authelia/docs/content/en/integration/kubernetes/traefik-ingress.md

127 lines
4.3 KiB
Markdown
Raw Normal View History

---
title: "Traefik Ingress"
description: "A guide to integrating Authelia with the Traefik Kubernetes Ingress."
lead: "A guide to integrating Authelia with the Traefik Kubernetes Ingress."
date: 2022-05-15T13:52:27+10:00
draft: false
images: []
menu:
integration:
parent: "kubernetes"
weight: 520
toc: true
---
We officially support the Traefik 2.x Kubernetes ingress controllers. These come in two flavors:
* [Traefik Kubernetes Ingress](https://doc.traefik.io/traefik/providers/kubernetes-ingress/)
* [Traefik Kubernetes CRD](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
The [Traefik documentation](../proxies/traefik.md) may also be useful for crafting advanced annotations to use with
this ingress even though it's not specific to Kubernetes.
## Special Notes
### Cross-Namespace Resources
Depending on your Traefik version you may be required to configure the
[allowCrossNamespace](https://doc.traefik.io/traefik/providers/kubernetes-crd/#allowcrossnamespace) to reuse a
[Middleware] from a namespace different to the Ingress or IngressRoute. Alternatively you can create the [Middleware] in
every namespace you need to use it.
## Middleware
Regardless if you're using the [Traefik Kubernetes Ingress] or purely the [Traefik Kubernetes CRD], you must configure
the [Traefik Kubernetes CRD] as far as we're aware at this time in order to configure a [ForwardAuth] [Middleware].
This is an example [Middleware] manifest. This eample assumes that you have deployed an Authelia pod and you have
configured it to be served on the URL `https://auth.example.com` and there is a Kubernetes Service with the name
`authelia` in the `default` namespace with TCP port `80` configured to route to the Authelia pod's HTTP port and that
your cluster is configured with the default DNS domain name of `cluster.local`.
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
labels:
app.kubernetes.io/instance: authelia
app.kubernetes.io/name: authelia
argocd.argoproj.io/instance: authelia
name: forwardauth-authelia
namespace: default
spec:
forwardAuth:
address: http://authelia.default.svc.cluster.local/api/verify?rd=https%3A%2F%2Fauth.example.com%2F
authResponseHeaders:
- Remote-User
- Remote-Name
- Remote-Email
- Remote-Groups
```
## Ingress
This is an example Ingress manifest which uses the above [Middleware](#middleware). This example assumes you have an
application you wish to serve on `https://app.example.com` and there is a Kubernetes Service with the name `app` in the
`default` namespace with TCP port `80` configured to route to the application pod's HTTP port.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: app
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: default-forwardauth-authelia@kubernetescrd
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
rules:
- host: app.example.com
http:
paths:
- path: /bar
pathType: Prefix
backend:
service:
name: app
port:
number: 80
```
## IngressRoute
This is an example IngressRoute manifest which uses the above [Middleware](#middleware). This example assumes you have an
application you wish to serve on `https://app.example.com` and there is a Kubernetes Service with the name `app` in the
`default` namespace with TCP port `80` configured to route to the application pod's HTTP port.
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: app
namespace: default
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`app.example.com`)
middlewares:
- name: forwardauth-authelia
namespace: default
services:
- kind: Service
name: app
namespace: default
port: 80
scheme: http
strategy: RoundRobin
weight: 10
```
[Traefik Kubernetes Ingress]: https://doc.traefik.io/traefik/providers/kubernetes-ingress/
[Traefik Kubernetes CRD]: https://doc.traefik.io/traefik/providers/kubernetes-crd/
[Middleware]: https://doc.traefik.io/traefik/middlewares/overview/
[ForwardAuth]: https://doc.traefik.io/traefik/middlewares/http/forwardauth/