Add kubernetes examples + better document methods of applying authentication

Closes #33

examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/configs/traefik-forward-auth.ini

@@ -0,0 +1,8 @@
+rule.example_public.action=allow
+rule.example_public.rule=Host("stats.example.com") && PathPrefix("/api/public")
+
+rule.example_api.action=allow
+rule.example_api.rule=Host("api.example.com") && Headers("X-API-Authorization", "a-long-api-key")
+
+rule.example_api_query.action=allow
+rule.example_api_query.rule=Host("api.example.com") && && Query("api_key=a-long-api-key")

examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/configs/traefik.toml

@@ -0,0 +1,169 @@
+################################################################
+# Global configuration
+################################################################
+
+# Enable debug mode
+#
+# Optional
+# Default: false
+#
+# debug = true
+
+# Log level
+#
+# Optional
+# Default: "ERROR"
+#
+logLevel = "INFO"
+
+# Entrypoints to be used by frontends that do not specify any entrypoint.
+# Each frontend can specify its own entrypoints.
+#
+# Optional
+# Default: ["http"]
+#
+defaultEntryPoints = ["http", "https"]
+
+# If set to true invalid SSL certificates are accepted for backends.
+# This disables detection of man-in-the-middle attacks so should only be used on secure backend networks.
+#
+# Optional
+# Default: false
+#
+insecureSkipVerify = true
+
+################################################################
+# Entrypoints configuration
+################################################################
+
+# Entrypoints definition
+#
+# Optional
+# Default:
+[entryPoints]
+    [entryPoints.http]
+    address = ":80"
+    compress = true
+
+      [entryPoints.http.redirect]
+      entryPoint = "https"
+
+    [entryPoints.https]
+    address = ":443"
+    compress = true
+
+      [entryPoints.https.tls]
+
+      [entryPoints.https.auth.forward]
+      address = "http://127.0.0.1:4181"
+      authResponseHeaders = ["X-Forwarded-User"]
+
+    [entryPoints.traefik]
+    address = ":8080"
+
+################################################################
+# Traefik logs configuration
+################################################################
+
+# Traefik logs
+# Enabled by default and log to stdout
+#
+# Optional
+#
+[traefikLog]
+  format = "json"
+
+# Sets the filepath for the traefik log. If not specified, stdout will be used.
+# Intermediate directories are created if necessary.
+#
+# Optional
+# Default: os.Stdout
+#
+# filePath = "log/traefik.log"
+
+# Format is either "json" or "common".
+#
+# Optional
+# Default: "common"
+#
+# format = "common"
+
+################################################################
+# Access logs configuration
+################################################################
+
+# Enable access logs
+# By default it will write to stdout and produce logs in the textual
+# Common Log Format (CLF), extended with additional fields.
+#
+# Optional
+#
+# [accessLog]
+
+# Sets the file path for the access log. If not specified, stdout will be used.
+# Intermediate directories are created if necessary.
+#
+# Optional
+# Default: os.Stdout
+#
+# filePath = "/path/to/log/log.txt"
+
+# Format is either "json" or "common".
+#
+# Optional
+# Default: "common"
+#
+# format = "common"
+
+################################################################
+# API and dashboard configuration
+################################################################
+
+# Enable API and dashboard
+[api]
+
+  # Name of the related entry point
+  #
+  # Optional
+  # Default: "traefik"
+  #
+  # entryPoint = "traefik"
+
+  # Enabled Dashboard
+  #
+  # Optional
+  # Default: true
+  #
+  # dashboard = false
+
+################################################################
+# Ping configuration
+################################################################
+
+# Enable ping
+[ping]
+
+  # Name of the related entry point
+  #
+  # Optional
+  # Default: "traefik"
+  #
+  # entryPoint = "traefik"
+
+################################################################
+# Docker configuration backend
+################################################################
+
+# Enable Kubernetes configuration backend
+[kubernetes]
+
+[acme]
+KeyType = "RSA4096"
+email = "you@example.com"
+storage = "/acme/acme.json"
+entryPoint = "https"
+onHostRule = true
+acmeLogging = true
+
+[acme.httpChallenge]
+  entryPoint = "http"

examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/deployment.yaml

@@ -0,0 +1,92 @@
+#
+# Traefik + Traefik Forward Auth Deployment
+#
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: traefik
+  labels:
+    app: traefik
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: traefik
+    spec:
+      serviceAccountName: traefik
+      terminationGracePeriodSeconds: 60
+      containers:
+      - image: traefik:1.7.12
+        name: traefik
+        args:
+        - --configfile=/config/traefik.toml
+        ports:
+        - name: http
+          containerPort: 80
+          hostPort: 80
+          protocol: TCP
+        - name: https
+          containerPort: 443
+          hostPort: 443
+          protocol: TCP
+        - name: dash
+          containerPort: 8080
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /config
+          name: configs
+        - mountPath: /acme
+          name: acme
+
+      - image: thomseddon/traefik-forward-auth:2
+        name: traefik-forward-auth
+        ports:
+        - containerPort: 4181
+          protocol: TCP
+        env:
+        - name: CONFIG
+          value: "/config"
+        - name: COOKIE_DOMAIN
+          value: "example.com"
+        - name: DOMAIN
+          value: "example.com"
+        - name: AUTH_HOST
+          value: "auth.example.com"
+        - name: LOG_LEVEL
+          value: "info"
+        - name: PROVIDERS_GOOGLE_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: secrets
+              key: google-client-id
+        - name: PROVIDERS_GOOGLE_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: secrets
+              key: google-client-secret
+        - name: COOKIE_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: secrets
+              key: cookie-secret
+        volumeMounts:
+        - name: configs
+          mountPath: /config
+          subPath: traefik-forward-auth.ini
+
+      volumes:
+      - name: configs
+        configMap:
+          name: configs
+      - name: secrets
+        secret:
+          secretName: secrets
+      - name: acme
+        persistentVolumeClaim:
+          claimName: traefik-acme

examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/ingress.yaml

@@ -0,0 +1,36 @@
+#
+# Auth Ingress
+#
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik
+spec:
+  rules:
+  - host: auth.example.com
+    http:
+      paths:
+      - backend:
+          serviceName: traefik-forward-auth
+          servicePort: auth-http
+
+---
+#
+# Dash Ingress
+#
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: traefik-dashboard
+  labels:
+    app: traefik
+spec:
+  rules:
+  - host: traefik.example.com
+    http:
+      paths:
+      - backend:
+          serviceName: traefik-dashboard
+          servicePort: dashboard-http

examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/kustomization.yaml

@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+commonLabels:
+  app: traefik
+
+resources:
+- deployment.yaml
+- service.yaml
+- ingress.yaml
+- pvc.yaml
+- rbac.yaml
+
+#
+# Configs
+#
+configMapGenerator:
+- name: configs
+  files:
+    - configs/traefik.toml
+    - config/traefik-forward-auth.ini
+
+#
+# Secrets
+#
+secretGenerator:
+- name: secrets
+  env: secrets/traefik-forward-auth.env

examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/pvc.yaml

@@ -0,0 +1,17 @@
+# Source: traefik/templates/acme-pvc.yaml
+#
+# PVC
+#
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: traefik-acme
+  labels:
+    app: traefik
+spec:
+  accessModes:
+    - "ReadWriteOnce"
+  resources:
+    requests:
+      storage: "1Gi"
+  storageClassName: "local-traefik-acme"

examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/rbac.yaml

@@ -0,0 +1,52 @@
+#
+# RBAC
+# Source: traefik/templates/rbac.yaml
+#
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: traefik
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - services
+      - endpoints
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: traefik
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: traefik
+subjects:
+- kind: ServiceAccount
+  name: traefik
+  namespace: kube-system

examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/secrets/traefik-forward-auth.env

@@ -0,0 +1,3 @@
+google-client-id=client-id
+google-client-secret=client-secret
+cookie-secret=something-random

examples/traefik-v1.7/kubernetes/advanced-single-pod/traefik/service.yaml

@@ -0,0 +1,36 @@
+#
+# Auth Service
+#
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik
+spec:
+  type: ClusterIP
+  selector:
+    app: traefik
+  ports:
+  - name: auth-http
+    port: 4181
+    targetPort: 4181
+
+---
+#
+# Dash Service
+#
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-dashboard
+  labels:
+    app: traefik
+spec:
+  type: ClusterIP
+  selector:
+    app: traefik
+  ports:
+  - name: dashboard-http
+    port: 8080
+    targetPort: 8080