feat(traefik): forward auth

NaturalSelectionLabs · Jan 1, 2024 · be36eba · be36eba
1 parent 99b386b
commit be36eba
Show file tree

Hide file tree

Showing 10 changed files with 122 additions and 0 deletions.
diff --git a/traefik/dev/kustomization.yaml b/traefik/dev/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - httpbin.yaml
+  - ../forward-auth
 
 helmCharts:
   - name: traefik

diff --git a/traefik/forward-auth/deploy.yaml b/traefik/forward-auth/deploy.yaml
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik-forward-auth
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: traefik-forward-auth
+    spec:
+      terminationGracePeriodSeconds: 60
+      containers:
+        - image: thomseddon/traefik-forward-auth:2
+          name: traefik-forward-auth
+          ports:
+            - containerPort: 4181
+              protocol: TCP
+          env:
+            - name: DEFAULT_PROVIDER
+              value: oidc
+            - name: DOMAIN
+              value: rss3.io
+            # INSECURE_COOKIE is required unless using https entrypoint
+            - name: INSECURE_COOKIE
+              value: "true"
+            - name: PROVIDERS_OIDC_ISSUER_URL
+              value: https://account.nsl.xyz/auth/realms/google
+            - name: PROVIDERS_GOOGLE_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth-secrets
+                  key: traefik-forward-auth-google-client-id
+            - name: PROVIDERS_GOOGLE_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth-secrets
+                  key: traefik-forward-auth-google-client-secret
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth-secrets
+                  key: traefik-forward-auth-secret
diff --git a/traefik/forward-auth/kustomization.yaml b/traefik/forward-auth/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - deploy.yaml
+  - secret.yaml
+  - svc.yaml
+  - middleware
diff --git a/traefik/forward-auth/middleware/default.yaml b/traefik/forward-auth/middleware/default.yaml
@@ -0,0 +1,10 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-forward-auth
+  namespace: default
+spec:
+  forwardAuth:
+    address: http://traefik-forward-auth:4181
+    authResponseHeaders:
+      - X-Forwarded-User
diff --git a/traefik/forward-auth/middleware/guardian.yaml b/traefik/forward-auth/middleware/guardian.yaml
@@ -0,0 +1,10 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-forward-auth
+  namespace: guardian
+spec:
+  forwardAuth:
+    address: http://traefik-forward-auth:4181
+    authResponseHeaders:
+      - X-Forwarded-User
diff --git a/traefik/forward-auth/middleware/kube-system.yaml b/traefik/forward-auth/middleware/kube-system.yaml
@@ -0,0 +1,10 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-forward-auth
+  namespace: kube-system
+spec:
+  forwardAuth:
+    address: http://traefik-forward-auth:4181
+    authResponseHeaders:
+      - X-Forwarded-User
diff --git a/traefik/forward-auth/middleware/kustomization.yaml b/traefik/forward-auth/middleware/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - default.yaml
+  - guardian.yaml
+  - kube-system.yaml
diff --git a/traefik/forward-auth/secret.yaml b/traefik/forward-auth/secret.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: traefik-forward-auth-secrets
+  labels:
+    app: traefik-forward-auth
+  annotations:
+    avp.kubernetes.io/path: "kv/data/guardian/traefik-forward-auth"
+type: Opaque
+stringData:
+  traefik-forward-auth-oidc-client-id: "<OIDC_CLIENT_ID>"
+  traefik-forward-auth-oidc-client-secret: "<OIDC_CLIENT_SECRET>"
+  traefik-forward-auth-secret: "<SECRET>"
diff --git a/traefik/forward-auth/svc.yaml b/traefik/forward-auth/svc.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  type: ClusterIP
+  selector:
+    app: traefik-forward-auth
+  ports:
+    - name: auth-http
+      port: 4181
+      targetPort: 4181
diff --git a/traefik/prod/kustomization.yaml b/traefik/prod/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - httpbin.yaml
+  - ../forward-auth
 
 helmCharts:
   - name: traefik