documentation

examples-thomseddon/traefik-v2/kubernetes/simple-separate-pod/README.md

@@ -0,0 +1,39 @@
+
+# Kubernetes - Simple Separate Pod Example
+
+This is a simple example of how to deploy traefik-forward-auth in it's own pod with minimal configuration. This example is a good starting point for those who already have traefik deployed (e.g. using helm).
+
+This example uses [Selective Authentication](https://github.com/thomseddon/traefik-forward-auth/blob/master/README.md#selective-ingress-authentication-in-kubernetes) to apply forward authentication to selected ingresses. This means ingresses will not be protected by default. Authentication can be applied by adding the `traefik-forward-auth` middleware, for example:
+
+```
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+spec:
+  entryPoints:
+    - http
+  routes:
+  - match: Host(`whoami.example.com`)
+    kind: Rule
+    services:
+      - name: whoami
+        port: 80
+    middlewares:
+      - name: traefik-forward-auth
+```
+
+A minimal application example is provided in `k8s-app.yml`.
+
+Example deployment:
+```
+# Deploy traefik-forward-auth
+kubectl apply -f k8s-traefik-forward-auth.yml
+
+# Deploy example whoami app
+kubectl apply -f k8s-app.yml
+```
+
+Please see the advanced examples for more details.

examples-thomseddon/traefik-v2/kubernetes/simple-separate-pod/k8s-app.yml

@@ -0,0 +1,60 @@
+#
+# Example Application Deployment
+#
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: whoami
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+      - name: whoami
+        image: containous/whoami
+---
+#
+# Service
+#
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+spec:
+  ports:
+  - name: http
+    port: 80
+  selector:
+    app: whoami
+
+---
+#
+# IngressRoute
+#
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+spec:
+  entryPoints:
+    - http
+  routes:
+  - match: Host(`whoami.example.com`)
+    kind: Rule
+    services:
+      - name: whoami
+        port: 80
+    middlewares:
+      - name: traefik-forward-auth

examples-thomseddon/traefik-v2/kubernetes/simple-separate-pod/k8s-traefik-forward-auth.yml

@@ -0,0 +1,104 @@
+#
+# Traefik Forward Auth Deployment
+#
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik-forward-auth
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: traefik-forward-auth
+    spec:
+      terminationGracePeriodSeconds: 60
+      containers:
+      - image: thomseddon/traefik-forward-auth:2
+        name: traefik-forward-auth
+        ports:
+        - containerPort: 4181
+          protocol: TCP
+        env:
+        - name: DOMAIN
+          value: "example.com"
+        # INSECURE_COOKIE is required unless using https entrypoint
+        - name: INSECURE_COOKIE
+          value: "true"
+        - name: PROVIDERS_GOOGLE_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: traefik-forward-auth-secrets
+              key: traefik-forward-auth-google-client-id
+        - name: PROVIDERS_GOOGLE_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: traefik-forward-auth-secrets
+              key: traefik-forward-auth-google-client-secret
+        - name: SECRET
+          valueFrom:
+            secretKeyRef:
+              name: traefik-forward-auth-secrets
+              key: traefik-forward-auth-secret
+
+---
+#
+# Auth Service
+#
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  type: ClusterIP
+  selector:
+    app: traefik-forward-auth
+  ports:
+  - name: auth-http
+    port: 4181
+    targetPort: 4181
+
+---
+#
+# Auth Middleware
+#
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-forward-auth
+spec:
+  forwardAuth:
+    address: http://traefik-forward-auth:4181
+    authResponseHeaders:
+      - X-Forwarded-User
+
+---
+#
+# Secrets
+#
+# Kubernetes requires secret values to be converted to base64 when defined
+# explicitly like this. (use `echo -n 'secret-value' | base64`)
+#
+# These are here for completeness, in reality you may define these elsewhere,
+# for example using kustomize (shown in advanced examples)
+#
+apiVersion: v1
+kind: Secret
+metadata:
+  name: traefik-forward-auth-secrets
+  labels:
+    app: traefik-forward-auth
+type: Opaque
+data:
+  traefik-forward-auth-google-client-id: base64-client-id
+  traefik-forward-auth-google-client-secret: base64-client-secret
+  traefik-forward-auth-secret: base64-something-random