Add basic auth to traefik

nomad/traefik/traefik.nomad

@@ -73,8 +73,18 @@ job "traefik" {
         mount {
           type = "bind"
           target = "/etc/traefik"
-          source = "config"
+          source = "local/config"
         }
+
+        mount {
+          type = "bind"
+          target = "/etc/traefik/usersfile"
+          source = "secrets/usersfile"
+        }
+      }
+
+      vault {
+        policies = ["access-tables", "nomad-task"]
       }
 
       template {
@@ -125,13 +135,10 @@ job "traefik" {
   [providers.consulCatalog.endpoint]
     address = "http://<< env "CONSUL_HTTP_ADDR" >>"
         EOH
-        destination = "/config/traefik.toml"
+        destination = "local/config/traefik.toml"
       }
 
       template {
-        # Avoid conflict with TOML lists [[ ]] and Go templates {{ }}
-        left_delimiter = "<<"
-        right_delimiter = ">>"
         data = <<EOH
 [http]
   [http.routers]
@@ -139,46 +146,70 @@ job "traefik" {
       entryPoints = ["websecure"]
       # middlewares = []
       service = "nomad"
-      rule = "Host(`nomad.${var.base_hostname}`)"
+      rule = "Host(`nomad.{{ keyOrDefault "global/base_hostname" "${var.base_hostname}" }}`)"
     [http.routers.consul]
       entryPoints = ["websecure"]
       # middlewares = []
       service = "consul"
-      rule = "Host(`consul.${var.base_hostname}`)"
+      rule = "Host(`consul.{{ keyOrDefault "global/base_hostname" "${var.base_hostname}" }}`)"
     [http.routers.vault]
       entryPoints = ["websecure"]
       # middlewares = []
       service = "vault"
-      rule = "Host(`vault.${var.base_hostname}`)"
+      rule = "Host(`vault.{{ keyOrDefault "global/base_hostname" "${var.base_hostname}" }}`)"
 
   [http.services]
-    << with service "nomad-client" ->>
+    {{ with service "nomad-client" -}}
     [http.services.nomad]
       [http.services.nomad.loadBalancer]
-        << range . ->>
+        {{ range . -}}
         [[http.services.nomad.loadBalancer.servers]]
-          url = "http://<< .Address >>:<< .Port >>"
-        << end >>
-    <<- end >>
-    << with service "consul" ->>
+          url = "http://{{ .Address }}:{{ .Port }}"
+        {{ end }}
+    {{- end }}
+    {{ with service "consul" -}}
     [http.services.consul]
       [http.services.consul.loadBalancer]
-        << range . ->>
+        {{ range . -}}
         [[http.services.consul.loadBalancer.servers]]
           # Not using .Port because that's an RPC port
-          url = "http://<< .Address >>:8500"
-        << end >>
-    <<- end >>
-    << with service "vault" ->>
+          url = "http://{{ .Address }}:8500"
+        {{ end }}
+    {{- end }}
+    {{ with service "vault" -}}
     [http.services.vault]
       [http.services.vault.loadBalancer]
-        << range . ->>
+        {{ range . -}}
         [[http.services.vault.loadBalancer.servers]]
-          url = "http://<< .Address >>:<< .Port >>"
-        << end >>
-    <<- end >>
+          url = "http://{{ .Address }}:{{ .Port }}"
+        {{ end }}
+    {{- end }}
         EOH
-        destination = "/config/conf/route-hashi.toml"
+        destination = "local/config/conf/route-hashi.toml"
+        change_mode = "noop"
+      }
+
+      template {
+        data = <<EOH
+[http.middlewares]
+{{ with secret "kv/data/traefik" }}
+{{ if .Data.data.usersfile }}
+  [http.middlewares.basic-auth.basicAuth]
+    usersFile = "/etc/traefik/usersfile"
+{{ end }}
+{{ end }}
+        EOH
+        destination = "local/config/conf/middlewares.toml"
+        change_mode = "noop"
+      }
+
+      template {
+        data = <<EOH
+{{ with secret "kv/data/traefik" }}
+{{ .Data.data.usersfile }}
+{{ end }}
+        EOH
+        destination = "secrets/usersfile"
         change_mode = "noop"
       }
 

nomad/whoami.nomad

@@ -50,6 +50,7 @@ job "whoami" {
       tags = [
         "traefik.enable=true",
         "traefik.http.routers.whoami.entryPoints=websecure",
+        "traefik.http.routers.whoami.middlewares=basic-auth@file",
       ]
     }