157 lines
5.7 KiB
Markdown
157 lines
5.7 KiB
Markdown
---
|
|
title: "Traefik Ingress"
|
|
description: "A guide to integrating Authelia with the Traefik Kubernetes Ingress."
|
|
lead: "A guide to integrating Authelia with the Traefik Kubernetes Ingress."
|
|
date: 2022-06-15T17:51:47+10:00
|
|
draft: false
|
|
images: []
|
|
menu:
|
|
integration:
|
|
parent: "kubernetes"
|
|
weight: 550
|
|
toc: true
|
|
---
|
|
|
|
We officially support the Traefik 2.x Kubernetes ingress controllers. These come in two flavors:
|
|
|
|
* [Traefik Kubernetes Ingress](https://doc.traefik.io/traefik/providers/kubernetes-ingress/)
|
|
* [Traefik Kubernetes CRD](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
|
|
|
|
The [Traefik documentation](../proxies/traefik.md) may also be useful for crafting advanced annotations to use with
|
|
this ingress even though it's not specific to Kubernetes.
|
|
|
|
## Get Started
|
|
|
|
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
|
|
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
|
|
bootstrapping *Authelia*.
|
|
|
|
## Special Notes
|
|
|
|
### Cross-Namespace Resources
|
|
|
|
Depending on your Traefik version you may be required to configure the
|
|
[allowCrossNamespace](https://doc.traefik.io/traefik/providers/kubernetes-crd/#allowcrossnamespace) to reuse a
|
|
[Middleware] from a [Namespace] different to the [Ingress] / [IngressRoute]. Alternatively you can create the [Middleware]
|
|
in every [Namespace] you need to use it.
|
|
|
|
## Middleware
|
|
|
|
Regardless if you're using the [Traefik Kubernetes Ingress] or purely the [Traefik Kubernetes CRD], you must configure
|
|
the [Traefik Kubernetes CRD] as far as we're aware at this time in order to configure a [ForwardAuth] [Middleware].
|
|
|
|
This is an example [Middleware] manifest. This example assumes that you have deployed an Authelia [Pod] and you have
|
|
configured it to be served on the URL `https://auth.example.com` and there is a Kubernetes [Service] with the name
|
|
`authelia` in the `default` [Namespace] with TCP port `80` configured to route to the Authelia [Pod]'s HTTP port and
|
|
that your cluster is configured with the default DNS domain name of `cluster.local`.
|
|
|
|
*__Important Note:__ The [Middleware] should be applied to an [Ingress] / [IngressRoute] you wish to protect. It
|
|
__SHOULD NOT__ be applied to the Authelia [Ingress] / [IngressRoute] itself.*
|
|
|
|
{{< details "middleware.yml" >}}
|
|
```yaml
|
|
---
|
|
apiVersion: 'traefik.containo.us/v1alpha1'
|
|
kind: 'Middleware'
|
|
metadata:
|
|
name: 'forwardauth-authelia'
|
|
namespace: 'default'
|
|
labels:
|
|
app.kubernetes.io/instance: 'authelia'
|
|
app.kubernetes.io/name: 'authelia'
|
|
spec:
|
|
forwardAuth:
|
|
address: 'http://authelia.default.svc.cluster.local/api/authz/forward-auth'
|
|
## The following commented line is for configuring the Authelia URL in the proxy. We strongly suggest this is
|
|
## configured in the Session Cookies section of the Authelia configuration.
|
|
# address: 'http://authelia.default.svc.cluster.local/api/authz/forward-auth?authelia_url=https%3A%2F%2Fauth.example.com%2F'
|
|
authResponseHeaders:
|
|
- 'Authorization'
|
|
- 'Proxy-Authorization'
|
|
- 'Remote-User'
|
|
- 'Remote-Groups'
|
|
- 'Remote-Email'
|
|
- 'Remote-Name'
|
|
...
|
|
```
|
|
{{< /details >}}
|
|
|
|
## Ingress
|
|
|
|
This is an example [Ingress] manifest which uses the above [Middleware](#middleware). This example assumes you have an
|
|
application you wish to serve on `https://app.example.com` and there is a Kubernetes [Service] with the name `app` in
|
|
the `default` [Namespace] with TCP port `80` configured to route to the application [Pod]'s HTTP port.
|
|
|
|
{{< details "ingress.yml" >}}
|
|
```yaml
|
|
---
|
|
apiVersion: 'networking.k8s.io/v1'
|
|
kind: 'Ingress'
|
|
metadata:
|
|
name: 'app'
|
|
namespace: 'default'
|
|
annotations:
|
|
traefik.ingress.kubernetes.io/router.entryPoints: 'websecure'
|
|
traefik.ingress.kubernetes.io/router.middlewares: 'default-forwardauth-authelia@kubernetescrd'
|
|
traefik.ingress.kubernetes.io/router.tls: 'true'
|
|
spec:
|
|
rules:
|
|
- host: 'app.example.com'
|
|
http:
|
|
paths:
|
|
- path: '/bar'
|
|
pathType: 'Prefix'
|
|
backend:
|
|
service:
|
|
name: 'app'
|
|
port:
|
|
number: 80
|
|
...
|
|
```
|
|
{{< /details >}}
|
|
|
|
## IngressRoute
|
|
|
|
This is an example [IngressRoute] manifest which uses the above [Middleware](#middleware). This example assumes you have
|
|
an application you wish to serve on `https://app.example.com` and there is a Kubernetes [Service] with the name `app` in
|
|
the `default` [Namespace] with TCP port `80` configured to route to the application [Pod]'s HTTP port.
|
|
|
|
{{< details "ingressRoute.yml" >}}
|
|
```yaml
|
|
---
|
|
apiVersion: 'traefik.containo.us/v1alpha1'
|
|
kind: 'IngressRoute'
|
|
metadata:
|
|
name: 'app'
|
|
namespace: 'default'
|
|
spec:
|
|
entryPoints:
|
|
- 'websecure'
|
|
routes:
|
|
- kind: 'Rule'
|
|
match: 'Host(`app.example.com`)'
|
|
middlewares:
|
|
- name: 'forwardauth-authelia'
|
|
namespace: 'default'
|
|
services:
|
|
- kind: 'Service'
|
|
name: 'app'
|
|
namespace: 'default'
|
|
port: 80
|
|
scheme: 'http'
|
|
strategy: 'RoundRobin'
|
|
weight: 10
|
|
...
|
|
```
|
|
{{< /details >}}
|
|
|
|
[Namespace]: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
|
|
[Pod]: https://kubernetes.io/docs/concepts/workloads/pods/
|
|
[Service]: https://kubernetes.io/docs/concepts/services-networking/service/
|
|
[IngressRoute]: https://doc.traefik.io/traefik/providers/kubernetes-crd/
|
|
[Ingress]: https://kubernetes.io/docs/concepts/services-networking/ingress/
|
|
[Traefik Kubernetes Ingress]: https://doc.traefik.io/traefik/providers/kubernetes-ingress/
|
|
[Traefik Kubernetes CRD]: https://doc.traefik.io/traefik/providers/kubernetes-crd/
|
|
[Middleware]: https://doc.traefik.io/traefik/middlewares/overview/
|
|
[ForwardAuth]: https://doc.traefik.io/traefik/middlewares/http/forwardauth/
|