---
title: "Traefik Ingress"
description: "A guide to integrating Authelia with the Traefik Kubernetes Ingress."
lead: "A guide to integrating Authelia with the Traefik Kubernetes Ingress."
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
weight: 550
toc: true
---
We officially support the Traefik 2.x Kubernetes ingress controllers. These come in two flavors:

- Traefik Kubernetes Ingress
- Traefik Kubernetes CRD
The Traefik documentation may also be useful for crafting advanced annotations to use with this ingress even though it's not specific to Kubernetes.
## Get Started
It's strongly recommended that users setting up Authelia for the first time take a look at our Get Started guide. This takes you through various steps which are essential to bootstrapping Authelia.
## Special Notes

### Cross-Namespace Resources

Depending on your Traefik version you may be required to configure the `allowCrossNamespace` option in order to reuse a Middleware from a Namespace different from the one the Ingress / IngressRoute lives in. Alternatively you can create the Middleware in every Namespace in which you need to use it.
## Middleware

Regardless of whether you're using the Traefik Kubernetes Ingress or purely the Traefik Kubernetes CRD, as far as we're aware at this time you must install the Traefik Kubernetes CRD in order to configure a ForwardAuth Middleware.
This is an example Middleware manifest. This example assumes that you have deployed an Authelia Pod and you have configured it to be served on the URL `https://auth.example.com`, that there is a Kubernetes Service with the name `authelia` in the `default` Namespace with TCP port `80` configured to route to the Authelia Pod's HTTP port, and that your cluster is configured with the default DNS domain name of `cluster.local`.
Important Note: The Middleware should be applied to an Ingress / IngressRoute you wish to protect. It SHOULD NOT be applied to the Authelia Ingress / IngressRoute itself.
{{< details "middleware.yml" >}}
```yaml
---
apiVersion: 'traefik.containo.us/v1alpha1'
kind: 'Middleware'
metadata:
  name: 'forwardauth-authelia'
  namespace: 'default'
  labels:
    app.kubernetes.io/instance: 'authelia'
    app.kubernetes.io/name: 'authelia'
spec:
  forwardAuth:
    address: 'http://authelia.default.svc.cluster.local/api/authz/forward-auth'
    ## The following commented line is for configuring the Authelia URL in the proxy. We strongly suggest this is
    ## configured in the Session Cookies section of the Authelia configuration.
    # address: 'http://authelia.default.svc.cluster.local/api/authz/forward-auth?authelia_url=https%3A%2F%2Fauth.example.com%2F'
    authResponseHeaders:
      - 'Authorization'
      - 'Proxy-Authorization'
      - 'Remote-User'
      - 'Remote-Groups'
      - 'Remote-Email'
      - 'Remote-Name'
...
```
{{< /details >}}
## Ingress

This is an example Ingress manifest which uses the above Middleware. This example assumes you have an application you wish to serve on `https://app.example.com` and there is a Kubernetes Service with the name `app` in the `default` Namespace with TCP port `80` configured to route to the application Pod's HTTP port.
{{< details "ingress.yml" >}}
```yaml
---
apiVersion: 'networking.k8s.io/v1'
kind: 'Ingress'
metadata:
  name: 'app'
  namespace: 'default'
  annotations:
    traefik.ingress.kubernetes.io/router.entryPoints: 'websecure'
    traefik.ingress.kubernetes.io/router.middlewares: 'default-forwardauth-authelia@kubernetescrd'
    traefik.ingress.kubernetes.io/router.tls: 'true'
spec:
  rules:
    - host: 'app.example.com'
      http:
        paths:
          - path: '/bar'
            pathType: 'Prefix'
            backend:
              service:
                name: 'app'
                port:
                  number: 80
...
```
{{< /details >}}
## IngressRoute

This is an example IngressRoute manifest which uses the above Middleware. This example assumes you have an application you wish to serve on `https://app.example.com` and there is a Kubernetes Service with the name `app` in the `default` Namespace with TCP port `80` configured to route to the application Pod's HTTP port.
{{< details "ingressRoute.yml" >}}
```yaml
---
apiVersion: 'traefik.containo.us/v1alpha1'
kind: 'IngressRoute'
metadata:
  name: 'app'
  namespace: 'default'
spec:
  entryPoints:
    - 'websecure'
  routes:
    - kind: 'Rule'
      match: 'Host(`app.example.com`)'
      middlewares:
        - name: 'forwardauth-authelia'
          namespace: 'default'
      services:
        - kind: 'Service'
          name: 'app'
          namespace: 'default'
          port: 80
          scheme: 'http'
          strategy: 'RoundRobin'
          weight: 10
...
```
{{< /details >}}
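As an added example that is not part of the Authelia documentation or project code, the following Python script turns the wiring rules from the Middleware, Ingress and IngressRoute sections above into pre-apply checks: an Ingress must name the Middleware in its annotation as `<namespace>-<name>@kubernetescrd`, an IngressRoute must reference it by name and namespace, the Middleware address must target Authelia's `/api/authz/forward-auth` endpoint and forward the `Remote-*` headers, and the Middleware must never be attached to the route that serves Authelia itself. Manifests are represented as plain dicts constructed from the guide's own examples so the script runs without a YAML library; the function names are my own.

```python
import re
from urllib.parse import urlsplit
MW_ANNOTATION = "traefik.ingress.kubernetes.io/router.middlewares"
FORWARD_AUTH_PATH = "/api/authz/forward-auth"

def middleware_ref(namespace: str, name: str) -> str:
    return f"{namespace}-{name}@kubernetescrd"  # Traefik's router-level name for a CRD Middleware

def check_middleware(mw: dict) -> list[str]:
    """The Middleware must point at Authelia's forward-auth endpoint and forward identity headers."""
    fa = mw.get("spec", {}).get("forwardAuth", {})
    problems = []
    if urlsplit(fa.get("address", "")).path != FORWARD_AUTH_PATH:
        problems.append(f"forwardAuth.address path is not {FORWARD_AUTH_PATH}")
    if not fa.get("authResponseHeaders"):
        problems.append("authResponseHeaders is empty; Remote-* headers never reach the application")
    return problems

def referenced_middlewares(route: dict) -> list[str]:
    """Middleware references from an Ingress (annotation) or an IngressRoute (spec.routes[].middlewares)."""
    if route["kind"] == "Ingress":
        ann = route["metadata"].get("annotations", {}).get(MW_ANNOTATION, "")
        return [r.strip() for r in ann.split(",") if r.strip()]
    ns = route["metadata"]["namespace"]
    return [middleware_ref(m.get("namespace", ns), m["name"])
            for r in route["spec"]["routes"] for m in r.get("middlewares", [])]

def route_hosts(route: dict) -> list[str]:
    """Host names served by the route; IngressRoute hosts sit inside Host(`...`) match expressions."""
    if route["kind"] == "Ingress":
        return [r["host"] for r in route["spec"].get("rules", [])]
    return re.findall(r"Host\(`([^`]+)`\)", " ".join(r["match"] for r in route["spec"]["routes"]))

def check_route(route: dict, middlewares: list[dict], authelia_host: str) -> list[str]:
    """Apps must reference an existing Middleware; the route serving Authelia itself must not."""
    refs = referenced_middlewares(route)
    if authelia_host in route_hosts(route):
        return ["forwardAuth Middleware is attached to the Authelia route itself"] if refs else []
    if not refs:
        return ["no Middleware referenced: the application is served without authentication"]
    known = {middleware_ref(m["metadata"]["namespace"], m["metadata"]["name"]) for m in middlewares}
    return [f"Middleware {r!r} not found (expected '<namespace>-<name>@kubernetescrd')" for r in refs if r not in known]

# Constructed sample manifests as dicts (the guide's middleware.yml, ingress.yml and ingressRoute.yml, trimmed).
MIDDLEWARE = {"kind": "Middleware", "metadata": {"name": "forwardauth-authelia", "namespace": "default"}, "spec": {"forwardAuth": {
    "address": "http://authelia.default.svc.cluster.local/api/authz/forward-auth", "authResponseHeaders": ["Remote-User", "Remote-Groups"]}}}
APP_INGRESS = {"kind": "Ingress", "metadata": {"name": "app", "namespace": "default", "annotations": {
               MW_ANNOTATION: "default-forwardauth-authelia@kubernetescrd"}}, "spec": {"rules": [{"host": "app.example.com"}]}}
APP_INGRESSROUTE = {"kind": "IngressRoute", "metadata": {"name": "app", "namespace": "default"}, "spec": {"routes": [
                    {"match": "Host(`app.example.com`)", "middlewares": [{"name": "forwardauth-authelia", "namespace": "default"}]}]}}
```

Running `check_route` over every Ingress and IngressRoute in a namespace before `kubectl apply` catches the two mistakes this guide warns about: a mis-spelled `@kubernetescrd` reference (which Traefik silently treats as a missing middleware) and the Middleware being attached to Authelia's own route.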