feat(auth): Adding traefik-forward-auth

2025-10-29 17:12:34 +00:00 · 2022-10-11 21:53:45 +02:00
parent c450934d77
commit 954ff94821
18 changed files with 302 additions and 73 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -30,4 +30,5 @@ override.tf.json

 .terraform.lock.hcl
 .idea
-certs/
+certs/
+**/secrets/*
--- a/RESOURCES.md
+++ b/RESOURCES.md
@@ -4,3 +4,5 @@ https://kubernetes.io/docs/concepts/services-networking/service/
 https://doc.traefik.io/traefik/v2.8/user-guides/crd-acme/

 https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/guides/getting-started
+
+https://www.smarthomebeginner.com/traefik-forward-auth-google-oauth-2022/
--- a/apps/arr/00-arr.yaml
+++ b/apps/arr/00-arr.yaml
@@ -59,7 +59,7 @@ spec:
  selector:
    app: qbittorrent
 ---
-## Deployment for Sonarr
+## Deployment for QbitTorrent
 kind: Deployment
 apiVersion: apps/v1
 metadata:
@@ -369,8 +369,8 @@ spec:
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
 metadata:
-  name: ingressroute-arr
  namespace: arr
+  name: ingressroute-arr
 spec:
  entryPoints:
    - websecure
--- a/apps/traefik-forward-auth/kustomization.yaml
+++ b/apps/traefik-forward-auth/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: whoami
+
+resources:
+  - namespace.yaml
+  - traefik-forward-auth
+  - whoami
--- a/apps/traefik-forward-auth/namespace.yaml
+++ b/apps/traefik-forward-auth/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: whoami
--- a/apps/traefik-forward-auth/traefik-forward-auth/configs/traefik-forward-auth.ini
+++ b/apps/traefik-forward-auth/traefik-forward-auth/configs/traefik-forward-auth.ini
@@ -0,0 +1,8 @@
+rule.example_public.action=allow
+rule.example_public.rule=Host("stats.stonegarden.dev") && PathPrefix("/api/public")
+
+rule.example_api.action=allow
+rule.example_api.rule=Host("api.stonegarden.dev") && Headers("X-API-Authorization", "a-long-api-key")
+
+rule.example_api_query.action=allow
+rule.example_api_query.rule=Host("api.stonegarden.dev") && && Query("api_key=a-long-api-key")
--- a/apps/traefik-forward-auth/traefik-forward-auth/deployment.yaml
+++ b/apps/traefik-forward-auth/traefik-forward-auth/deployment.yaml
@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: traefik-forward-auth
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: traefik-forward-auth
+    spec:
+      #serviceAccountName: traefik-ingress-controller
+      terminationGracePeriodSeconds: 60
+      containers:
+        - image: thomseddon/traefik-forward-auth:2
+          name: traefik-forward-auth
+          ports:
+            - containerPort: 4181
+              protocol: TCP
+          env:
+            - name: CONFIG
+              value: "/config"
+            #- name: DOMAIN
+            #  value: "gmail.com"
+            # INSECURE_COOKIE is required if not using a https entrypoint
+            #- name: INSECURE_COOKIE
+            #  value: "true"
+            # Remove COOKIE_DOMAIN if not using auth host mode
+            - name: COOKIE_DOMAIN
+              value: "stonegarden.dev"
+            - name: AUTH_HOST
+              value: "auth.stonegarden.dev"
+            - name: LOG_LEVEL
+              value: "trace"
+            - name: WHITELIST
+              value: veghag@gmail.com
+            - name: PROVIDERS_GOOGLE_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth-secrets
+                  key: google-client-id
+            - name: PROVIDERS_GOOGLE_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth-secrets
+                  key: google-client-secret
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: traefik-forward-auth-secrets
+                  key: secret
+          volumeMounts:
+            - name: configs
+              mountPath: /config
+              subPath: traefik-forward-auth.ini
+
+      volumes:
+        - name: configs
+          configMap:
+            name: configs
+        - name: traefik-forward-auth-secrets
+          secret:
+            secretName: traefik-forward-auth-secrets
--- a/apps/traefik-forward-auth/traefik-forward-auth/ingress.yaml
+++ b/apps/traefik-forward-auth/traefik-forward-auth/ingress.yaml
@@ -0,0 +1,22 @@
+#
+# Auth Ingress
+#
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`auth.stonegarden.dev`)
+      kind: Rule
+      services:
+        - name: traefik-forward-auth
+          port: 4181
+      middlewares:
+        - name: traefik-forward-auth
+  tls:
+    certResolver: letsencrypt
--- a/apps/traefik-forward-auth/traefik-forward-auth/kustomization.yaml
+++ b/apps/traefik-forward-auth/traefik-forward-auth/kustomization.yaml
@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  app: traefik-forward-auth
+
+resources:
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+  - middleware.yaml
+
+#
+# Configs
+#
+configMapGenerator:
+  - name: configs
+    files:
+      - configs/traefik-forward-auth.ini
+
+#
+# Secrets
+#
+secretGenerator:
+  - name: traefik-forward-auth-secrets
+    envs:
+    - secrets/traefik-forward-auth.env
--- a/apps/traefik-forward-auth/traefik-forward-auth/middleware.yaml
+++ b/apps/traefik-forward-auth/traefik-forward-auth/middleware.yaml
@@ -0,0 +1,10 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-forward-auth
+spec:
+  forwardAuth:
+    address: http://traefik-forward-auth.whoami.svc.cluster.local:4181
+    authResponseHeaders:
+      - X-Forwarded-User
+    trustForwardHeader: true
--- a/apps/traefik-forward-auth/traefik-forward-auth/service.yaml
+++ b/apps/traefik-forward-auth/traefik-forward-auth/service.yaml
@@ -0,0 +1,16 @@
+#
+# Auth Service
+#
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-forward-auth
+  labels:
+    app: traefik-forward-auth
+spec:
+  type: ClusterIP
+  selector:
+    app: traefik-forward-auth
+  ports:
+    - name: auth-http
+      port: 4181
--- a/apps/traefik-forward-auth/whoami/deployment.yaml
+++ b/apps/traefik-forward-auth/whoami/deployment.yaml
@@ -0,0 +1,19 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: whoami
+  template:
+    metadata:
+      labels:
+        app: whoami
+    spec:
+      containers:
+        - image: containous/whoami
+          name: whoami
--- a/apps/traefik-forward-auth/whoami/ingress.yaml
+++ b/apps/traefik-forward-auth/whoami/ingress.yaml
@@ -0,0 +1,19 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`whoami.stonegarden.dev`)
+      kind: Rule
+      services:
+        - name: whoami
+          port: 80
+      middlewares:
+        - name: traefik-forward-auth
+  tls:
+    certResolver: letsencrypt
--- a/apps/traefik-forward-auth/whoami/kustomization.yaml
+++ b/apps/traefik-forward-auth/whoami/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  app: whoami
+
+resources:
+  - service.yaml
+  - deployment.yaml
+  - ingress.yaml
--- a/apps/traefik-forward-auth/whoami/service.yaml
+++ b/apps/traefik-forward-auth/whoami/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+  labels:
+    app: whoami
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 80
+  selector:
+    app: whoami
--- a/apps/whoami/00-whoami.yml
+++ b/apps/whoami/00-whoami.yml
@@ -3,8 +3,6 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: whoami
-  label:
-    name: whoami

 ---
 # Service for exposing deployment of whoami
@@ -14,13 +12,13 @@ metadata:
  namespace: whoami
  name: whoami
 spec:
-  type: LoadBalancer
+  type: ClusterIP
+  selector:
+    app: whoami
  ports:
    - protocol: TCP
      name: web
      port: 80
-  selector:
-    app: whoami

 ---
 # Deployment of whoami
--- a/helm/traefik-values.yaml
+++ b/helm/traefik-values.yaml
@@ -9,6 +9,10 @@ deployment:
        - name: data
          mountPath: /data

+providers:
+  kubernetesCRD:
+    allowCrossNamespace: true
+
 additionalArguments:
  - "--log.level=DEBUG"
  - "--api.insecure"
--- a/main.tf
+++ b/main.tf
@@ -91,71 +91,71 @@ resource "helm_release" "traefik" {
 }

 # --- whoami
-resource "kubernetes_namespace" "whoami" {
-  metadata {
-    name = "whoami"
-  }
-}
-
-resource "kubernetes_service" "whoami" {
-  metadata {
-    name = "whoami"
-    namespace = kubernetes_namespace.whoami.metadata.0.name
-  }
-  spec {
-    selector = {
-      app = kubernetes_deployment.whoami.spec.0.template.0.metadata.0.labels.app
-    }
-
-    type = "LoadBalancer"
-    port {
-      protocol = "TCP"
-      name = "web"
-      port = 80
-    }
-  }
-}
-
-resource "kubernetes_deployment" "whoami" {
-  metadata {
-    name = "whoami"
-    namespace = kubernetes_namespace.whoami.metadata.0.name
-  }
-  spec {
-    replicas = "2"
-    selector {
-      match_labels = {
-        app = "whoami"
-      }
-    }
-    template {
-      metadata {
-        labels = {
-          app = "whoami"
-        }
-      }
-      spec {
-        container {
-          name = "whoami"
-          image = "traefik/whoami"
-          port {
-            name = "web"
-            container_port = 80
-          }
-        }
-      }
-    }
-  }
-}
-
-resource "helm_release" "whoami" {
-  name       = "whoami"
-  repository = "https://charts.itscontained.io"
-  chart      = "raw"
-  version    = "0.2.5"
-
-  values = [file("helm/whoami-values.yaml")]
-}
+#resource "kubernetes_namespace" "whoami" {
+#  metadata {
+#    name = "whoami"
+#  }
+#}
+#
+#resource "kubernetes_service" "whoami" {
+#  metadata {
+#    name = "whoami"
+#    namespace = kubernetes_namespace.whoami.metadata.0.name
+#  }
+#  spec {
+#    selector = {
+#      app = kubernetes_deployment.whoami.spec.0.template.0.metadata.0.labels.app
+#    }
+#
+#    type = "LoadBalancer"
+#    port {
+#      protocol = "TCP"
+#      name = "web"
+#      port = 80
+#    }
+#  }
+#}
+#
+#resource "kubernetes_deployment" "whoami" {
+#  metadata {
+#    name = "whoami"
+#    namespace = kubernetes_namespace.whoami.metadata.0.name
+#  }
+#  spec {
+#    replicas = "2"
+#    selector {
+#      match_labels = {
+#        app = "whoami"
+#      }
+#    }
+#    template {
+#      metadata {
+#        labels = {
+#          app = "whoami"
+#        }
+#      }
+#      spec {
+#        container {
+#          name = "whoami"
+#          image = "traefik/whoami"
+#          port {
+#            name = "web"
+#            container_port = 80
+#          }
+#        }
+#      }
+#    }
+#  }
+#}
+#
+#resource "helm_release" "whoami" {
+#  name       = "whoami"
+#  repository = "https://charts.itscontained.io"
+#  chart      = "raw"
+#  version    = "0.2.5"
+#
+#  values = [file("helm/whoami-values.yaml")]
+#}

 //resource "kubernetes_namespace" "test" {
 //  metadata {