authelia/docs/content/en/integration/kubernetes/traefik-ingress.md

153 lines
5.3 KiB
Markdown

---
title: "Traefik Ingress"
description: "A guide to integrating Authelia with the Traefik Kubernetes Ingress."
lead: "A guide to integrating Authelia with the Traefik Kubernetes Ingress."
date: 2022-06-15T17:51:47+10:00
draft: false
images: []
menu:
integration:
parent: "kubernetes"
weight: 550
toc: true
---
We officially support the Traefik 2.x Kubernetes ingress controllers. These come in two flavors:
* [Traefik Kubernetes Ingress](https://doc.traefik.io/traefik/providers/kubernetes-ingress/)
* [Traefik Kubernetes CRD](https://doc.traefik.io/traefik/providers/kubernetes-crd/)
The [Traefik documentation](../proxies/traefik.md) may also be useful for crafting advanced annotations to use with
this ingress even though it's not specific to Kubernetes.
## Get Started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get Started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Special Notes
### Cross-Namespace Resources
Depending on your Traefik version you may be required to configure the
[allowCrossNamespace](https://doc.traefik.io/traefik/providers/kubernetes-crd/#allowcrossnamespace) to reuse a
[Middleware] from a [Namespace] different to the [Ingress] / [IngressRoute]. Alternatively you can create the [Middleware]
in every [Namespace] you need to use it.
## Middleware
Regardless if you're using the [Traefik Kubernetes Ingress] or purely the [Traefik Kubernetes CRD], you must configure
the [Traefik Kubernetes CRD] as far as we're aware at this time in order to configure a [ForwardAuth] [Middleware].
This is an example [Middleware] manifest. This example assumes that you have deployed an Authelia [Pod] and you have
configured it to be served on the URL `https://auth.example.com` and there is a Kubernetes [Service] with the name
`authelia` in the `default` [Namespace] with TCP port `80` configured to route to the Authelia [Pod]'s HTTP port and
that your cluster is configured with the default DNS domain name of `cluster.local`.
*__Important Note:__ The [Middleware] should be applied to an [Ingress] / [IngressRoute] you wish to protect. It
__SHOULD NOT__ be applied to the Authelia [Ingress] / [IngressRoute] itself.*
{{< details "middleware.yml" >}}
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
labels:
app.kubernetes.io/instance: authelia
app.kubernetes.io/name: authelia
argocd.argoproj.io/instance: authelia
name: forwardauth-authelia
namespace: default
spec:
forwardAuth:
address: http://authelia.default.svc.cluster.local/api/verify?rd=https%3A%2F%2Fauth.example.com%2F
authResponseHeaders:
- Remote-User
- Remote-Name
- Remote-Email
- Remote-Groups
...
```
{{< /details >}}
## Ingress
This is an example [Ingress] manifest which uses the above [Middleware](#middleware). This example assumes you have an
application you wish to serve on `https://app.example.com` and there is a Kubernetes [Service] with the name `app` in
the `default` [Namespace] with TCP port `80` configured to route to the application [Pod]'s HTTP port.
{{< details "ingress.yml" >}}
```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: app
namespace: default
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: default-forwardauth-authelia@kubernetescrd
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
rules:
- host: app.example.com
http:
paths:
- path: /bar
pathType: Prefix
backend:
service:
name: app
port:
number: 80
...
```
{{< /details >}}
## IngressRoute
This is an example [IngressRoute] manifest which uses the above [Middleware](#middleware). This example assumes you have
an application you wish to serve on `https://app.example.com` and there is a Kubernetes [Service] with the name `app` in
the `default` [Namespace] with TCP port `80` configured to route to the application [Pod]'s HTTP port.
{{< details "ingressRoute.yml" >}}
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: app
namespace: default
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`app.example.com`)
middlewares:
- name: forwardauth-authelia
namespace: default
services:
- kind: Service
name: app
namespace: default
port: 80
scheme: http
strategy: RoundRobin
weight: 10
...
```
{{< /details >}}
[Namespace]: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
[Pod]: https://kubernetes.io/docs/concepts/workloads/pods/
[Service]: https://kubernetes.io/docs/concepts/services-networking/service/
[IngressRoute]: https://doc.traefik.io/traefik/providers/kubernetes-crd/
[Ingress]: https://kubernetes.io/docs/concepts/services-networking/ingress/
[Traefik Kubernetes Ingress]: https://doc.traefik.io/traefik/providers/kubernetes-ingress/
[Traefik Kubernetes CRD]: https://doc.traefik.io/traefik/providers/kubernetes-crd/
[Middleware]: https://doc.traefik.io/traefik/middlewares/overview/
[ForwardAuth]: https://doc.traefik.io/traefik/middlewares/http/forwardauth/