feat: Authentik, forward auth proxy

2023-02-09 23:03:36 +00:00
parent acd49ed5d8
commit 5fab069837
25 changed files with 107 additions and 163 deletions
@@ -12,10 +12,19 @@ spec:
    - match: Host(`traefik-dash.lino.cooking`)
      kind: Rule
      middlewares:
-        - name: traefik-dashboard-basicauth
+        - name: traefik-dash-middleware-forwardauth
          namespace: traefik
      services:
        - name: api@internal
          kind: TraefikService
+    - match: "Host(`traefik-dash.lino.cooking`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      kind: Rule
+      priority: 15
+      services:
+        - kind: Service
+          # Or, to use an external Outpost, create an ExternalName service and reference that here.
+          # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
+          name: authentik
+          port: 9000
 #  tls:
 #    secretName: lino-cooking-staging-tls
@@ -1,8 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: traefik-dashboard-basicauth
-  namespace: traefik
-spec:
-  basicAuth:
-    secret: traefik-dashboard-auth
@@ -0,0 +1,20 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-dash-middleware-forwardauth
+spec:
+  forwardAuth:
+    address: https://traefik-dash.lino.cooking/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
@@ -30,6 +30,7 @@ providers:
    enabled: true
    ingressClass: traefik-external
    allowExternalNameServices: true
+    allowCrossNamespace: true
  kubernetesIngress:
    enabled: true
    publishedService: