traefik-forward-auth/examples/auth.yml

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-forward-auth
data:
  INSECURE_COOKIE: 'true'
  COOKIE_DOMAIN: whoami.hottis.de
  DOMAINS: whoami.hottis.de
  AUTH_HOST: auth.whoami.hottis.de
  URL_PATH: /_oauth
  DEFAULT_PROVIDER: oidc
  PROVIDERS_OIDC_ISSUER_URL: https://auth2.hottis.de/realms/hottis
  PROVIDERS_OIDC_CLIENT_ID: whoami
  REQUIRED_ROLE: whoami_access
# ---
# apiVersion: v1
# kind: Secret
# metadata:
#   name: traefik-forward-auth
# type: Opaque
# data:
#   PROVIDERS_OIDC_CLIENT_SECRET: PLACEHOLDER
#   SECRET: PLACEHOLDER
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  template:
    metadata:
      labels:
        app: traefik-forward-auth
      annotations:
        container.apparmor.security.beta.kubernetes.io/traefik-forward-auth: runtime/default
    spec:
      containers:
        - name: traefik-forward-auth
          #image: thomseddon/traefik-forward-auth
          image: wollud1969/traefik-forward-auth:3.0.0
          imagePullPolicy: Always
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            capabilities:
              drop:
                - ALL
          livenessProbe:
            failureThreshold: 3
            tcpSocket:
              port: 4181
            initialDelaySeconds: 10
            periodSeconds: 10
          resources:
            limits:
              memory: '10Mi'
              cpu: '100m'
          ports:
            - containerPort: 4181
              protocol: TCP
          env:
            - name: PROVIDERS_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth
                  key: PROVIDERS_OIDC_CLIENT_SECRET
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth
                  key: SECRET
            - name: LOG_LEVEL
              value: trace
          envFrom:
            - configMapRef:
                name: traefik-forward-auth
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  type: ClusterIP
  selector:
    app: traefik-forward-auth
  ports:
  - name: auth-http
    port: 4181
    targetPort: 4181
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: auth-whoami-hottis-de
spec:
  secretName: auth-whoami-cert
  duration: 2160h
  renewBefore: 360h
  subject:
    organizations:
      - hottis-de
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
  dnsNames:
    - auth.whoami.hottis.de
  issuerRef:
    name: letsencrypt-production-http
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-forward-auth
  labels:
    app: traefik-forward-auth
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`auth.whoami.hottis.de`)
    kind: Rule
    services:
    - name: traefik-forward-auth
      port: 4181
  tls:
    secretName: auth-whoami-cert
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-forward-auth
spec:
  forwardAuth:
    trustForwardHeader: true
    address: http://traefik-forward-auth.whoami.svc.cluster.local:4181
    authResponseHeaders:
      - X-Forwarded-User
documentation 2023-11-07 09:59:46 +01:00			`---`
			`apiVersion: v1`
			`kind: ConfigMap`
			`metadata:`
			`name: traefik-forward-auth`
			`data:`
			`INSECURE_COOKIE: 'true'`
			`COOKIE_DOMAIN: whoami.hottis.de`
			`DOMAINS: whoami.hottis.de`
			`AUTH_HOST: auth.whoami.hottis.de`
			`URL_PATH: /_oauth`
			`DEFAULT_PROVIDER: oidc`
			`PROVIDERS_OIDC_ISSUER_URL: https://auth2.hottis.de/realms/hottis`
			`PROVIDERS_OIDC_CLIENT_ID: whoami`
			`REQUIRED_ROLE: whoami_access`
			`# ---`
			`# apiVersion: v1`
			`# kind: Secret`
			`# metadata:`
			`# name: traefik-forward-auth`
			`# type: Opaque`
			`# data:`
			`# PROVIDERS_OIDC_CLIENT_SECRET: PLACEHOLDER`
			`# SECRET: PLACEHOLDER`
			`---`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: traefik-forward-auth`
			`labels:`
			`app: traefik-forward-auth`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: traefik-forward-auth`
			`template:`
			`metadata:`
			`labels:`
			`app: traefik-forward-auth`
			`annotations:`
			`container.apparmor.security.beta.kubernetes.io/traefik-forward-auth: runtime/default`
			`spec:`
			`containers:`
			`- name: traefik-forward-auth`
			`#image: thomseddon/traefik-forward-auth`
adjust for release 2023-11-07 10:18:49 +01:00			`image: wollud1969/traefik-forward-auth:3.0.0`
documentation 2023-11-07 09:59:46 +01:00			`imagePullPolicy: Always`
			`securityContext:`
			`readOnlyRootFilesystem: true`
			`runAsNonRoot: true`
			`runAsUser: 65534`
			`runAsGroup: 65534`
			`capabilities:`
			`drop:`
			`- ALL`
			`livenessProbe:`
			`failureThreshold: 3`
			`tcpSocket:`
			`port: 4181`
			`initialDelaySeconds: 10`
			`periodSeconds: 10`
			`resources:`
			`limits:`
			`memory: '10Mi'`
			`cpu: '100m'`
			`ports:`
			`- containerPort: 4181`
			`protocol: TCP`
			`env:`
			`- name: PROVIDERS_OIDC_CLIENT_SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: traefik-forward-auth`
			`key: PROVIDERS_OIDC_CLIENT_SECRET`
			`- name: SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: traefik-forward-auth`
			`key: SECRET`
			`- name: LOG_LEVEL`
			`value: trace`
			`envFrom:`
			`- configMapRef:`
			`name: traefik-forward-auth`
			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`name: traefik-forward-auth`
			`labels:`
			`app: traefik-forward-auth`
			`spec:`
			`type: ClusterIP`
			`selector:`
			`app: traefik-forward-auth`
			`ports:`
			`- name: auth-http`
			`port: 4181`
			`targetPort: 4181`
			`---`
			`apiVersion: cert-manager.io/v1`
			`kind: Certificate`
			`metadata:`
			`name: auth-whoami-hottis-de`
			`spec:`
			`secretName: auth-whoami-cert`
			`duration: 2160h`
			`renewBefore: 360h`
			`subject:`
			`organizations:`
			`- hottis-de`
			`isCA: false`
			`privateKey:`
			`algorithm: RSA`
			`encoding: PKCS1`
			`size: 2048`
			`usages:`
			`- server auth`
			`dnsNames:`
			`- auth.whoami.hottis.de`
			`issuerRef:`
			`name: letsencrypt-production-http`
			`kind: ClusterIssuer`
			`group: cert-manager.io`
			`---`
			`apiVersion: traefik.containo.us/v1alpha1`
			`kind: IngressRoute`
			`metadata:`
			`name: traefik-forward-auth`
			`labels:`
			`app: traefik-forward-auth`
			`spec:`
			`entryPoints:`
			`- websecure`
			`routes:`
			- match: Host(`auth.whoami.hottis.de`)
			`kind: Rule`
			`services:`
			`- name: traefik-forward-auth`
			`port: 4181`
			`tls:`
			`secretName: auth-whoami-cert`
			`---`
			`apiVersion: traefik.containo.us/v1alpha1`
			`kind: Middleware`
			`metadata:`
			`name: traefik-forward-auth`
			`spec:`
			`forwardAuth:`
			`trustForwardHeader: true`
			`address: http://traefik-forward-auth.whoami.svc.cluster.local:4181`
			`authResponseHeaders:`
			`- X-Forwarded-User`