Traefik Forward Authentication in k8s ingress controller

Question

Hello I tried looking at the auth options in the annotations for kubernetes traefik ingress. I couldn't find anything where I could configure Forward Authentication as documented here: https://docs.traefik.io/configuration/entrypoints/#forward-authentication

I would like to be able to configure forward authentication per ingress resource. This is possible in the nginx ingress controller.

Is that supported currently?

Answer 1

With traefik 2.10.1, if you need forward authentication. you can define a traefik middleware like this:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  labels:
    k8slens-edit-resource-version: v1alpha1
  name: jwt-token-auth
  namespace: reddwarf-pro
spec:
  forwardAuth:
    address: >-
      http://your-auth-service/auth/access_token/verify
    trustForwardHeader: true

then apply the middleware in the route like this:

spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`tex.foobar.top`) && PathPrefix(`/tex`)
      middlewares:
        - name: jwt-token-auth
      priority: 2
      services:
        - name: backend-service
          port: 8000

Answer 2

According to the Traefik documentation that feature will be available in version 1.7 of Traefik (currently a release candidate).

Here is a link to the authentication documentation

My guess is that you will need to add the following 2 annotations:

ingress.kubernetes.io/auth-type: forward
ingress.kubernetes.io/auth-url: https://example.com

and probably also the following annotation with the corresponding header fields your auth service returns as value:

ingress.kubernetes.io/auth-response-headers: X-Auth-User, X-Secret