--- title: "Traefik Ingress" description: "A guide to integrating Authelia with the Traefik Kubernetes Ingress." lead: "A guide to integrating Authelia with the Traefik Kubernetes Ingress." date: 2022-05-15T13:52:27+10:00 draft: false images: [] menu: integration: parent: "kubernetes" weight: 520 toc: true --- We officially support the Traefik 2.x Kubernetes ingress controllers. These come in two flavors: * [Traefik Kubernetes Ingress](https://doc.traefik.io/traefik/providers/kubernetes-ingress/) * [Traefik Kubernetes CRD](https://doc.traefik.io/traefik/providers/kubernetes-crd/) The [Traefik documentation](../proxies/traefik.md) may also be useful for crafting advanced annotations to use with this ingress even though it's not specific to Kubernetes. ## Special Notes ### Cross-Namespace Resources Depending on your Traefik version you may be required to configure the [allowCrossNamespace](https://doc.traefik.io/traefik/providers/kubernetes-crd/#allowcrossnamespace) to reuse a [Middleware] from a namespace different to the Ingress or IngressRoute. Alternatively you can create the [Middleware] in every namespace you need to use it. ## Middleware Regardless if you're using the [Traefik Kubernetes Ingress] or purely the [Traefik Kubernetes CRD], you must configure the [Traefik Kubernetes CRD] as far as we're aware at this time in order to configure a [ForwardAuth] [Middleware]. This is an example [Middleware] manifest. This eample assumes that you have deployed an Authelia pod and you have configured it to be served on the URL `https://auth.example.com` and there is a Kubernetes Service with the name `authelia` in the `default` namespace with TCP port `80` configured to route to the Authelia pod's HTTP port and that your cluster is configured with the default DNS domain name of `cluster.local`. ```yaml apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: labels: app.kubernetes.io/instance: authelia app.kubernetes.io/name: authelia argocd.argoproj.io/instance: authelia name: forwardauth-authelia namespace: default spec: forwardAuth: address: http://authelia.default.svc.cluster.local/api/verify?rd=https%3A%2F%2Fauth.example.com%2F authResponseHeaders: - Remote-User - Remote-Name - Remote-Email - Remote-Groups ``` ## Ingress This is an example Ingress manifest which uses the above [Middleware](#middleware). This example assumes you have an application you wish to serve on `https://app.example.com` and there is a Kubernetes Service with the name `app` in the `default` namespace with TCP port `80` configured to route to the application pod's HTTP port. ```yaml apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: app namespace: default annotations: traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.middlewares: default-forwardauth-authelia@kubernetescrd traefik.ingress.kubernetes.io/router.tls: "true" spec: rules: - host: app.example.com http: paths: - path: /bar pathType: Prefix backend: service: name: app port: number: 80 ``` ## IngressRoute This is an example IngressRoute manifest which uses the above [Middleware](#middleware). This example assumes you have an application you wish to serve on `https://app.example.com` and there is a Kubernetes Service with the name `app` in the `default` namespace with TCP port `80` configured to route to the application pod's HTTP port. ```yaml apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute metadata: name: app namespace: default spec: entryPoints: - websecure routes: - kind: Rule match: Host(`app.example.com`) middlewares: - name: forwardauth-authelia namespace: default services: - kind: Service name: app namespace: default port: 80 scheme: http strategy: RoundRobin weight: 10 ``` [Traefik Kubernetes Ingress]: https://doc.traefik.io/traefik/providers/kubernetes-ingress/ [Traefik Kubernetes CRD]: https://doc.traefik.io/traefik/providers/kubernetes-crd/ [Middleware]: https://doc.traefik.io/traefik/middlewares/overview/ [ForwardAuth]: https://doc.traefik.io/traefik/middlewares/http/forwardauth/