Use authelia to secure traefik
parent
6b207c6167
commit
e58e269248
|
@ -69,3 +69,9 @@ spec:
|
||||||
notifier:
|
notifier:
|
||||||
filesystem:
|
filesystem:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
|
access_control:
|
||||||
|
rules:
|
||||||
|
- domain: traefik.${domain}
|
||||||
|
policy: one_factor
|
||||||
|
subject: "group:lldap_admin"
|
||||||
|
|
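Review bot: The new rule for `traefik.${domain}` uses `policy: one_factor`, so a single password for any member of `lldap_admin` is all that protects the Traefik dashboard and API. For an administrative endpoint `policy: two_factor` is the safer choice once those accounts have a second factor enrolled. The added `access_control` block also sets no `default_policy`, so requests that match no rule rely on the implicit default; writing `default_policy: deny` would make the fail-closed behaviour explicit. The rest of the Authelia configuration lies outside this hunk, so whether a default is set elsewhere cannot be seen from here.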
|
@ -10,8 +10,8 @@ spec:
|
||||||
- match: Host(`traefik.${domain}`)
|
- match: Host(`traefik.${domain}`)
|
||||||
kind: Rule
|
kind: Rule
|
||||||
middlewares:
|
middlewares:
|
||||||
- name: traefik-dashboard-basicauth
|
- name: forwardauth-authelia
|
||||||
namespace: traefik
|
namespace: authelia
|
||||||
services:
|
services:
|
||||||
- name: api@internal
|
- name: api@internal
|
||||||
kind: TraefikService
|
kind: TraefikService
|
||||||
|
|
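Review bot: The `forwardauth-authelia` entry under `middlewares:` points into the `authelia` namespace, and nothing in this file records that it only resolves when the Traefik values enable `providers.kubernetesCRD.allowCrossNamespace`. A comment above the entry such as `# cross-namespace ref: needs providers.kubernetesCRD.allowCrossNamespace=true` would document that dependency. The `forwardauth-authelia` Middleware itself is not defined in this commit, so confirm it exists in the cluster before the basic-auth middleware and its secret are removed, since this route is the only control in front of `api@internal`.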
|
@ -1,6 +1,4 @@
|
||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||||
kind: Kustomization
|
kind: Kustomization
|
||||||
resources:
|
resources:
|
||||||
- secret.yaml
|
|
||||||
- middleware.yaml
|
|
||||||
- ingress.yaml
|
- ingress.yaml
|
||||||
|
|
|
@ -1,8 +0,0 @@
|
||||||
apiVersion: traefik.io/v1alpha1
|
|
||||||
kind: Middleware
|
|
||||||
metadata:
|
|
||||||
name: traefik-dashboard-basicauth
|
|
||||||
namespace: traefik
|
|
||||||
spec:
|
|
||||||
basicAuth:
|
|
||||||
secret: traefik-dashboard-auth
|
|
|
@ -1,60 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: traefik-dashboard-auth
|
|
||||||
namespace: traefik
|
|
||||||
type: Opaque
|
|
||||||
data:
|
|
||||||
users: ENC[AES256_GCM,data:7u9dFimVDoytlAj24o4evE69M0+rugfkhGzg8WcHIhG5NDvzJJtL0PSbaZqJLXDhshPfPuKV/Nv94qXOR5sn4nY/cI0=,iv:xO+fhVIJsLqbey/2g2mZ8gMb8zvwCsZC9j1FnWqN8Ew=,tag:ktWZYMyaeyrvD+vdbcLyzw==,type:str]
|
|
||||||
sops:
|
|
||||||
kms: []
|
|
||||||
gcp_kms: []
|
|
||||||
azure_kv: []
|
|
||||||
hc_vault: []
|
|
||||||
age: []
|
|
||||||
lastmodified: "2024-09-26T20:33:22Z"
|
|
||||||
mac: ENC[AES256_GCM,data:KuBBb577toaMHiZ2xq4JFyHusbqkiORwYnj9aNfl0AFsj8j+FikPnAQl+vt0no8/Oqi1OiS/6uSbKpzju92NNb0mbmBEEVJVHoTehg3CNNV0VFI1lf+EVM05XnOVWKzCe/Plku+NB9lx5+hVE1e6p6NVlXx0gnW4JDjE+0fIXJA=,iv:XGwfCVsRtebglZo4e0qAGQfSzGzAfXDMQE1zdLAByoo=,tag:+BENzw0DKkbPho1WDW1c4Q==,type:str]
|
|
||||||
pgp:
|
|
||||||
- created_at: "2024-09-26T20:33:22Z"
|
|
||||||
enc: |-
|
|
||||||
-----BEGIN PGP MESSAGE-----
|
|
||||||
|
|
||||||
hQIMA7pKPTYH5bqOAQ//X7WkMyLjQcBds79rCeEimF7h+lRlo8l4UC11ju+As/Im
|
|
||||||
EmHZ93fvTJp/hE9F75sEFUyUDlGOPUOOJHyOiOJW9gZAwxhlMIjYXzXONxKZZar1
|
|
||||||
cznWwEjTd7GLjlKNqZt5AmGDTyXOgMGeH5anjXmsP4veXHIZBXD6nXqM0cVUqZjy
|
|
||||||
KpliXjRaPhrus6aWjzf1owolBaIQL4CoUvr5APAV/tqkSBC0BZ3AQA5mQa76HtMm
|
|
||||||
tx0+9MV7F/A7UVY45Jk7jUMhzhe6BQPGG6j1Z8UXhmAHDC30IseP6/vSUmzjN8nX
|
|
||||||
hF4aeALd78FUNE9H26eKJUxHI/aAsZMRaTNKwgoWHUqAwwqQbzdIYl9+7rSgGCRl
|
|
||||||
CEDdan++XQ4ML6SAJvBMxFDyrzafQ/GXnoK5YsnprKDw9sAe2WPgoBqgQ5YZaRJ8
|
|
||||||
NPEcvKA5rLa6tlW9S4tcn3uceteCQ9AuDd0YByOpHsTrnWlCcfgKeDo4LD3Pthcl
|
|
||||||
J2mCAIqXyh9tCUIpAPREjpZMu3CVYxHrN8ZXmcRa65Pk9MnQeYh1HXMd5Cswwc/K
|
|
||||||
GRP3XxNBK6clHQmRHEawiAJKWi9VqC7F/nbZY0FTRecU+yMiRtnbXyG2/P4KwFx4
|
|
||||||
/NQTJ225cpoQwo2S5ParMqoLY8UGJSidngcxdvFrExCfSg0OZtubSxRt8CdoOzvU
|
|
||||||
aAEJAhCtYGBG6qL7HHoDkDGlDX1tOcxjCaqGxzQLtZ9P+UFaGHYjWKzmgRjfCQdm
|
|
||||||
DvCMpekLpiiNoDF0DkkfDiTyToiytDpnXqP3gqoJ1oR4S5qd45dDSmtXItt47oAt
|
|
||||||
OgX1Jt4h7NPp
|
|
||||||
=H5Kw
|
|
||||||
-----END PGP MESSAGE-----
|
|
||||||
fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
|
|
||||||
- created_at: "2024-09-26T20:33:22Z"
|
|
||||||
enc: |-
|
|
||||||
-----BEGIN PGP MESSAGE-----
|
|
||||||
|
|
||||||
hQIMA51kG++kLewoAQ/9FigGY5nukmRh6vcgwQgZDdwrnKjhztHc5UEP+SRNAGr7
|
|
||||||
Sp/6DkmRhi5ywmAN8rdMCNGO/9BCcuTGLwLZXP23si1W077NdvExqzVzZdMHo1xi
|
|
||||||
JLNnzSpvduh99nNFj6q/2mS4PlMiPM0uMm5SlHQexoJBBEC7FA66NvrpCrTXahKv
|
|
||||||
v/I+vX6HY8WuhDuril5fbv169DyKSJeEa2FR7Gp37AezmGqDsFMvIL5DSkRGliFz
|
|
||||||
R1xod9zfwFIayaDN36Zc9IaHhk10k6Nszsg3YreR8nrjZLnG3C3XzGS5qeE485hf
|
|
||||||
dXm8ShxTAO3dZMmUK+XkOQdGXGMfzwzr8u7ddDbrFWeG9UBoE26jV6y3iIRe4VYj
|
|
||||||
9np4yZR8j3dxmkNdHXlvrWxy+qkWXml1nZ+M23+SuoV4beloFvujNxtYDrZYSNlA
|
|
||||||
bSrM5bk/D1aS836E8B+mT45Fbw9I825mXR+WVS13RNKdVrA3AF9epwJjWoIRumLC
|
|
||||||
ZogJ2lH35Aj77ytKw8JJB1nMvKNLD27MHETdmP+QaM08YjjywDa9iWYSKXiTIxur
|
|
||||||
IbU6Vtq01xHk1T9gqgc+ovwKOHxm8kKD74AbEsBn88pgp9a+yL1YfDTgTEVmd9a4
|
|
||||||
OrCYfVRqSw5PwZPonGiU+S65PEagMa4FGo/XUy6sqtcrpMdiHRG1AE+xL9780DHS
|
|
||||||
XgEJtwphTlky5kTI27xJOTbzBaYRcCdYf+E831/BGxaEzl9OzBGlfaIUHfPGJNBm
|
|
||||||
wkINDUeyj1aPkyMc+alvadAE3QhETRJ3RcpjIv0+Jc7LcsfSHE1BlNHjCYhJq4E=
|
|
||||||
=TaW0
|
|
||||||
-----END PGP MESSAGE-----
|
|
||||||
fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
|
|
||||||
encrypted_regex: ^(data|stringData)$
|
|
||||||
version: 3.9.0
|
|
|
@ -45,13 +45,18 @@ spec:
|
||||||
redirectTo:
|
redirectTo:
|
||||||
port: websecure
|
port: websecure
|
||||||
|
|
||||||
|
providers:
|
||||||
|
kubernetesCRD:
|
||||||
|
allowCrossNamespace: true
|
||||||
|
|
||||||
# This is needed in order to properly forward the real ip to each service
|
# This is needed in order to properly forward the real ip to each service
|
||||||
# There are likely better ways of handling that, but for now this works
|
# There are likely better ways of handling that, but for now this works
|
||||||
hostNetwork: true
|
# TODO(Tim): Figure out how to properly forward the IP
|
||||||
service:
|
# hostNetwork: true
|
||||||
spec:
|
# service:
|
||||||
externalTrafficPolicy: Local
|
# spec:
|
||||||
updateStrategy:
|
# externalTrafficPolicy: Local
|
||||||
rollingUpdate:
|
# updateStrategy:
|
||||||
maxUnavailable: 2
|
# rollingUpdate:
|
||||||
maxSurge: 0
|
# maxUnavailable: 2
|
||||||
|
# maxSurge: 0
|
||||||
|
|
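Review bot: `allowCrossNamespace: true` under `providers.kubernetesCRD` is a cluster-wide switch, not a per-route one: every IngressRoute in any namespace may then reference middlewares and services in any other namespace, which weakens namespace isolation for anyone allowed to create Traefik CRDs. If the only need is the Authelia check on the dashboard, a forwardAuth Middleware defined in the `traefik` namespace and pointing at the Authelia service URL would avoid the flag; otherwise RBAC on IngressRoute and Middleware objects should stay tight. Separately, `hostNetwork: true` and `externalTrafficPolicy: Local` are now commented out while the two comment lines above still say they are needed for real-IP forwarding. Until the TODO is resolved, Authelia and the access logs will presumably see an in-cluster source address instead of the client's, which degrades auditing and any IP-based rule.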