authelia/docs/content/integration/kubernetes/traefik-ingress.md

6.4 KiB

title description summary date draft images weight toc seo
Traefik Ingress A guide to integrating Authelia with the Traefik Kubernetes Ingress. A guide to integrating Authelia with the Traefik Kubernetes Ingress. 2022-06-15T17:51:47+10:00 false
550 true
title description canonical noindex
false

We officially support the Traefik 2.x Kubernetes ingress controllers. These come in two flavors:

The Traefik documentation may also be useful for crafting advanced annotations to use with this ingress even though it's not specific to Kubernetes.

Get started

It's strongly recommended that users setting up Authelia for the first time take a look at our Get started guide. This takes you through various steps which are essential to bootstrapping Authelia.

Variables

Some of the values within this page can automatically be replaced with documentation variables.

{{< sitevar-preferences >}}

Special Notes

Cross-Namespace Resources

Depending on your Traefik version you may be required to configure the allowCrossNamespace to reuse a Middleware from a Namespace different to the Ingress / IngressRoute. Alternatively you can create the Middleware in every Namespace you need to use it.

Middleware

Regardless if you're using the Traefik Kubernetes Ingress or purely the Traefik Kubernetes CRD, you must configure the Traefik Kubernetes CRD as far as we're aware at this time in order to configure a ForwardAuth Middleware.

This is an example Middleware manifest. This example assumes that you have deployed an Authelia Pod and you have configured it to be served on the URL https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}} and there is a Kubernetes Service with the name authelia in the default Namespace with TCP port 80 configured to route to the Authelia Pod's HTTP port and that your cluster is configured with the default DNS domain name of cluster.local.

{{< callout context="caution" title="Important Note" icon="outline/alert-triangle" >}} The Middleware should be applied to an Ingress / IngressRoute you wish to protect. It SHOULD NOT be applied to the Authelia Ingress / IngressRoute itself. {{< /callout >}}

---
apiVersion: 'traefik.containo.us/v1alpha1'
kind: 'Middleware'
metadata:
  name: 'forwardauth-authelia' # name of middleware as it appears in Traefik, and how you reference in ingress rules
  namespace: 'default' # name of namespace that Traefik is in
  labels:
    app.kubernetes.io/instance: 'authelia'
    app.kubernetes.io/name: 'authelia'
spec:
  forwardAuth:
    address: 'http://authelia.default.svc.cluster.local/api/authz/forward-auth'
    authResponseHeaders:
      - 'Remote-User'
      - 'Remote-Groups'
      - 'Remote-Email'
      - 'Remote-Name'
...

Ingress

This is an example Ingress manifest which uses the above Middleware. This example assumes you have an application you wish to serve on https://app.{{< sitevar name="domain" nojs="example.com" >}} and there is a Kubernetes Service with the name app in the default Namespace with TCP port 80 configured to route to the application Pod's HTTP port.

---
apiVersion: 'networking.k8s.io/v1'
kind: 'Ingress'
metadata:
  name: 'app'
  namespace: 'default'
  annotations:
    traefik.ingress.kubernetes.io/router.entryPoints: 'websecure' # name of your https entry point (default is 'websecure')
    traefik.ingress.kubernetes.io/router.middlewares: 'default-forwardauth-authelia@kubernetescrd' # name of your middleware, as defined in your middleware.yaml
    traefik.ingress.kubernetes.io/router.tls: 'true'
spec:
  rules:
    - host: 'app.{{< sitevar name="domain" nojs="example.com" >}}'
      http:
        paths:
          - path: '/bar'
            pathType: 'Prefix'
            backend:
              service:
                name:  'app'
                port:
                  number: 80
...

IngressRoute

This is an example IngressRoute manifest which uses the above Middleware. This example assumes you have an application you wish to serve on https://app.{{< sitevar name="domain" nojs="example.com" >}} and there is a Kubernetes Service with the name app in the default Namespace with TCP port 80 configured to route to the application Pod's HTTP port.

---
apiVersion: 'traefik.containo.us/v1alpha1'
kind: 'IngressRoute'
metadata:
  name: 'app'
  namespace: 'default'
spec:
  entryPoints:
    - 'websecure'  # name of your https entry point (default is 'websecure')
  routes:
    - kind: 'Rule'
      match: 'Host(`app.{{< sitevar name="domain" nojs="example.com" >}}`)'
      middlewares:
        - name: 'forwardauth-authelia' # name of your middleware, as defined in your middleware.yaml
          namespace: 'default'
      services:
        - kind: 'Service'
          name: 'app'
          namespace: 'default'
          port: 80
          scheme: 'http'
          strategy: 'RoundRobin'
          weight: 10
...