wn/traefik-forward-auth
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

documentation

Browse Source
This commit is contained in:
Wolfgang Hottgenroth
2023-11-07 09:59:46 +01:00
parent e41e8e1a17
commit 2ddbb8576f
81 changed files with 290 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

155
examples/auth.yml Normal file
View File

@ -0,0 +1,155 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-forward-auth
data:
INSECURE_COOKIE: 'true'
COOKIE_DOMAIN: whoami.hottis.de
DOMAINS: whoami.hottis.de
AUTH_HOST: auth.whoami.hottis.de
URL_PATH: /_oauth
DEFAULT_PROVIDER: oidc
PROVIDERS_OIDC_ISSUER_URL: https://auth2.hottis.de/realms/hottis
PROVIDERS_OIDC_CLIENT_ID: whoami
REQUIRED_ROLE: whoami_access
# ---
# apiVersion: v1
# kind: Secret
# metadata:
# name: traefik-forward-auth
# type: Opaque
# data:
# PROVIDERS_OIDC_CLIENT_SECRET: PLACEHOLDER
# SECRET: PLACEHOLDER
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
replicas: 1
selector:
matchLabels:
app: traefik-forward-auth
template:
metadata:
labels:
app: traefik-forward-auth
annotations:
container.apparmor.security.beta.kubernetes.io/traefik-forward-auth: runtime/default
spec:
containers:
- name: traefik-forward-auth
#image: thomseddon/traefik-forward-auth
image: wollud1969/tfa:test18
imagePullPolicy: Always
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
capabilities:
drop:
- ALL
livenessProbe:
failureThreshold: 3
tcpSocket:
port: 4181
initialDelaySeconds: 10
periodSeconds: 10
resources:
limits:
memory: '10Mi'
cpu: '100m'
ports:
- containerPort: 4181
protocol: TCP
env:
- name: PROVIDERS_OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth
key: PROVIDERS_OIDC_CLIENT_SECRET
- name: SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth
key: SECRET
- name: LOG_LEVEL
value: trace
envFrom:
- configMapRef:
name: traefik-forward-auth
---
apiVersion: v1
kind: Service
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
type: ClusterIP
selector:
app: traefik-forward-auth
ports:
- name: auth-http
port: 4181
targetPort: 4181
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: auth-whoami-hottis-de
spec:
secretName: auth-whoami-cert
duration: 2160h
renewBefore: 360h
subject:
organizations:
- hottis-de
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
dnsNames:
- auth.whoami.hottis.de
issuerRef:
name: letsencrypt-production-http
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
entryPoints:
- websecure
routes:
- match: Host(`auth.whoami.hottis.de`)
kind: Rule
services:
- name: traefik-forward-auth
port: 4181
tls:
secretName: auth-whoami-cert
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: traefik-forward-auth
spec:
forwardAuth:
trustForwardHeader: true
address: http://traefik-forward-auth.whoami.svc.cluster.local:4181
authResponseHeaders:
- X-Forwarded-User

24
examples/install.sh Executable file
View File

@ -0,0 +1,24 @@
#!/bin/bash
SECRET_CONFIG_DIR=~/Workspace/MyKubernetesEnv/secret-configuration
NAMESPACE=$(cat namespace)
SECRET=$(cat $SECRET_CONFIG_DIR/whoami-secret)
PROVIDERS_OIDC_CLIENT_SECRET=$(cat $SECRET_CONFIG_DIR/whoami-oidc-secret)
kubectl create namespace $NAMESPACE \
--dry-run=client \
-o yaml | \
kubectl -f - apply
kubectl create secret generic traefik-forward-auth \
--dry-run=client \
-o yaml \
--save-config \
--from-literal=PROVIDERS_OIDC_CLIENT_SECRET="$PROVIDERS_OIDC_CLIENT_SECRET" \
--from-literal=SECRET="$SECRET" | \
kubectl apply -f - -n $NAMESPACE
kubectl -f auth.yml -n $NAMESPACE apply
kubectl -f install.yml -n $NAMESPACE apply

46
examples/traefik-v2/kubernetes/simple-separate-pod/k8s-app.yml → examples/install.yml
View File

@ -1,6 +1,3 @@
#
# Example Application Deployment
#
apiVersion: apps/v1
kind: Deployment
metadata:
@ -18,12 +15,9 @@ spec:
app: whoami
spec:
containers:
- name: whoami
image: containous/whoami
- image: containous/whoami
name: whoami
---
#
# Service
#
apiVersion: v1
kind: Service
metadata:
@ -31,16 +25,38 @@ metadata:
labels:
app: whoami
spec:
type: ClusterIP
ports:
- name: http
port: 80
selector:
app: whoami
---
#
# IngressRoute
#
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: whoami-hottis-de
spec:
secretName: whoami-cert
duration: 2160h
renewBefore: 360h
subject:
organizations:
- hottis-de
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
dnsNames:
- whoami.hottis.de
issuerRef:
name: letsencrypt-production-http
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
@ -49,12 +65,14 @@ metadata:
app: whoami
spec:
entryPoints:
- http
- websecure
routes:
- match: Host(`whoami.example.com`)
- match: Host(`whoami.hottis.de`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: traefik-forward-auth
tls:
secretName: whoami-cert

2
examples/namespace Normal file
View File

@ -0,0 +1,2 @@
whoami

10
examples/traefik-v1.7/kubernetes/README.md
View File

@ -1,10 +0,0 @@
# Kubernetes
These examples show how to deploy traefik-forward-auth alongside traefik v1.7.
The "seperate pod" examples show traefik-forward-auth in it's own pod and leave the deployment of traefik as an exercise for the user (e.g. if using helm).
The "single pod" examples show traefik and traefik-forward-auth in a single pod.
Please see the README's in each example for more details.

16
examples/traefik-v1.7/kubernetes/advanced-separate-pod/README.md
View File

@ -1,16 +0,0 @@
# Kubernetes - Advanced Separate Pod Example
This is an advanced example of how to deploy traefik-forward-auth in it's own pod. This example is a good starting point for those who already have traefik deployed (e.g. using helm).
This example uses [Selective Authentication](https://github.com/thomseddon/traefik-forward-auth/blob/master/README.md#selective-ingress-authentication-in-kubernetes) to selectively apply forward authentication to each selective ingress, a simple example "whoami" application (deployment, service and ingress) is included for completeness.
This example leverages kustomise to define Secrets and ConfigMaps, example deployment:
```
# Deploy traefik-forward-auth
kubectl apply -k traefik-forward-auth
# Deploy example whoami app
kubectl apply -k whoami
```

3
examples/traefik-v1.7/kubernetes/advanced-separate-pod/kustomization.yaml
View File

@ -1,3 +0,0 @@
bases:
- traefik-forward-auth
- whoami

68
examples/traefik-v1.7/kubernetes/advanced-separate-pod/traefik-forward-auth/deployment.yaml
View File

@ -1,68 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
replicas: 1
selector:
matchLabels:
app: traefik-forward-auth
strategy:
type: Recreate
template:
metadata:
labels:
app: traefik-forward-auth
spec:
terminationGracePeriodSeconds: 60
containers:
- image: thomseddon/traefik-forward-auth:2
name: traefik-forward-auth
ports:
- containerPort: 4181
protocol: TCP
env:
- name: CONFIG
value: "/config"
- name: DOMAIN
value: "example.com"
# INSECURE_COOKIE is required unless using https entrypoint
- name: INSECURE_COOKIE
value: "true"
# Remove COOKIE_DOMAIN if not using auth host mode
- name: COOKIE_DOMAIN
value: "example.com"
# Remove AUTH_HOST if not using auth host mode
- name: AUTH_HOST
value: "auth.example.com"
- name: LOG_LEVEL
value: "info"
- name: PROVIDERS_GOOGLE_CLIENT_ID
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-id
- name: PROVIDERS_GOOGLE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-secret
- name: SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: secret
volumeMounts:
- name: configs
mountPath: /config
subPath: traefik-forward-auth.ini
volumes:
- name: configs
configMap:
name: configs
- name: traefik-forward-auth-secrets
secret:
secretName: secrets

22
examples/traefik-v1.7/kubernetes/advanced-separate-pod/traefik-forward-auth/ingress.yaml
View File

@ -1,22 +0,0 @@
#
# NOTE: This is only needed if you are using auth-host mode
#
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
annotations:
kubernetes.io/ingress.class: traefik
ingress.kubernetes.io/auth-type: forward
ingress.kubernetes.io/auth-url: http://traefik-forward-auth:4181
ingress.kubernetes.io/auth-response-headers: X-Forwarded-User
spec:
rules:
- host: auth.example.com
http:
paths:
- backend:
serviceName: traefik-forward-auth
servicePort: auth-http

22
examples/traefik-v1.7/kubernetes/advanced-separate-pod/traefik-forward-auth/kustomization.yaml
View File

@ -1,22 +0,0 @@
commonLabels:
app: traefik-forward-auth
resources:
- deployment.yaml
- service.yaml
- ingress.yaml # Only needed for auth-host mode
#
# Configs
#
configMapGenerator:
- name: configs
files:
- traefik-forward-auth.ini
#
# Secrets
#
secretGenerator:
- name: traefik-forward-auth-secrets
env: traefik-forward-auth.env

14
examples/traefik-v1.7/kubernetes/advanced-separate-pod/traefik-forward-auth/service.yaml
View File

@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
type: ClusterIP
selector:
app: traefik-forward-auth
ports:
- name: auth-http
port: 4181
targetPort: 4181

3
examples/traefik-v1.7/kubernetes/advanced-separate-pod/traefik-forward-auth/traefik-forward-auth.env
View File

@ -1,3 +0,0 @@
google-client-id=client-id
google-client-secret=client-secret
secret=something-random

8
examples/traefik-v1.7/kubernetes/advanced-separate-pod/traefik-forward-auth/traefik-forward-auth.ini
View File

@ -1,8 +0,0 @@
rule.example_public.action=allow
rule.example_public.rule=Host("stats.example.com") && PathPrefix("/api/public")
rule.example_api.action=allow
rule.example_api.rule=Host("api.example.com") && Headers("X-API-Authorization", "a-long-api-key")
rule.example_api_query.action=allow
rule.example_api_query.rule=Host("api.example.com") && && Query("api_key=a-long-api-key")

19
examples/traefik-v1.7/kubernetes/advanced-separate-pod/whoami/deployment.yaml
View File

@ -1,19 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
labels:
app: whoami
spec:
replicas: 1
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- image: containous/whoami
name: whoami

19
examples/traefik-v1.7/kubernetes/advanced-separate-pod/whoami/ingress.yaml
View File

@ -1,19 +0,0 @@
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: whoami
labels:
app: whoami
annotations:
kubernetes.io/ingress.class: traefik
ingress.kubernetes.io/auth-type: forward
ingress.kubernetes.io/auth-url: http://traefik-forward-auth:4181
ingress.kubernetes.io/auth-response-headers: X-Forwarded-User
spec:
rules:
- host: whoami.example.com
http:
paths:
- backend:
serviceName: whoami
servicePort: http

7
examples/traefik-v1.7/kubernetes/advanced-separate-pod/whoami/kustomization.yaml
View File

@ -1,7 +0,0 @@
commonLabels:
app: whoami
resources:
- deployment.yaml
- service.yaml
- ingress.yaml

14
examples/traefik-v1.7/kubernetes/advanced-separate-pod/whoami/service.yaml
View File

@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: whoami
labels:
app: whoami
spec:
type: ClusterIP
ports:
- name: http
port: 80
selector:
app: whoami

18
examples/traefik-v1.7/kubernetes/advanced-single-pod/README.md
View File

@ -1,18 +0,0 @@
# Kubernetes - Advanced Single Pod Example
This is an advanced example of how to deploy traefik and traefik-forward-auth in a single pod. This example is a good starting point for those who already have a manually defined traefik config (e.g. not using helm).
This example uses [Global Authentication](https://github.com/thomseddon/traefik-forward-auth/blob/master/README.md#global-authentication) to apply authentication for the entire `https` entrypoint.
This example also includes SSL via traefik acme/lesencrypt, auth host mode, exposes the traefik dashboard and leverages kustomise. No special config if required for your applications, but a simple example "whoami" application (deployment, service and ingress) is included for completeness.
Example deployment:
```
# Deploy traefik+traefik-forward-auth
kubectl apply -k traefik
# Deploy whoami app
kubectl apply -k whoami
```

3
examples/traefik-v1.7/kubernetes/advanced-single-pod/kustomization.yaml
View File

@ -1,3 +0,0 @@
bases:
- traefik
- whoami

8
examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/configs/traefik-forward-auth.ini
View File

@ -1,8 +0,0 @@
rule.example_public.action=allow
rule.example_public.rule=Host("stats.example.com") && PathPrefix("/api/public")
rule.example_api.action=allow
rule.example_api.rule=Host("api.example.com") && Headers("X-API-Authorization", "a-long-api-key")
rule.example_api_query.action=allow
rule.example_api_query.rule=Host("api.example.com") && && Query("api_key=a-long-api-key")

169
examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/configs/traefik.toml
View File

@ -1,169 +0,0 @@
################################################################
# Global configuration
################################################################
# Enable debug mode
#
# Optional
# Default: false
#
# debug = true
# Log level
#
# Optional
# Default: "ERROR"
#
logLevel = "INFO"
# Entrypoints to be used by frontends that do not specify any entrypoint.
# Each frontend can specify its own entrypoints.
#
# Optional
# Default: ["http"]
#
defaultEntryPoints = ["http", "https"]
# If set to true invalid SSL certificates are accepted for backends.
# This disables detection of man-in-the-middle attacks so should only be used on secure backend networks.
#
# Optional
# Default: false
#
insecureSkipVerify = true
################################################################
# Entrypoints configuration
################################################################
# Entrypoints definition
#
# Optional
# Default:
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]
[entryPoints.https.auth.forward]
address = "http://127.0.0.1:4181"
authResponseHeaders = ["X-Forwarded-User"]
[entryPoints.traefik]
address = ":8080"
################################################################
# Traefik logs configuration
################################################################
# Traefik logs
# Enabled by default and log to stdout
#
# Optional
#
[traefikLog]
format = "json"
# Sets the filepath for the traefik log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
# filePath = "log/traefik.log"
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format = "common"
################################################################
# Access logs configuration
################################################################
# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
# [accessLog]
# Sets the file path for the access log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
# filePath = "/path/to/log/log.txt"
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format = "common"
################################################################
# API and dashboard configuration
################################################################
# Enable API and dashboard
[api]
# Name of the related entry point
#
# Optional
# Default: "traefik"
#
# entryPoint = "traefik"
# Enabled Dashboard
#
# Optional
# Default: true
#
# dashboard = false
################################################################
# Ping configuration
################################################################
# Enable ping
[ping]
# Name of the related entry point
#
# Optional
# Default: "traefik"
#
# entryPoint = "traefik"
################################################################
# Docker configuration backend
################################################################
# Enable Kubernetes configuration backend
[kubernetes]
[acme]
KeyType = "RSA4096"
email = "you@example.com"
storage = "/acme/acme.json"
entryPoint = "https"
onHostRule = true
acmeLogging = true
[acme.httpChallenge]
entryPoint = "http"

94
examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/deployment.yaml
View File

@ -1,94 +0,0 @@
#
# Traefik + Traefik Forward Auth Deployment
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
strategy:
type: Recreate
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik
terminationGracePeriodSeconds: 60
containers:
- image: traefik:1.7.12
name: traefik
args:
- --configfile=/config/traefik.toml
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
- name: dash
containerPort: 8080
protocol: TCP
volumeMounts:
- mountPath: /config
name: configs
- mountPath: /acme
name: acme
- image: thomseddon/traefik-forward-auth:2
name: traefik-forward-auth
ports:
- containerPort: 4181
protocol: TCP
env:
- name: CONFIG
value: "/config"
- name: DOMAIN
value: "example.com"
# INSECURE_COOKIE is required if not using a https entrypoint
# - name: INSECURE_COOKIE
# value: "true"
# Remove COOKIE_DOMAIN if not using auth host mode
- name: COOKIE_DOMAIN
value: "example.com"
- name: AUTH_HOST
value: "auth.example.com"
- name: LOG_LEVEL
value: "info"
- name: PROVIDERS_GOOGLE_CLIENT_ID
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-id
- name: PROVIDERS_GOOGLE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-secret
- name: SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: secret
volumeMounts:
- name: configs
mountPath: /config
subPath: traefik-forward-auth.ini
volumes:
- name: configs
configMap:
name: configs
- name: traefik-forward-auth-secrets
secret:
secretName: secrets
- name: acme
persistentVolumeClaim:
claimName: traefik-acme

36
examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/ingress.yaml
View File

@ -1,36 +0,0 @@
#
# Auth Ingress
#
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-forward-auth
labels:
app: traefik
spec:
rules:
- host: auth.example.com
http:
paths:
- backend:
serviceName: traefik-forward-auth
servicePort: auth-http
---
#
# Dash Ingress
#
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: traefik-dashboard
labels:
app: traefik
spec:
rules:
- host: traefik.example.com
http:
paths:
- backend:
serviceName: traefik-dashboard
servicePort: dashboard-http

28
examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/kustomization.yaml
View File

@ -1,28 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
commonLabels:
app: traefik
resources:
- deployment.yaml
- service.yaml
- ingress.yaml
- pvc.yaml
- rbac.yaml
#
# Configs
#
configMapGenerator:
- name: configs
files:
- configs/traefik.toml
- configs/traefik-forward-auth.ini
#
# Secrets
#
secretGenerator:
- name: traefik-forward-auth-secrets
env: secrets/traefik-forward-auth.env

17
examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/pvc.yaml
View File

@ -1,17 +0,0 @@
# Source: traefik/templates/acme-pvc.yaml
#
# PVC
#
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: traefik-acme
labels:
app: traefik
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: "1Gi"
storageClassName: "local-traefik-acme"

52
examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/rbac.yaml
View File

@ -1,52 +0,0 @@
#
# RBAC
# Source: traefik/templates/rbac.yaml
#
kind: ServiceAccount
apiVersion: v1
metadata:
name: traefik
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik
rules:
- apiGroups:
- ""
resources:
- pods
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik
subjects:
- kind: ServiceAccount
name: traefik
namespace: kube-system

3
examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/secrets/traefik-forward-auth.env
View File

@ -1,3 +0,0 @@
google-client-id=client-id
google-client-secret=client-secret
secret=something-random

58
examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/service.yaml
View File

@ -1,58 +0,0 @@
#
# Traefik Service
#
apiVersion: v1
kind: Service
metadata:
name: traefik
labels:
app: traefik
spec:
# Use NodePort if required
type: LoadBalancer
selector:
app: traefik
ports:
- name: http
port: 80
targetPort: 80
- name: https
port: 443
targetPort: 443
---
#
# Auth Service
#
apiVersion: v1
kind: Service
metadata:
name: traefik-forward-auth
labels:
app: traefik
spec:
type: ClusterIP
selector:
app: traefik
ports:
- name: auth-http
port: 4181
targetPort: 4181
---
#
# Dash Service
#
apiVersion: v1
kind: Service
metadata:
name: traefik-dashboard
labels:
app: traefik
spec:
type: ClusterIP
selector:
app: traefik
ports:
- name: dashboard-http
port: 8080
targetPort: 8080

19
examples/traefik-v1.7/kubernetes/advanced-single-pod/whoami/deployment.yaml
View File

@ -1,19 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
labels:
app: whoami
spec:
replicas: 1
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- image: containous/whoami
name: whoami

16
examples/traefik-v1.7/kubernetes/advanced-single-pod/whoami/ingress.yaml
View File

@ -1,16 +0,0 @@
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: whoami
labels:
app: whoami
annotations:
kubernetes.io/ingress.class: traefik
spec:
rules:
- host: whoami.example.com
http:
paths:
- backend:
serviceName: whoami
servicePort: http

7
examples/traefik-v1.7/kubernetes/advanced-single-pod/whoami/kustomization.yaml
View File

@ -1,7 +0,0 @@
commonLabels:
app: whoami
resources:
- deployment.yaml
- service.yaml
- ingress.yaml

14
examples/traefik-v1.7/kubernetes/advanced-single-pod/whoami/service.yaml
View File

@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: whoami
labels:
app: whoami
spec:
type: ClusterIP
ports:
- name: http
port: 80
selector:
app: whoami

43
examples/traefik-v1.7/kubernetes/simple-separate-pod/README.md
View File

@ -1,43 +0,0 @@
# Kubernetes - Simple Separate Pod Example
This is a simple example of how to deploy traefik-forward-auth in it's own pod with minimal configuration. This example is a good starting point for those who already have traefik deployed (e.g. using helm).
This example uses annotations to apply authentication to selected ingresses (see `k8s-app.yml`). This means ingresses will not be protected by default, only those with these annotations will require forward authentication. For example:
```
#
# Ingress
#
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: whoami
labels:
app: whoami
annotations:
kubernetes.io/ingress.class: traefik
ingress.kubernetes.io/auth-type: forward
ingress.kubernetes.io/auth-url: http://traefik-forward-auth:4181
ingress.kubernetes.io/auth-response-headers: X-Forwarded-User
spec:
rules:
- host: whoami.example.com
http:
paths:
- backend:
serviceName: whoami
servicePort: http
```
Example deployment:
```
# Deploy traefik-forward-auth
kubectl apply -f k8s-traefik-forward-auth.yml
# Deploy example whoami app
kubectl apply -f k8s-app.yml
```
Please see the advanced examples for more details.

62
examples/traefik-v1.7/kubernetes/simple-separate-pod/k8s-app.yml
View File

@ -1,62 +0,0 @@
#
# Example Application Deployment
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
labels:
app: whoami
spec:
replicas: 1
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: containous/whoami
---
#
# Service
#
apiVersion: v1
kind: Service
metadata:
name: whoami
labels:
app: whoami
spec:
ports:
- name: http
port: 80
selector:
app: whoami
---
#
# Ingress
#
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: whoami
labels:
app: whoami
annotations:
kubernetes.io/ingress.class: traefik
ingress.kubernetes.io/auth-type: forward
ingress.kubernetes.io/auth-url: http://traefik-forward-auth:4181
ingress.kubernetes.io/auth-response-headers: X-Forwarded-User
spec:
rules:
- host: whoami.example.com
http:
paths:
- backend:
serviceName: whoami
servicePort: http

90
examples/traefik-v1.7/kubernetes/simple-separate-pod/k8s-traefik-forward-auth.yml
View File

@ -1,90 +0,0 @@
#
# Traefik Forward Auth Deployment
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
replicas: 1
selector:
matchLabels:
app: traefik-forward-auth
strategy:
type: Recreate
template:
metadata:
labels:
app: traefik-forward-auth
spec:
terminationGracePeriodSeconds: 60
containers:
- image: thomseddon/traefik-forward-auth:2
name: traefik-forward-auth
ports:
- containerPort: 4181
protocol: TCP
env:
- name: DOMAIN
value: "example.com"
# INSECURE_COOKIE is required unless using https entrypoint
- name: INSECURE_COOKIE
value: "true"
- name: PROVIDERS_GOOGLE_CLIENT_ID
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: traefik-forward-auth-google-client-id
- name: PROVIDERS_GOOGLE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: traefik-forward-auth-google-client-secret
- name: SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: traefik-forward-auth-secret
---
#
# Auth Service
#
apiVersion: v1
kind: Service
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
type: ClusterIP
selector:
app: traefik-forward-auth
ports:
- name: auth-http
port: 4181
targetPort: 4181
---
#
# Secrets
#
# Kubernetes requires secret values to be converted to base64 when defined
# explicitly like this. (use `echo -n 'secret-value' | base64`)
#
# These are here for completeness, in reality you may define these elsewhere,
# for example using kustomize (shown in advanced examples)
#
apiVersion: v1
kind: Secret
metadata:
name: traefik-forward-auth-secrets
labels:
app: traefik-forward-auth
type: Opaque
data:
traefik-forward-auth-google-client-id: base64-client-id
traefik-forward-auth-google-client-secret: base64-client-secret
traefik-forward-auth-secret: base64-something-random

44
examples/traefik-v1.7/swarm/docker-compose-auth-host.yml
View File

@ -1,44 +0,0 @@
version: '3'
services:
traefik:
image: traefik
command: -c /traefik.toml --logLevel=DEBUG
ports:
- "8085:80"
- "8086:8080"
networks:
- traefik
volumes:
- ./traefik.toml:/traefik.toml
- /var/run/docker.sock:/var/run/docker.sock
whoami1:
image: containous/whoami
networks:
- traefik
labels:
- "traefik.backend=whoami"
- "traefik.enable=true"
- "traefik.frontend.rule=Host:whoami.yourdomain.com"
traefik-forward-auth:
image: thomseddon/traefik-forward-auth:2
environment:
- PROVIDERS_GOOGLE_CLIENT_ID=your-client-id
- PROVIDERS_GOOGLE_CLIENT_SECRET=your-client-secret
- SECRET=something-random
- INSECURE_COOKIE=true
- DOMAIN=yourcompany.com
- AUTH_HOST=auth.yourdomain.com
networks:
- traefik
# When using an auth host, the below must be added
labels:
- traefik.enable=true
- traefik.port=4181
- traefik.backend=traefik-forward-auth
- traefik.frontend.rule=Host:auth.yourdomain.com
networks:
traefik:

40
examples/traefik-v1.7/swarm/docker-compose-oidc.yml
View File

@ -1,40 +0,0 @@
version: '3'
services:
traefik:
image: traefik:1.7
command: -c /traefik.toml
ports:
- "8085:80"
- "8086:8080"
networks:
- traefik
volumes:
- ./traefik.toml:/traefik.toml
- /var/run/docker.sock:/var/run/docker.sock
whoami1:
image: containous/whoami
networks:
- traefik
labels:
- "traefik.backend=whoami"
- "traefik.enable=true"
- "traefik.frontend.rule=Host:whoami.localhost.com"
traefik-forward-auth:
build: thomseddon/traefik-forward-auth:2
environment:
- DEFAULT_PROVIDER=oidc
- PROVIDERS_OIDC_ISSUER_URL=https://login.microsoftonline.com/{tenant}
- PROVIDERS_OIDC_CLIENT_ID=your-client-id
- PROVIDERS_OIDC_CLIENT_SECRET=your-client-secret
- SECRET=something-random
- INSECURE_COOKIE=true
- DOMAIN=yourcompany.com
- LOG_LEVEL=debug
networks:
- traefik
networks:
traefik:

39
examples/traefik-v1.7/swarm/docker-compose.yml
View File

@ -1,39 +0,0 @@
version: '3'
services:
traefik:
image: traefik:1.7
command: -c /traefik.toml --logLevel=DEBUG
ports:
- "8085:80"
- "8086:8080"
networks:
- traefik
volumes:
- ./traefik.toml:/traefik.toml
- /var/run/docker.sock:/var/run/docker.sock
whoami1:
image: containous/whoami
networks:
- traefik
labels:
- "traefik.backend=whoami"
- "traefik.enable=true"
- "traefik.frontend.rule=Host:whoami.localhost.com"
traefik-forward-auth:
build: thomseddon/traefik-forward-auth:2
command: ./traefik-forward-auth --rule.1.action=allow --rule.1.rule="Path(`/public`)"
environment:
- PROVIDERS_GOOGLE_CLIENT_ID=your-client-id
- PROVIDERS_GOOGLE_CLIENT_SECRET=your-client-secret
- SECRET=something-random
- INSECURE_COOKIE=true
- DOMAIN=yourcompany.com
- LOG_LEVEL=debug
networks:
- traefik
networks:
traefik:

138
examples/traefik-v1.7/swarm/traefik.toml
View File

@ -1,138 +0,0 @@
################################################################
# Global configuration
################################################################
# Enable debug mode
#
# Optional
# Default: false
#
# debug = true
# Log level
#
# Optional
# Default: "ERROR"
#
# logLevel = "DEBUG"
# Entrypoints to be used by frontends that do not specify any entrypoint.
# Each frontend can specify its own entrypoints.
#
# Optional
# Default: ["http"]
#
# defaultEntryPoints = ["http", "https"]
################################################################
# Entrypoints configuration
################################################################
# Entrypoints definition
#
# Optional
# Default:
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.auth.forward]
address = "http://traefik-forward-auth:4181"
authResponseHeaders = ["X-Forwarded-User"]
################################################################
# Traefik logs configuration
################################################################
# Traefik logs
# Enabled by default and log to stdout
#
# Optional
#
# [traefikLog]
# Sets the filepath for the traefik log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
# filePath = "log/traefik.log"
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format = "common"
################################################################
# Access logs configuration
################################################################
# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
# [accessLog]
# Sets the file path for the access log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
# filePath = "/path/to/log/log.txt"
# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format = "common"
################################################################
# API and dashboard configuration
################################################################
# Enable API and dashboard
[api]
# Name of the related entry point
#
# Optional
# Default: "traefik"
#
# entryPoint = "traefik"
# Enabled Dashboard
#
# Optional
# Default: true
#
# dashboard = false
################################################################
# Ping configuration
################################################################
# Enable ping
[ping]
# Name of the related entry point
#
# Optional
# Default: "traefik"
#
# entryPoint = "traefik"
################################################################
# Docker configuration backend
################################################################
# Enable Docker configuration backend
[docker]
exposedByDefault = false
network = "traefik"

39
examples/traefik-v2/kubernetes/advanced-separate-pod/README.md
View File

@ -1,39 +0,0 @@
# Kubernetes - Advanced Separate Pod Example
This is an advanced example of how to deploy traefik-forward-auth in it's own pod. This example is a good starting point for those who already have traefik deployed (e.g. using helm).
This example uses [Selective Authentication](https://github.com/thomseddon/traefik-forward-auth/blob/master/README.md#selective-ingress-authentication-in-kubernetes) to selectively apply forward authentication to each selective ingresses, for example:
```
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami
labels:
app: whoami
spec:
entryPoints:
- https
routes:
- match: Host(`whoami.example.com`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: traefik-forward-auth
tls:
certresolver: default
```
This example also includes SSL via traefik acme/lesencrypt, auth host mode, and leverages kustomise. A simple example "whoami" application (deployment, service and ingress) is included for completeness.
Example deployment:
```
# Deploy traefik-forward-auth
kubectl apply -k traefik-forward-auth
# Deploy example whoami app
kubectl apply -k whoami
```

3
examples/traefik-v2/kubernetes/advanced-separate-pod/kustomization.yaml
View File

@ -1,3 +0,0 @@
bases:
- traefik-forward-auth
- whoami

8
examples/traefik-v2/kubernetes/advanced-separate-pod/traefik-forward-auth/configs/traefik-forward-auth.ini
View File

@ -1,8 +0,0 @@
rule.example_public.action=allow
rule.example_public.rule=Host("stats.example.com") && PathPrefix("/api/public")
rule.example_api.action=allow
rule.example_api.rule=Host("api.example.com") && Headers("X-API-Authorization", "a-long-api-key")
rule.example_api_query.action=allow
rule.example_api_query.rule=Host("api.example.com") && && Query("api_key=a-long-api-key")

71
examples/traefik-v2/kubernetes/advanced-separate-pod/traefik-forward-auth/deployment.yaml
View File

@ -1,71 +0,0 @@
#
# Traefik Forward Auth Deployment
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
replicas: 1
selector:
matchLabels:
app: traefik-forward-auth
strategy:
type: Recreate
template:
metadata:
labels:
app: traefik-forward-auth
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
containers:
- image: thomseddon/traefik-forward-auth:2
name: traefik-forward-auth
ports:
- containerPort: 4181
protocol: TCP
env:
- name: CONFIG
value: "/config"
- name: DOMAIN
value: "example.com"
# INSECURE_COOKIE is required if not using a https entrypoint
# - name: INSECURE_COOKIE
# value: "true"
# Remove COOKIE_DOMAIN if not using auth host mode
- name: COOKIE_DOMAIN
value: "example.com"
- name: AUTH_HOST
value: "auth.example.com"
- name: LOG_LEVEL
value: "info"
- name: PROVIDERS_GOOGLE_CLIENT_ID
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-id
- name: PROVIDERS_GOOGLE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-secret
- name: SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: secret
volumeMounts:
- name: configs
mountPath: /config
subPath: traefik-forward-auth.ini
volumes:
- name: configs
configMap:
name: configs
- name: traefik-forward-auth-secrets
secret:
secretName: traefik-forward-auth-secrets

20
examples/traefik-v2/kubernetes/advanced-separate-pod/traefik-forward-auth/ingress.yaml
View File

@ -1,20 +0,0 @@
#
# Auth Ingress
#
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-forward-auth
labels:
app: traefik
spec:
entryPoints:
- https
routes:
- match: Host(`auth.example.com`)
kind: Rule
services:
- name: traefik-forward-auth
port: 4181
tls:
certresolver: default

26
examples/traefik-v2/kubernetes/advanced-separate-pod/traefik-forward-auth/kustomization.yaml
View File

@ -1,26 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
commonLabels:
app: traefik-forward-auth
resources:
- deployment.yaml
- service.yaml
- ingress.yaml
- middleware.yaml
#
# Configs
#
configMapGenerator:
- name: configs
files:
- configs/traefik-forward-auth.ini
#
# Secrets
#
secretGenerator:
- name: traefik-forward-auth-secrets
env: secrets/traefik-forward-auth.env

9
examples/traefik-v2/kubernetes/advanced-separate-pod/traefik-forward-auth/middleware.yaml
View File

@ -1,9 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: traefik-forward-auth
spec:
forwardAuth:
address: http://traefik-forward-auth:4181
authResponseHeaders:
- X-Forwarded-User

3
examples/traefik-v2/kubernetes/advanced-separate-pod/traefik-forward-auth/secrets/traefik-forward-auth.env
View File

@ -1,3 +0,0 @@
google-client-id=client-id
google-client-secret=client-secret
secret=something-random

17
examples/traefik-v2/kubernetes/advanced-separate-pod/traefik-forward-auth/service.yaml
View File

@ -1,17 +0,0 @@
#
# Auth Service
#
apiVersion: v1
kind: Service
metadata:
name: traefik-forward-auth
labels:
app: traefik
spec:
type: ClusterIP
selector:
app: traefik
ports:
- name: auth-http
port: 4181
targetPort: 4181

19
examples/traefik-v2/kubernetes/advanced-separate-pod/whoami/deployment.yaml
View File

@ -1,19 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
labels:
app: whoami
spec:
replicas: 1
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- image: containous/whoami
name: whoami

19
examples/traefik-v2/kubernetes/advanced-separate-pod/whoami/ingress.yaml
View File

@ -1,19 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami
labels:
app: whoami
spec:
entryPoints:
- https
routes:
- match: Host(`whoami.example.com`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: traefik-forward-auth
tls:
certresolver: default

7
examples/traefik-v2/kubernetes/advanced-separate-pod/whoami/kustomization.yaml
View File

@ -1,7 +0,0 @@
commonLabels:
app: whoami
resources:
- deployment.yaml
- service.yaml
- ingress.yaml

14
examples/traefik-v2/kubernetes/advanced-separate-pod/whoami/service.yaml
View File

@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: whoami
labels:
app: whoami
spec:
type: ClusterIP
ports:
- name: http
port: 80
selector:
app: whoami

18
examples/traefik-v2/kubernetes/advanced-single-pod/README.md
View File

@ -1,18 +0,0 @@
# Kubernetes - Advanced Single Pod Example
This is an advanced example of how to deploy traefik and traefik-forward-auth in a single pod. This example is a good starting point for those who already have a manually defined traefik config (e.g. not using helm).
This example uses [Global Authentication](https://github.com/thomseddon/traefik-forward-auth/blob/master/README.md#global-authentication) to apply authentication for the entire `https` entrypoint.
This example also includes SSL via traefik acme/lesencrypt, auth host mode, exposes the traefik dashboard and leverages kustomise. No special config if required for your applications, but a simple example "whoami" application (deployment, service and ingress) is included for completeness.
Example deployment:
```
# Deploy traefik+traefik-forward-auth
kubectl apply -k traefik
# Deploy whoami app
kubectl apply -k whoami
```

3
examples/traefik-v2/kubernetes/advanced-single-pod/kustomization.yaml
View File

@ -1,3 +0,0 @@
bases:
- traefik
- whoami

8
examples/traefik-v2/kubernetes/advanced-single-pod/traefik/configs/traefik-forward-auth.ini
View File

@ -1,8 +0,0 @@
rule.example_public.action=allow
rule.example_public.rule=Host("stats.example.com") && PathPrefix("/api/public")
rule.example_api.action=allow
rule.example_api.rule=Host("api.example.com") && Headers("X-API-Authorization", "a-long-api-key")
rule.example_api_query.action=allow
rule.example_api_query.rule=Host("api.example.com") && && Query("api_key=a-long-api-key")

103
examples/traefik-v2/kubernetes/advanced-single-pod/traefik/crds.yaml
View File

@ -1,103 +0,0 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutes.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRoute
plural: ingressroutes
singular: ingressroute
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: middlewares.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: Middleware
plural: middlewares
singular: middleware
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressroutetcps.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRouteTCP
plural: ingressroutetcps
singular: ingressroutetcp
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: ingressrouteudps.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: IngressRouteUDP
plural: ingressrouteudps
singular: ingressrouteudp
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsoptions.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSOption
plural: tlsoptions
singular: tlsoption
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: tlsstores.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TLSStore
plural: tlsstores
singular: tlsstore
scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: traefikservices.traefik.containo.us
spec:
group: traefik.containo.us
version: v1alpha1
names:
kind: TraefikService
plural: traefikservices
singular: traefikservice
scope: Namespaced

110
examples/traefik-v2/kubernetes/advanced-single-pod/traefik/deployment.yaml
View File

@ -1,110 +0,0 @@
#
# Traefik + Traefik Forward Auth Deployment
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
strategy:
type: Recreate
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
terminationGracePeriodSeconds: 60
containers:
- image: traefik:2.2
name: traefik
args:
- --api.dashboard
- --accesslog
- --entryPoints.http.address=:80
- --entryPoints.http.http.redirections.entryPoint.to=https
- --entryPoints.http.http.redirections.entryPoint.scheme=https
- --entryPoints.https.address=:443
# We're using "global authentication", so the middleware is defined here on the entrypoint
# When a kubernetescrd middleware is applied globally it should take the form <kubernetes-namespace>-<middleware>
- --entrypoints.https.http.middlewares=default-traefik-forward-auth
- --providers.kubernetescrd
- --log.level=info
- --log.format=json
- --certificatesresolvers.default.acme.email=foo@you.com
- --certificatesresolvers.default.acme.storage=/acme/acme.json
- --certificatesresolvers.default.acme.storage=/acme/acme.json
- --certificatesresolvers.default.acme.httpchallenge.entrypoint=http
# Please note that this is the staging Let's Encrypt server.
# Once you get things working, you should remove that whole line altogether.
- --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
ports:
- name: http
containerPort: 80
protocol: TCP
- name: https
containerPort: 443
protocol: TCP
- name: dash
containerPort: 8080
protocol: TCP
volumeMounts:
- mountPath: /acme
name: acme
- image: thomseddon/traefik-forward-auth:2
name: traefik-forward-auth
ports:
- containerPort: 4181
protocol: TCP
env:
- name: CONFIG
value: "/config"
- name: DOMAIN
value: "example.com"
# INSECURE_COOKIE is required if not using a https entrypoint
# - name: INSECURE_COOKIE
# value: "true"
# Remove COOKIE_DOMAIN if not using auth host mode
- name: COOKIE_DOMAIN
value: "example.com"
- name: AUTH_HOST
value: "auth.example.com"
- name: LOG_LEVEL
value: "info"
- name: PROVIDERS_GOOGLE_CLIENT_ID
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-id
- name: PROVIDERS_GOOGLE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: google-client-secret
- name: SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: secret
volumeMounts:
- name: configs
mountPath: /config
subPath: traefik-forward-auth.ini
volumes:
- name: configs
configMap:
name: configs
- name: traefik-forward-auth-secrets
secret:
secretName: traefik-forward-auth-secrets
- name: acme
persistentVolumeClaim:
claimName: traefik-acme

42
examples/traefik-v2/kubernetes/advanced-single-pod/traefik/ingress.yaml
View File

@ -1,42 +0,0 @@
#
# Auth Ingress
#
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-forward-auth
labels:
app: traefik
spec:
entryPoints:
- https
routes:
- match: Host(`auth.example.com`)
kind: Rule
services:
- name: traefik-forward-auth
port: 4181
tls:
certresolver: default
---
#
# Dash Ingress
#
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
labels:
app: traefik
spec:
entryPoints:
- https
routes:
- match: Host(`traefik.example.com`)
kind: Rule
services:
- name: api@internal
kind: TraefikService
tls:
certresolver: default

29
examples/traefik-v2/kubernetes/advanced-single-pod/traefik/kustomization.yaml
View File

@ -1,29 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
commonLabels:
app: traefik
resources:
- crds.yaml
- deployment.yaml
- service.yaml
- ingress.yaml
- middleware.yaml
- pvc.yaml
- rbac.yaml
#
# Configs
#
configMapGenerator:
- name: configs
files:
- configs/traefik-forward-auth.ini
#
# Secrets
#
secretGenerator:
- name: traefik-forward-auth-secrets
env: secrets/traefik-forward-auth.env

9
examples/traefik-v2/kubernetes/advanced-single-pod/traefik/middleware.yaml
View File

@ -1,9 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: traefik-forward-auth
spec:
forwardAuth:
address: http://127.0.0.1:4181
authResponseHeaders:
- X-Forwarded-User

17
examples/traefik-v2/kubernetes/advanced-single-pod/traefik/pvc.yaml
View File

@ -1,17 +0,0 @@
# Source: traefik/templates/acme-pvc.yaml
#
# PVC
#
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: traefik-acme
labels:
app: traefik
spec:
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: "1Gi"
storageClassName: "local-traefik-acme"

66
examples/traefik-v2/kubernetes/advanced-single-pod/traefik/rbac.yaml
View File

@ -1,66 +0,0 @@
#
# RBAC
#
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: default
name: traefik-ingress-controller
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.containo.us
resources:
- middlewares
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default

3
examples/traefik-v2/kubernetes/advanced-single-pod/traefik/secrets/traefik-forward-auth.env
View File

@ -1,3 +0,0 @@
google-client-id=client-id
google-client-secret=client-secret
secret=something-random

39
examples/traefik-v2/kubernetes/advanced-single-pod/traefik/service.yaml
View File

@ -1,39 +0,0 @@
#
# Traefik Service
#
apiVersion: v1
kind: Service
metadata:
name: traefik
labels:
app: traefik
spec:
# Use NodePort if required
type: LoadBalancer
selector:
app: traefik
ports:
- name: http
port: 80
targetPort: 80
- name: https
port: 443
targetPort: 443
---
#
# Auth Service
#
apiVersion: v1
kind: Service
metadata:
name: traefik-forward-auth
labels:
app: traefik
spec:
type: ClusterIP
selector:
app: traefik
ports:
- name: auth-http
port: 4181
targetPort: 4181

19
examples/traefik-v2/kubernetes/advanced-single-pod/whoami/deployment.yaml
View File

@ -1,19 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
labels:
app: whoami
spec:
replicas: 1
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- image: containous/whoami
name: whoami

17
examples/traefik-v2/kubernetes/advanced-single-pod/whoami/ingress.yaml
View File

@ -1,17 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami
labels:
app: whoami
spec:
entryPoints:
- https
routes:
- match: Host(`whoami.example.com`)
kind: Rule
services:
- name: whoami
port: 80
tls:
certresolver: default

7
examples/traefik-v2/kubernetes/advanced-single-pod/whoami/kustomization.yaml
View File

@ -1,7 +0,0 @@
commonLabels:
app: whoami
resources:
- deployment.yaml
- service.yaml
- ingress.yaml

14
examples/traefik-v2/kubernetes/advanced-single-pod/whoami/service.yaml
View File

@ -1,14 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: whoami
labels:
app: whoami
spec:
type: ClusterIP
ports:
- name: http
port: 80
selector:
app: whoami

39
examples/traefik-v2/kubernetes/simple-separate-pod/README.md
View File

@ -1,39 +0,0 @@
# Kubernetes - Simple Separate Pod Example
This is a simple example of how to deploy traefik-forward-auth in it's own pod with minimal configuration. This example is a good starting point for those who already have traefik deployed (e.g. using helm).
This example uses [Selective Authentication](https://github.com/thomseddon/traefik-forward-auth/blob/master/README.md#selective-ingress-authentication-in-kubernetes) to apply forward authentication to selected ingresses. This means ingresses will not be protected by default. Authentication can be applied by adding the `traefik-forward-auth` middleware, for example:
```
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami
labels:
app: whoami
spec:
entryPoints:
- http
routes:
- match: Host(`whoami.example.com`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: traefik-forward-auth
```
A minimal application example is provided in `k8s-app.yml`.
Example deployment:
```
# Deploy traefik-forward-auth
kubectl apply -f k8s-traefik-forward-auth.yml
# Deploy example whoami app
kubectl apply -f k8s-app.yml
```
Please see the advanced examples for more details.

104
examples/traefik-v2/kubernetes/simple-separate-pod/k8s-traefik-forward-auth.yml
View File

@ -1,104 +0,0 @@
#
# Traefik Forward Auth Deployment
#
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
replicas: 1
selector:
matchLabels:
app: traefik-forward-auth
strategy:
type: Recreate
template:
metadata:
labels:
app: traefik-forward-auth
spec:
terminationGracePeriodSeconds: 60
containers:
- image: thomseddon/traefik-forward-auth:2
name: traefik-forward-auth
ports:
- containerPort: 4181
protocol: TCP
env:
- name: DOMAIN
value: "example.com"
# INSECURE_COOKIE is required unless using https entrypoint
- name: INSECURE_COOKIE
value: "true"
- name: PROVIDERS_GOOGLE_CLIENT_ID
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: traefik-forward-auth-google-client-id
- name: PROVIDERS_GOOGLE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: traefik-forward-auth-google-client-secret
- name: SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth-secrets
key: traefik-forward-auth-secret
---
#
# Auth Service
#
apiVersion: v1
kind: Service
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
type: ClusterIP
selector:
app: traefik-forward-auth
ports:
- name: auth-http
port: 4181
targetPort: 4181
---
#
# Auth Middleware
#
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: traefik-forward-auth
spec:
forwardAuth:
address: http://traefik-forward-auth:4181
authResponseHeaders:
- X-Forwarded-User
---
#
# Secrets
#
# Kubernetes requires secret values to be converted to base64 when defined
# explicitly like this. (use `echo -n 'secret-value' | base64`)
#
# These are here for completeness, in reality you may define these elsewhere,
# for example using kustomize (shown in advanced examples)
#
apiVersion: v1
kind: Secret
metadata:
name: traefik-forward-auth-secrets
labels:
app: traefik-forward-auth
type: Opaque
data:
traefik-forward-auth-google-client-id: base64-client-id
traefik-forward-auth-google-client-secret: base64-client-secret
traefik-forward-auth-secret: base64-something-random

37
examples/traefik-v2/swarm/docker-compose-auth-host.yml
View File

@ -1,37 +0,0 @@
version: '3'
services:
traefik:
image: traefik:v2.2
command:
- --providers.docker
# This example uses "global authentication"
- --entryPoints.http.address=:80
- --entrypoints.http.http.middlewares=traefik-forward-auth
ports:
- "8085:80"
- "8086:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
whoami:
image: containous/whoami
labels:
- "traefik.http.routers.whoami.rule=Host(`whoami.localhost.com`)"
traefik-forward-auth:
image: thomseddon/traefik-forward-auth:2
environment:
- PROVIDERS_GOOGLE_CLIENT_ID=your-client-id
- PROVIDERS_GOOGLE_CLIENT_SECRET=your-client-secret
- SECRET=something-random
# INSECURE_COOKIE is required if not using a https entrypoint
- INSECURE_COOKIE=true
- COOKIE_DOMAIN=localhost.com
- AUTH_HOST=auth.localhost.com:8085
- LOG_LEVEL=debug
labels:
- "traefik.http.routers.traefik-forward-auth.rule=Host(`auth.localhost.com`)"
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
- "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"

34
examples/traefik-v2/swarm/docker-compose-oidc.yml
View File

@ -1,34 +0,0 @@
version: '3'
services:
traefik:
image: traefik:v2.2
command: --providers.docker
ports:
- "8085:80"
- "8086:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
whoami:
image: containous/whoami
labels:
- "traefik.http.routers.whoami.rule=Host(`whoami.localhost.com`)"
- "traefik.http.routers.whoami.middlewares=traefik-forward-auth"
traefik-forward-auth:
image: thomseddon/traefik-forward-auth:2
environment:
- DEFAULT_PROVIDER=oidc
- PROVIDERS_OIDC_ISSUER_URL=https://login.microsoftonline.com/{tenant}
- PROVIDERS_OIDC_CLIENT_ID=your-client-id
- PROVIDERS_OIDC_CLIENT_SECRET=your-client-secret
- SECRET=something-random
# INSECURE_COOKIE is required if not using a https entrypoint
- INSECURE_COOKIE=true
- LOG_LEVEL=debug
labels:
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
- "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"

32
examples/traefik-v2/swarm/docker-compose.yml
View File

@ -1,32 +0,0 @@
version: '3'
services:
traefik:
image: traefik:v2.2
command: --providers.docker
ports:
- "8085:80"
- "8086:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
whoami:
image: containous/whoami
labels:
- "traefik.http.routers.whoami.rule=Host(`whoami.localhost.com`)"
# This example uses "Selective Authentication"
- "traefik.http.routers.whoami.middlewares=traefik-forward-auth"
traefik-forward-auth:
image: thomseddon/traefik-forward-auth:2
environment:
- PROVIDERS_GOOGLE_CLIENT_ID=your-client-id
- PROVIDERS_GOOGLE_CLIENT_SECRET=your-client-secret
- SECRET=something-random
# INSECURE_COOKIE is required if not using a https entrypoint
- INSECURE_COOKIE=true
- LOG_LEVEL=debug
labels:
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
- "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
- "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"