@jirikuncar
Last active March 26, 2019 14:26
Traefik with ForwardAuth middleware

Traefik 2.0 with ForwardAuth middleware

```console
$ kubectl apply -n YOUR_NAMESPACE -f deployment.yaml
$ kubectl -n YOUR_NAMESPACE port-forward traefik-ingress-REPLACE-ME 8080:8080 8888:80
```

```python
from flask import Flask, Response, current_app, request
from logging.config import dictConfig

# Send log records to the WSGI error stream at INFO level.
dictConfig({
    'version': 1,
    'formatters': {'default': {
        'format': '[%(asctime)s] %(levelname)s in %(module)s: %(message)s',
    }},
    'handlers': {'wsgi': {
        'class': 'logging.StreamHandler',
        'stream': 'ext://flask.logging.wsgi_errors_stream',
        'formatter': 'default'
    }},
    'root': {
        'level': 'INFO',
        'handlers': ['wsgi']
    }
})

app = Flask(__name__)


@app.route('/', methods=['GET'])
def index():
    """Include headers."""
    # Logs every header Traefik forwards, including any credentials in them.
    current_app.logger.info(request.headers)
    current_app.logger.info(request.data)
    # Demo only: always answers 200, so ForwardAuth lets every request through.
    return Response(
        status=200,
        headers={
            'Authorization': 'Bearer my-secret-token',
            'X-Auth-User': 'jirka',
            # Not listed in authResponseHeaders, so Traefik does not copy it.
            'No-Secret': 'no-secret',
        }
    )
```

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-configmap
  labels:
    k8s-app: traefik-ingress-lb
data:
  traefik.toml: |
    [api]
      dashboard = true

    [providers]
      [providers.file]
        watch = true

    [entrypoints]
      [entrypoints.http]
        address = ":80"

    [http.routers]
      [http.routers.whoami]
        entryPoints = ["http"]
        Middlewares = ["test-auth"]
        Rule = "Path(`/whoami`)"
        Service = "whoami"

    [http.middlewares]
      [http.middlewares.test-auth.forwardauth]
        # Auth endpoint (port 5000 is the traefik-auth container); replace the IP with your own.
        address = "http://10.42.64.43:5000/"
        # Trust X-Forwarded-* headers already present on the incoming request.
        trustForwardHeader = true
        # Headers copied from the auth response onto the request sent to whoami.
        authResponseHeaders = ["X-Auth-User", "X-Secret", "Authorization"]

    [http.services]
      [http.services.whoami.LoadBalancer]
        method = "drr"
        [[http.services.whoami.LoadBalancer.servers]]
          url = "http://whoami/"
          weight = 1
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress
  # Must match the namespace passed to kubectl apply with -n.
  namespace: jiri
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik:v2.0
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --global.debug
        - --configfile=/config/traefik.toml
        volumeMounts:
        - mountPath: /config
          name: config
      volumes:
      - name: config
        configMap:
          name: traefik-configmap
---
kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-auth
  # Must match the namespace passed to kubectl apply with -n.
  namespace: jiri
  labels:
    k8s-app: traefik-auth
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-auth
  template:
    metadata:
      labels:
        k8s-app: traefik-auth
        name: traefik-auth
    spec:
      terminationGracePeriodSeconds: 60
      containers:
      - image: jirikuncar/demo-auth
        name: traefik-auth
        ports:
        - name: http
          containerPort: 5000
---
```

```dockerfile
FROM python:3.7-alpine
RUN pip install flask
COPY app.py /code/app.py
WORKDIR /code
ENV FLASK_APP=app:app
CMD ["flask", "run", "-h", "0.0.0.0"]
```
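
The demo app.py answers 200 to every request, so the test-auth middleware lets everything through. As an added example (not part of the original gist), here is a stdlib-only WSGI endpoint for the same forwardauth address that checks the bearer token Traefik forwards and answers 401 otherwise. The token table and the names `authenticate` and `auth_app` are constructed for illustration.

```python
import hashlib
import hmac
from wsgiref.simple_server import make_server

# Constructed sample data: SHA-256 digest of each accepted bearer token -> user.
# A real deployment would load these from a secret store, not from source code.
TOKENS = {
    hashlib.sha256(b"example-token-for-jirka").hexdigest(): "jirka",
}


def authenticate(authorization):
    """Return the user name for a valid 'Bearer <token>' header, else None."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    digest = hashlib.sha256(token.strip().encode()).hexdigest()
    user = None
    for known, name in TOKENS.items():
        # compare_digest does not leak how many leading characters matched.
        if hmac.compare_digest(digest, known):
            user = name
    return user


def auth_app(environ, start_response):
    """WSGI endpoint to use as the forwardauth 'address'."""
    user = authenticate(environ.get("HTTP_AUTHORIZATION"))
    if user is None:
        # Any non-2xx answer is returned to the client instead of routing on.
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", "Bearer"),
            ("Content-Length", "0"),
        ])
        return [b""]
    # Only headers named in authResponseHeaders reach the backend request.
    start_response("200 OK", [("X-Auth-User", user), ("Content-Length", "0")])
    return [b""]


if __name__ == "__main__":
    # Same port as the traefik-auth container in deployment.yaml.
    make_server("0.0.0.0", 5000, auth_app).serve_forever()
```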