authelia/docs/content/en/integration/kubernetes/traefik-ingress.md

5.6 KiB

title description lead date draft images menu weight toc
Traefik Ingress A guide to integrating Authelia with the Traefik Kubernetes Ingress. A guide to integrating Authelia with the Traefik Kubernetes Ingress. 2022-06-15T17:51:47+10:00 false
integration
parent
kubernetes
550 true

We officially support the Traefik 2.x Kubernetes ingress controllers. These come in two flavors:

The Traefik documentation may also be useful for crafting advanced annotations to use with this ingress even though it's not specific to Kubernetes.

Get Started

It's strongly recommended that users setting up Authelia for the first time take a look at our Get Started guide. This takes you through various steps which are essential to bootstrapping Authelia.

Special Notes

Cross-Namespace Resources

Depending on your Traefik version you may be required to configure the allowCrossNamespace to reuse a Middleware from a Namespace different to the Ingress / IngressRoute. Alternatively you can create the Middleware in every Namespace you need to use it.

Middleware

Regardless if you're using the Traefik Kubernetes Ingress or purely the Traefik Kubernetes CRD, you must configure the Traefik Kubernetes CRD as far as we're aware at this time in order to configure a ForwardAuth Middleware.

This is an example Middleware manifest. This example assumes that you have deployed an Authelia Pod and you have configured it to be served on the URL https://auth.example.com and there is a Kubernetes Service with the name authelia in the default Namespace with TCP port 80 configured to route to the Authelia Pod's HTTP port and that your cluster is configured with the default DNS domain name of cluster.local.

Important Note: The Middleware should be applied to an Ingress / IngressRoute you wish to protect. It SHOULD NOT be applied to the Authelia Ingress / IngressRoute itself.

{{< details "middleware.yml" >}}

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: forwardauth-authelia
  namespace: default
  labels:
    app.kubernetes.io/instance: authelia
    app.kubernetes.io/name: authelia
spec:
  forwardAuth:
    address: 'http://authelia.default.svc.cluster.local/api/authz/forward-auth'
    ## The following commented line is for configuring the Authelia URL in the proxy. We strongly suggest this is
    ## configured in the Session Cookies section of the Authelia configuration.
    # address: 'http://authelia.default.svc.cluster.local/api/authz/forward-auth?authelia_url=https%3A%2F%2Fauth.example.com%2F'
    authResponseHeaders:
      - 'Authorization'
      - 'Proxy-Authorization'
      - 'Remote-User'
      - 'Remote-Groups'
      - 'Remote-Email'
      - 'Remote-Name'
...

{{< /details >}}

Ingress

This is an example Ingress manifest which uses the above Middleware. This example assumes you have an application you wish to serve on https://app.example.com and there is a Kubernetes Service with the name app in the default Namespace with TCP port 80 configured to route to the application Pod's HTTP port.

{{< details "ingress.yml" >}}

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: default
  annotations:
    traefik.ingress.kubernetes.io/router.entryPoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: default-forwardauth-authelia@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /bar
            pathType: Prefix
            backend:
              service:
                name:  app
                port:
                  number: 80
...

{{< /details >}}

IngressRoute

This is an example IngressRoute manifest which uses the above Middleware. This example assumes you have an application you wish to serve on https://app.example.com and there is a Kubernetes Service with the name app in the default Namespace with TCP port 80 configured to route to the application Pod's HTTP port.

{{< details "ingressRoute.yml" >}}

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`app.example.com`)
      middlewares:
        - name: forwardauth-authelia
          namespace: default
      services:
        - kind: Service
          name: app
          namespace: default
          port: 80
          scheme: http
          strategy: RoundRobin
          weight: 10
...

{{< /details >}}