CONSUL_HTTP_TOKEN=[consul-acl-token-value]"`

+If a Consul ACL is used to restrict Træfik read/write access, one of the following configurations is needed.
+
+- HCL format :
+
+```
+    key "traefik" {
+        policy = "write"
+    },
+    
+    session "" {
+        policy = "write"
+    }
+```
+
+- JSON format :
+
+```json
+{
+    "key": {
+        "traefik": {
+          "policy": "write"
+        }
+    },
+    "session": {
+        "": {
+        "policy": "write"
+        }
+    }
+}
+```
+
 ### TLS support

 To connect to a Consul endpoint using SSL, simply specify `https://` in the `consul.endpoint` property