diff --git a/README.md b/README.md index ce840af..bddfb2d 100644 --- a/README.md +++ b/README.md @@ -29,8 +29,8 @@ A minimal forward authentication service that provides OAuth/SSO login and authe - [User Restriction](#user-restriction) - [Applying Authentication](#applying-authentication) - [Global Authentication](#global-authentication) - - [Individual Ingress Authentication in Kubernetes](#individual-ingress-authentication-in-kubernetes) - - [Individual Container Authentication in Swarm](#individual-container-authentication-in-swarm) + - [Selective Ingress Authentication in Kubernetes](#selective-ingress-authentication-in-kubernetes) + - [Selective Container Authentication in Swarm](#selective-container-authentication-in-swarm) - [Rules Based Authentication](#rules-based-authentication) - [Operation Modes](#operation-modes) - [Overlay Mode](#overlay-mode) @@ -320,7 +320,7 @@ The authenticated user is set in the `X-Forwarded-User` header, to pass this on ### Applying Authentication -Authentication can be applied in a variety of ways, either globally across all requests, or to individual containers/ingresses. +Authentication can be applied in a variety of ways, either globally across all requests, or selectively to specific containers/ingresses. #### Global Authentication 
@@ -343,7 +343,7 @@ Or https: Note: Traefik prepends the namespace to the name of middleware defined via a kubernetes resource. This is handled automatically when referencing the middleware from another resource in the same namespace (so the namespace does not need to be prepended when referenced). However the full name, including the namespace, must be used when referenced from static configuration (e.g. command arguments or config file), hence you must prepend the namespace to your traefik-forward-auth middleware reference, as shown in the comments above (e.g. `default-traefik-forward-auth` if your middleware is named `traefik-forward-auth` and is defined in the `default` namespace). -#### Individual Ingress Authentication in Kubernetes +#### Selective Ingress Authentication in Kubernetes If you choose not to enable forward authentication for a specific entrypoint, you can apply the middleware to selected ingressroutes: @@ -369,7 +369,7 @@ spec: See the examples directory for more examples. -#### Individual Container Authentication in Swarm +#### Selective Container Authentication in Swarm You can apply labels to selected containers: diff --git a/examples/traefik-v1.7/kubernetes/advanced-separate-pod/README.md b/examples/traefik-v1.7/kubernetes/advanced-separate-pod/README.md index e4d884d..ebd0a77 100644 --- a/examples/traefik-v1.7/kubernetes/advanced-separate-pod/README.md +++ b/examples/traefik-v1.7/kubernetes/advanced-separate-pod/README.md 
@@ -3,7 +3,7 @@ This is an advanced example of how to deploy traefik-forward-auth in it's own pod. This example is a good starting point for those who already have traefik deployed (e.g. using helm). -This example uses [Individual Authentication](https://github.com/thomseddon/traefik-forward-auth/blob/master/README.md#individual-ingress-authentication-in-kubernetes) to selectively apply forward authentication to each individual ingress, a simple example "whoami" application (deployment, service and ingress) is included for completeness. +This example uses [Selective Authentication](https://github.com/thomseddon/traefik-forward-auth/blob/master/README.md#selective-ingress-authentication-in-kubernetes) to selectively apply forward authentication to each selective ingress, a simple example "whoami" application (deployment, service and ingress) is included for completeness. This example leverages kustomise to define Secrets and ConfigMaps, example deployment: diff --git a/examples/traefik-v1.7/kubernetes/advanced-separate-pod/traefik-forward-auth/ingress.yaml b/examples/traefik-v1.7/kubernetes/advanced-separate-pod/traefik-forward-auth/ingress.yaml index 328828c..a724c53 100644 --- a/examples/traefik-v1.7/kubernetes/advanced-separate-pod/traefik-forward-auth/ingress.yaml +++ b/examples/traefik-v1.7/kubernetes/advanced-separate-pod/traefik-forward-auth/ingress.yaml @@ -7,6 +7,11 @@ metadata: name: traefik-forward-auth labels: app: traefik-forward-auth + annotations: + kubernetes.io/ingress.class: traefik + ingress.kubernetes.io/auth-type: forward + ingress.kubernetes.io/auth-url: http://traefik-forward-auth:4181 + ingress.kubernetes.io/auth-response-headers: X-Forwarded-User spec: rules: - host: auth.example.com diff --git a/examples/traefik-v1.7/kubernetes/advanced-separate-pod/whoami/ingress.yaml b/examples/traefik-v1.7/kubernetes/advanced-separate-pod/whoami/ingress.yaml index f53ad49..2c954f3 100644 
--- a/examples/traefik-v1.7/kubernetes/advanced-separate-pod/whoami/ingress.yaml +++ b/examples/traefik-v1.7/kubernetes/advanced-separate-pod/whoami/ingress.yaml @@ -6,6 +6,9 @@ metadata: app: whoami annotations: kubernetes.io/ingress.class: traefik + ingress.kubernetes.io/auth-type: forward + ingress.kubernetes.io/auth-url: http://traefik-forward-auth:4181 + ingress.kubernetes.io/auth-response-headers: X-Forwarded-User spec: rules: - host: whoami.example.com diff --git a/examples/traefik-v2/kubernetes/advanced-separate-pod/README.md b/examples/traefik-v2/kubernetes/advanced-separate-pod/README.md index 5735c22..472988e 100644 --- a/examples/traefik-v2/kubernetes/advanced-separate-pod/README.md +++ b/examples/traefik-v2/kubernetes/advanced-separate-pod/README.md @@ -2,7 +2,7 @@ This is an advanced example of how to deploy traefik-forward-auth in it's own pod. This example is a good starting point for those who already have traefik deployed (e.g. using helm). -This example uses [Individual Authentication](https://github.com/thomseddon/traefik-forward-auth/blob/master/README.md#individual-ingress-authentication-in-kubernetes) to selectively apply forward authentication to each individual ingresses, for example: +This example uses [Selective Authentication](https://github.com/thomseddon/traefik-forward-auth/blob/master/README.md#selective-ingress-authentication-in-kubernetes) to selectively apply forward authentication to each selective ingresses, for example: ``` apiVersion: traefik.containo.us/v1alpha1 diff --git a/examples/traefik-v2/kubernetes/advanced-separate-pod/traefik-forward-auth/ingress.yaml b/examples/traefik-v2/kubernetes/advanced-separate-pod/traefik-forward-auth/ingress.yaml index 74ad0e9..6d416e0 100644 --- a/examples/traefik-v2/kubernetes/advanced-separate-pod/traefik-forward-auth/ingress.yaml +++ b/examples/traefik-v2/kubernetes/advanced-separate-pod/traefik-forward-auth/ingress.yaml 
@@ -16,5 +16,7 @@ spec: services: - name: traefik-forward-auth port: 4181 + middlewares: + - name: traefik-forward-auth tls: certresolver: default diff --git a/examples/traefik-v2/kubernetes/advanced-separate-pod/whoami/ingress.yaml b/examples/traefik-v2/kubernetes/advanced-separate-pod/whoami/ingress.yaml index 515626c..5061d37 100644 --- a/examples/traefik-v2/kubernetes/advanced-separate-pod/whoami/ingress.yaml +++ b/examples/traefik-v2/kubernetes/advanced-separate-pod/whoami/ingress.yaml @@ -16,4 +16,4 @@ spec: middlewares: - name: traefik-forward-auth tls: - certresolver: default \ No newline at end of file + certresolver: default diff --git a/examples/traefik-v2/kubernetes/advanced-single-pod/whoami/ingress.yaml b/examples/traefik-v2/kubernetes/advanced-single-pod/whoami/ingress.yaml index 3894dc0..df22d1f 100644 --- a/examples/traefik-v2/kubernetes/advanced-single-pod/whoami/ingress.yaml +++ b/examples/traefik-v2/kubernetes/advanced-single-pod/whoami/ingress.yaml @@ -14,4 +14,4 @@ spec: - name: whoami port: 80 tls: - certresolver: default \ No newline at end of file + certresolver: default diff --git a/examples/traefik-v2/kubernetes/simple-separate-pod/README.md b/examples/traefik-v2/kubernetes/simple-separate-pod/README.md index ed18121..bea285d 100644 --- a/examples/traefik-v2/kubernetes/simple-separate-pod/README.md +++ b/examples/traefik-v2/kubernetes/simple-separate-pod/README.md 
@@ -3,7 +3,7 @@ This is a simple example of how to deploy traefik-forward-auth in it's own pod with minimal configuration. This example is a good starting point for those who already have traefik deployed (e.g. using helm). -This example uses [Individual Authentication](https://github.com/thomseddon/traefik-forward-auth/blob/master/README.md#individual-ingress-authentication-in-kubernetes) to apply forward authentication to selected ingresses. This means ingresses will not be protected by default. Authentication can be applied by adding the `traefik-forward-auth` middleware, for example: +This example uses [Selective Authentication](https://github.com/thomseddon/traefik-forward-auth/blob/master/README.md#selective-ingress-authentication-in-kubernetes) to apply forward authentication to selected ingresses. This means ingresses will not be protected by default. Authentication can be applied by adding the `traefik-forward-auth` middleware, for example: ``` apiVersion: traefik.containo.us/v1alpha1 diff --git a/examples/traefik-v2/kubernetes/simple-separate-pod/k8s-app.yml b/examples/traefik-v2/kubernetes/simple-separate-pod/k8s-app.yml index b3e61ec..aa799e3 100644 --- a/examples/traefik-v2/kubernetes/simple-separate-pod/k8s-app.yml +++ b/examples/traefik-v2/kubernetes/simple-separate-pod/k8s-app.yml @@ -57,4 +57,4 @@ spec: - name: whoami port: 80 middlewares: - - name: traefik-forward-auth \ No newline at end of file + - name: traefik-forward-auth diff --git a/examples/traefik-v2/swarm/docker-compose.yml b/examples/traefik-v2/swarm/docker-compose.yml index 9878638..c07a2dd 100644 --- a/examples/traefik-v2/swarm/docker-compose.yml +++ b/examples/traefik-v2/swarm/docker-compose.yml 
@@ -14,7 +14,7 @@ services: image: containous/whoami labels: - "traefik.http.routers.whoami.rule=Host(`whoami.localhost.com`)" - # This example uses "Individual Authentication" + # This example uses "Selective Authentication" - "traefik.http.routers.whoami.middlewares=traefik-forward-auth" traefik-forward-auth:
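Review bot: Renaming the two README.md headings to `#### Selective Ingress Authentication in Kubernetes` and `#### Selective Container Authentication in Swarm` changes their generated anchors, so links from outside this repository to `#individual-ingress-authentication-in-kubernetes` or `#individual-container-authentication-in-swarm` will no longer land on the section. The table of contents and the example READMEs are updated in this patch, but external references are not reachable from here. Consider placing an explicit anchor with the old name above each renamed heading, or call out the rename in the release notes.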
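Review bot: The replacement text in examples/traefik-v1.7/kubernetes/advanced-separate-pod/README.md now reads "to selectively apply forward authentication to each selective ingress", and the traefik-v2 advanced-separate-pod README reads "to each selective ingresses"; "individual" was describing the ingress there, not naming the mode, so the substitution does not carry over. Suggest "to apply forward authentication to selected ingresses", which matches the wording already used in the simple-separate-pod README. While touching these lines, "in it's own pod" in the surrounding context should be "in its own pod".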
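Review bot: The `annotations:` block added to examples/traefik-v1.7/kubernetes/advanced-separate-pod/traefik-forward-auth/ingress.yaml and the `middlewares: - name: traefik-forward-auth` entry added to the traefik-v2 traefik-forward-auth/ingress.yaml are functional changes (the auth service's own ingress is now routed through forward auth) in a patch that is otherwise a rename from "Individual" to "Selective". Neither hunk carries a comment explaining why the auth host needs to pass through itself, and a reader can easily take it for a misconfiguration or a loop. Please either split these into their own commit with a message describing the behaviour change, or add a one-line YAML comment above each addition stating the reason.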
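Review bot: In examples/traefik-v1.7/kubernetes/advanced-separate-pod/whoami/ingress.yaml (and the matching traefik-forward-auth/ingress.yaml), `ingress.kubernetes.io/auth-url: http://traefik-forward-auth:4181` uses the short service name, which is resolved from the Traefik pod and therefore only works when Traefik runs in the same namespace as the traefik-forward-auth service. The README for this example targets users who already have Traefik deployed "e.g. using helm", where that is often not the case. Suggest a comment next to the annotation saying so, with the namespaced form `http://traefik-forward-auth.<namespace>.svc.cluster.local:4181` shown as the alternative. Since `auth-response-headers: X-Forwarded-User` hands the identity to the backend as a plain header, it is also worth noting in the example README that whoami should only be reachable through Traefik.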