Example of K8s conf #33

Closed
joanfabregat opened this issue Mar 12, 2019 · 6 comments
Labels: documentation, kubernetes (Related to Kubernetes)
Milestone: 2.1
Comments

joanfabregat commented Mar 12, 2019

Hi,

If you're interested, here is an example Kubernetes configuration for traefik-forward-auth using AUTH_HOST:

##
# Secrets to store Google's client secret and the app's secret
##
kind: Secret
apiVersion: v1
metadata:
  name: traefik-forward-auth-secrets
  namespace: kube-system
  labels:
    name: traefik
type: Opaque
data:
  CLIENT_SECRET: --> GOOGLE_CLIENT_SECRET_BASE64_ENCODED 
  SECRET: --> A_RANDOM_SECRET_BASE64_ENCODED 
---

##
# Main deployment
## 
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: traefik-forward-auth
  name: traefik-forward-auth
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  template:
    metadata:
      labels:
        app: traefik-forward-auth
    spec:
      containers:
        - name: traefik-forward-auth
          image: thomseddon/traefik-forward-auth
          ports:
            - containerPort: 4181
              protocol: TCP
          env:
            - name: CLIENT_ID
              value: XXXXXX.apps.googleusercontent.com
            - name: CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth-secrets
                  key: CLIENT_SECRET
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth-secrets
                  key: SECRET
            - name: COOKIE_SECURE
              value: 'true'
            - name: COOKIE_DOMAINS
              value: example.com,example.org
            - name: DOMAINS
              value: example.com,example.org
            - name: AUTH_HOST
              value: auth.example.com
          livenessProbe:
            tcpSocket:
              port: 4181
            initialDelaySeconds: 20
            failureThreshold: 3
            successThreshold: 1
            periodSeconds: 10
            timeoutSeconds: 2
---

##
# Related service
##
kind: Service
apiVersion: v1
metadata:
  name: traefik-forward-auth
  namespace: kube-system
spec:
  selector:
    app: traefik-forward-auth
  ports:
    - port: 80
      targetPort: 4181
      protocol: TCP
---

##
# Ingress for the auth host
##
kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: traefik-forward-auth-ingress
  namespace: kube-system
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/auth-type: forward
    ingress.kubernetes.io/auth-url: http://traefik-forward-auth
    ingress.kubernetes.io/auth-response-headers: X-Forwarded-User
spec:
  rules:
    - host: auth.example.com
      http:
        paths:
          - backend:
              serviceName: traefik-forward-auth
              servicePort: 80

And without the AUTH_HOST:

##
# Secrets to store Google's client secret and the app's secret
##
kind: Secret
apiVersion: v1
metadata:
  name: traefik-forward-auth-secrets
  namespace: kube-system
  labels:
    name: traefik
type: Opaque
data:
  CLIENT_SECRET: --> GOOGLE_CLIENT_SECRET_BASE64_ENCODED 
  SECRET: --> A_RANDOM_SECRET_BASE64_ENCODED 
---

##
# Main deployment
## 
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: traefik-forward-auth
  name: traefik-forward-auth
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  template:
    metadata:
      labels:
        app: traefik-forward-auth
    spec:
      containers:
        - name: traefik-forward-auth
          image: thomseddon/traefik-forward-auth
          ports:
            - containerPort: 4181
              protocol: TCP
          env:
            - name: CLIENT_ID
              value: XXXXXX.apps.googleusercontent.com
            - name: CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth-secrets
                  key: CLIENT_SECRET
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth-secrets
                  key: SECRET
            - name: COOKIE_SECURE
              value: 'true'
            - name: DOMAINS
              value: example.com,example.org
          livenessProbe:
            tcpSocket:
              port: 4181
            initialDelaySeconds: 20
            failureThreshold: 3
            successThreshold: 1
            periodSeconds: 10
            timeoutSeconds: 2
---

##
# Related service
##
kind: Service
apiVersion: v1
metadata:
  name: traefik-forward-auth
  namespace: kube-system
spec:
  selector:
    app: traefik-forward-auth
  ports:
    - port: 80
      targetPort: 4181
      protocol: TCP

And here is how to configure an authenticated ingress using annotations (equivalent to Compose / Swarm labels):

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: my-app
  namespace: my-app-namespace
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/auth-type: forward
    ingress.kubernetes.io/auth-url: http://traefik-forward-auth.kube-system.svc.cluster.local
    ingress.kubernetes.io/auth-response-headers: X-Forwarded-User
spec:
  rules:
    - host: my-app.com
      http:
        paths:
          - backend:
              serviceName: my-app
              servicePort: 80

Also, here is the command to encode the secrets in base64:

echo -n 'my-great-secret' | base64

Best
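As an added example (not joanfabregat's manifests and not the project's own code), here is the base64 step above done in Python, together with the two checks I would run before applying the Secret: that the `--> ..._BASE64_ENCODED` placeholders were actually replaced, and that the decoded value does not carry the trailing newline a plain `echo` (without `-n`) appends, which silently changes the secret. The Google client secret in the `__main__` block is a constructed dummy; the app SECRET is generated from the OS CSPRNG.

```python
"""Encode the values for the traefik-forward-auth Secret and check them.

Added example, not the project's code. It does what
`echo -n 'my-great-secret' | base64` does, generates the app SECRET (the
cookie-signing key) from the OS CSPRNG, and inspects a Secret's `data:`
mapping for the mistakes that are easy to make by hand: a placeholder left
in, a value that was never base64-encoded, or the trailing newline that
`echo` without `-n` appends.
"""
import base64
import binascii
import secrets


def encode_secret_value(raw: bytes) -> str:
    """Standard, padded base64, which is what kubectl expects under `data:`."""
    return base64.b64encode(raw).decode("ascii")


def new_app_secret(nbytes: int = 32) -> bytes:
    """A fresh random SECRET; 32 bytes from secrets.token_bytes."""
    return secrets.token_bytes(nbytes)


def check_secret_data(data: dict) -> list:
    """One finding per defective key of a Secret's `data:` mapping; [] means clean."""
    findings = []
    for key, value in data.items():
        # The manifest in this thread uses '--> ..._BASE64_ENCODED' placeholders.
        if not isinstance(value, str) or value.startswith("-->") or "BASE64_ENCODED" in value:
            findings.append(f"{key}: placeholder not replaced")
            continue
        try:
            # validate=True rejects anything outside the base64 alphabet,
            # including a raw, never-encoded secret or an embedded newline.
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"{key}: not valid base64 (was the value encoded at all?)")
            continue
        if not decoded:
            findings.append(f"{key}: decodes to an empty value")
        elif decoded != decoded.strip():
            findings.append(f"{key}: decoded value has leading/trailing whitespace "
                            "(encode with `echo -n` or `printf`)")
    return findings


def secret_manifest(client_secret: bytes, app_secret: bytes,
                    namespace: str = "kube-system") -> str:
    """Render the Secret from this thread with both values encoded and checked."""
    data = {
        "CLIENT_SECRET": encode_secret_value(client_secret),
        "SECRET": encode_secret_value(app_secret),
    }
    problems = check_secret_data(data)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "kind: Secret",
        "apiVersion: v1",
        "metadata:",
        "  name: traefik-forward-auth-secrets",
        f"  namespace: {namespace}",
        "type: Opaque",
        "data:",
    ]
    lines += [f"  {key}: {value}" for key, value in data.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input: a dummy Google client secret plus a freshly generated SECRET.
    print(secret_manifest(b"my-great-secret", new_app_secret()))
```

Pipe the output into `kubectl apply -f -` once the real client secret is in place; `check_secret_data` is also handy on a Secret you pull back with `kubectl get secret -o json`, since the `data` mapping there has exactly the shape it expects.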

@thomseddon thomseddon added the kubernetes Related to Kubernetes label Mar 18, 2019
@thomseddon thomseddon added this to the 2.1 milestone Apr 24, 2019
thomseddon (Owner):

I will add this into the example shortly, thanks

0xknon commented Feb 12, 2020

Sorry that I am a newbie. How can I access the traefik-dashboard with this example? Do I need to add another service to serve this?

thomseddon (Owner) commented Feb 13, 2020

I don't think so; to expose the dashboard, you need to make sure you are exposing the port from the traefik container:

        ports:
        - name: http
          containerPort: 80
          hostPort: 80
          protocol: TCP
        - name: https
          containerPort: 443
          hostPort: 443
          protocol: TCP
        - name: dash
          containerPort: 8080
          protocol: TCP

And then by creating a service and ingress:

---
#
# Dash Service
#
apiVersion: v1
kind: Service
metadata:
  name: traefik-dashboard
  labels:
    app: traefik
spec:
  type: ClusterIP
  selector:
    app: traefik
  ports:
  - name: dashboard-http
    port: 8080
    targetPort: 8080
---
#
# Dash Ingress
#
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-dashboard
  labels:
    app: traefik
spec:
  rules:
  - host: traefik.ourdomain.com
    http:
      paths:
      - backend:
          serviceName: traefik-dashboard
          servicePort: dashboard-http
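One thing worth checking on both Ingress manifests in this thread (the my-app Ingress in the first post and the dashboard Ingress just above): Traefik v1 applies forward auth per Ingress, only when the `ingress.kubernetes.io/auth-*` annotations are present, so the dashboard Ingress as written would be served without authentication. The checker below is an added example, not project code; it takes parsed Ingress objects (what a YAML loader returns), the sample Ingresses are constructed from the manifests in this thread, and `KNOWN_AUTH_URLS` lists the two auth-url forms used here.

```python
"""Flag Traefik (v1) Ingresses that are not behind traefik-forward-auth.

Added example, not project code. Traefik v1 only forwards an Ingress's
requests to the auth service when the `ingress.kubernetes.io/auth-*`
annotations from this thread are present, so an Ingress without them is
served unauthenticated. Sample Ingresses are constructed from this thread.
"""

# Both forms of the forward-auth Service URL used in this thread.
KNOWN_AUTH_URLS = {
    "http://traefik-forward-auth",
    "http://traefik-forward-auth.kube-system.svc.cluster.local",
}


def ingress_auth_findings(ingress: dict, known_auth_urls=KNOWN_AUTH_URLS) -> list:
    """[] when the Ingress is protected by forward auth, one finding per problem otherwise."""
    meta = ingress.get("metadata", {})
    ann = meta.get("annotations") or {}
    name = meta.get("name", "<unnamed>")
    rules = ingress.get("spec", {}).get("rules", [])
    hosts = ", ".join(r.get("host", "*") for r in rules) or "*"
    if ann.get("kubernetes.io/ingress.class", "traefik") != "traefik":
        return []  # another controller's Ingress; Traefik's annotations do not apply
    if ann.get("ingress.kubernetes.io/auth-type") != "forward":
        return [f"{name} ({hosts}): no forward-auth annotation, served unauthenticated"]
    findings = []
    url = ann.get("ingress.kubernetes.io/auth-url", "")
    if url not in known_auth_urls:
        findings.append(f"{name} ({hosts}): auth-url {url!r} is not the traefik-forward-auth service")
    headers = ann.get("ingress.kubernetes.io/auth-response-headers", "")
    if "X-Forwarded-User" not in [h.strip() for h in headers.split(",")]:
        findings.append(f"{name} ({hosts}): X-Forwarded-User is not passed to the backend, "
                        "so the application cannot tell who was authenticated")
    return findings


def audit(ingresses: list) -> list:
    """Findings across every Ingress in a namespace dump (e.g. kubectl get ingress -o json)."""
    return [f for ing in ingresses for f in ingress_auth_findings(ing)]


def _ingress(name: str, host: str, annotations: dict) -> dict:
    """Constructed Ingress in the shape of the manifests in this thread."""
    return {"apiVersion": "extensions/v1beta1", "kind": "Ingress",
            "metadata": {"name": name, "annotations": annotations},
            "spec": {"rules": [{"host": host, "http": {"paths": [
                {"backend": {"serviceName": name, "servicePort": 80}}]}}]}}


AUTH_ANNOTATIONS = {
    "kubernetes.io/ingress.class": "traefik",
    "ingress.kubernetes.io/auth-type": "forward",
    "ingress.kubernetes.io/auth-url": "http://traefik-forward-auth.kube-system.svc.cluster.local",
    "ingress.kubernetes.io/auth-response-headers": "X-Forwarded-User",
}
MY_APP = _ingress("my-app", "my-app.com", AUTH_ANNOTATIONS)           # first post
DASHBOARD = _ingress("traefik-dashboard", "traefik.ourdomain.com", {})  # comment above

if __name__ == "__main__":
    for finding in audit([MY_APP, DASHBOARD]):
        print(finding)
```

Run it over `kubectl get ingress --all-namespaces -o json | jq .items` and anything it prints is a host Traefik serves without asking the forward-auth service first.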

cstack89 commented Feb 17, 2020

I'm working on making an example helm chart to simplify the deployment a little. It's my first one however, and I'm having a little trouble. Can anyone point out what I'm doing wrong? Here are my computed service, deployment and secret:

---
# Source: traefik-forward-auth/templates/secret.yml
kind: Secret
apiVersion: v1
metadata:
  name: traefik-forward-auth-secrets
  namespace: default
  labels:
    name: traefik
type: Opaque
data:
  CLIENT_SECRET: b64sec1
  SECRET: b64sec2
---
# Source: traefik-forward-auth/templates/service.yml
kind: Service
apiVersion: v1
metadata:
  name: traefik-forward-auth
  namespace: default
  labels:
  annotations:
    {}
    
spec:
  selector:
    app: traefik-forward-auth
  ports:
    - port: 80
      targetPort: 4181
      protocol: TCP
---
# Source: traefik-forward-auth/templates/deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: traefik-forward-auth
  annotations:
        {}
    
  name: traefik-forward-auth
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-forward-auth
  template:
    metadata:
      labels:
        app: traefik-forward-auth
    spec:
      containers:
        - name: traefik-forward-auth
          image: thomseddon/traefik-forward-auth
          ports:
            - containerPort: 4181
              protocol: TCP
          env:
            - DEFAULT_PROVIDER=oidc
            - PROVIDERS_OIDC_ISSUER_URL=https://oidc.my-domain.com/auth/realms/master
            - name: PROVIDERS_OIDC_CLIENT_ID 
              value: traefik-forward-auth
            - name: PROVIDERS_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth-secrets
                  key: CLIENT_SECRET
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: traefik-forward-auth-secrets
                  key: SECRET
            - name: INSECURE_COOKIE
              value: true
            - name: COOKIE_DOMAIN
              value: my-domain.com
            - name: DOMAIN
              value: my-domain.com
            - name: AUTH_HOST
              value: auth.my-domain.com
          livenessProbe:
            tcpSocket:
              port: 4181
            initialDelaySeconds: 20
            failureThreshold: 3
            successThreshold: 1
            periodSeconds: 10
            timeoutSeconds: 2

and here is the error I'm getting:

Error: release traefik-forward-auth failed: Deployment in version "v1" cannot be handled as a Deployment: v1.Deployment.Spec: v1.DeploymentSpec.Template: v1.PodTemplateSpec.Spec: v1.PodSpec.Containers: []v1.Container: v1.Container.Env: []v1.EnvVar: readObjectStart: expect { or n, but found ", error found in #10 byte of ...|[{"env":["DEFAULT_PR|..., bigger context ...|ik-forward-auth"}},"spec":{"containers":[{"env":["DEFAULT_PROVIDER=oidc","PROVIDERS_OIDC_ISSUER_URL=|...

cstack89:

Sorry I was able to figure out I had bad formatting for DEFAULT_PROVIDER, PROVIDERS_OIDC_ISSUER_URL, and the value for INSECURE_COOKIE.
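The API server error above is worth reading once with the rendered YAML in hand: `env` items must be `{name, value}` or `{name, valueFrom}` mappings, so `- DEFAULT_PROVIDER=oidc` (a bare string) fails to decode, and `value: true` without quotes becomes a JSON boolean where a string is required. As an added example (not the project's code and not from anyone in this thread), the linter below catches those three defects on a parsed container spec and then runs the checks I would want on the manifests from the first post as well: secrets inlined as `value:` instead of `secretKeyRef`, a cookie issued without the Secure flag, and an `AUTH_HOST` that the cookie domain does not cover. `BROKEN_CONTAINER` is constructed from the Helm output above; `FIXED_CONTAINER` is my corrected version of it.

```python
"""Lint the traefik-forward-auth container spec before `helm install` / `kubectl apply`.

Added example, not part of the project. It works on the Python objects a YAML
loader returns (pass it
yaml.safe_load(manifest)["spec"]["template"]["spec"]["containers"][0] if you
use PyYAML), so it needs no third-party library. lint_env() reports what the
API server rejects; security_findings() reports settings worth a second look.
"""


def _well_formed(entry) -> bool:
    return isinstance(entry, dict) and isinstance(entry.get("name"), str)


def lint_env(container: dict) -> list:
    """Structural errors: every env item must be a {name, value | valueFrom} mapping
    and a literal `value` must be a string (an unquoted YAML `true` is a boolean)."""
    errors = []
    for i, item in enumerate(container.get("env", [])):
        if not isinstance(item, dict):
            errors.append(f"env[{i}]: expected a mapping with 'name' and 'value', got {item!r}")
            continue
        name = item.get("name")
        if not isinstance(name, str) or not name:
            errors.append(f"env[{i}]: missing 'name'")
            continue
        has_value, has_from = "value" in item, "valueFrom" in item
        if has_value == has_from:
            errors.append(f"env[{i}] {name}: exactly one of 'value' or 'valueFrom' is required")
        elif has_value and not isinstance(item["value"], str):
            errors.append(f"env[{i}] {name}: 'value' must be a quoted string, "
                          f"not {type(item['value']).__name__} (write value: 'true')")
    return errors


def env_values(container: dict) -> dict:
    """Literal string values by name; malformed and secretKeyRef entries are skipped."""
    return {e["name"]: e["value"] for e in container.get("env", [])
            if _well_formed(e) and isinstance(e.get("value"), str)}


def host_under(host: str, domains: list) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def security_findings(container: dict) -> list:
    """Plaintext secrets, cookies without the Secure flag, and an AUTH_HOST outside the
    cookie domain (the cookie set on the auth host would never reach the applications)."""
    findings = []
    for e in container.get("env", []):
        if _well_formed(e) and e["name"].endswith("SECRET") and "value" in e:
            findings.append(f"{e['name']} is inlined in the manifest; use valueFrom.secretKeyRef")
    env = env_values(container)
    if env.get("INSECURE_COOKIE") == "true" or env.get("COOKIE_SECURE") == "false":
        findings.append("session cookie is issued without the Secure flag")
    auth_host = env.get("AUTH_HOST")
    if auth_host:
        # The first post uses COOKIE_DOMAINS, the Helm output uses COOKIE_DOMAIN; accept both.
        cookie_domains = [d.strip() for key in ("COOKIE_DOMAINS", "COOKIE_DOMAIN")
                          for d in env.get(key, "").split(",") if d.strip()]
        if not host_under(auth_host, cookie_domains):
            findings.append(f"AUTH_HOST {auth_host} is not under any cookie domain {cookie_domains}")
    return findings


def _from_secret(name: str, key: str) -> dict:
    return {"name": name,
            "valueFrom": {"secretKeyRef": {"name": "traefik-forward-auth-secrets", "key": key}}}


# Constructed from the Helm-rendered Deployment above: two env entries written as
# NAME=value strings and an unquoted boolean for INSECURE_COOKIE.
BROKEN_CONTAINER = {
    "name": "traefik-forward-auth", "image": "thomseddon/traefik-forward-auth",
    "env": [
        "DEFAULT_PROVIDER=oidc",
        "PROVIDERS_OIDC_ISSUER_URL=https://oidc.my-domain.com/auth/realms/master",
        {"name": "PROVIDERS_OIDC_CLIENT_ID", "value": "traefik-forward-auth"},
        _from_secret("PROVIDERS_OIDC_CLIENT_SECRET", "CLIENT_SECRET"),
        _from_secret("SECRET", "SECRET"),
        {"name": "INSECURE_COOKIE", "value": True},
        {"name": "COOKIE_DOMAIN", "value": "my-domain.com"},
        {"name": "DOMAIN", "value": "my-domain.com"},
        {"name": "AUTH_HOST", "value": "auth.my-domain.com"},
    ],
}

# The same container with the three structural defects corrected.
FIXED_CONTAINER = dict(BROKEN_CONTAINER, env=[
    {"name": "DEFAULT_PROVIDER", "value": "oidc"},
    {"name": "PROVIDERS_OIDC_ISSUER_URL", "value": "https://oidc.my-domain.com/auth/realms/master"},
    {"name": "INSECURE_COOKIE", "value": "true"},
] + [e for e in BROKEN_CONTAINER["env"][2:] if e.get("name") != "INSECURE_COOKIE"])

if __name__ == "__main__":
    for line in lint_env(BROKEN_CONTAINER) + security_findings(FIXED_CONTAINER):
        print(line)
```

Note that the corrected container still produces one security finding: `INSECURE_COOKIE: 'true'` is valid YAML, but it means the session cookie travels without the Secure flag, which is only acceptable while TLS is not yet in front of Traefik.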

@cstack89 cstack89 mentioned this issue Feb 20, 2020
0xknon commented Feb 26, 2020

When I log in with my organization account, I get this error:
time="2020-02-26T08:18:46Z" level=warning msg="Missing csrf cookie" source_ip=192.168.62.180

Not sure what this is.

I am using stable/traefik to install my traefik, with the following values.yaml:

---
ssl:
  enabled: true
  enforced: true
  insecureSkipVerify: true
dashboard:
  enabled: true
  domain: traefik.stg.example.com
  ingress:
    annotations:
      kubernetes.io/ingress.class: traefik
      ingress.kubernetes.io/auth-type: forward
      ingress.kubernetes.io/auth-url: http://traefik-forward-auth.kube-system.svc.cluster.local
      ingress.kubernetes.io/auth-response-headers: X-Forwarded-User
rbac:
  enabled: true
deployment:
  hostPort:
    httpsEnabled: true
