Tuesday 27 August 2019

Traefik + Authelia on Kubernetes

I have recently been really getting into Kubernetes and have found it to be an amazing container orchestration product after dabbling with Docker for a while. For those of you who aren't familiar with it, visit the Kubernetes official page.

Traefik is an edge router for Kubernetes that is fairly easy to use and set up within a Kubernetes cluster. If you are not familiar with it, visit the Traefik official page.

Authelia is a cloud-ready multi-factor authentication product that can front-end authentication for services such as Prometheus or Alertmanager and bind access to LDAP groups/users. Visit the Authelia official page for more information.

The reason for this article is that there was no existing write-up on using Traefik + Authelia on Kubernetes; the examples mostly show NGINX as the ingress traffic manager. The main thing to note is that you need the following annotations on the Ingress config (note the annotations section) for whatever service you are publishing. The example below is the Ingress config I use to publish Prometheus:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: prometheus
  namespace: monitoring
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/redirect-entry-point: ssl
    traefik.ingress.kubernetes.io/redirect-permanent: "true"
    ingress.kubernetes.io/auth-type: forward
    ingress.kubernetes.io/auth-url: http://authelia.test.com/api/verify?rd=https://authelia.test.com/%23/
spec:
  rules:
  - host: prometheus.test.com
    http:
      paths:
      - backend:
          serviceName: prometheus
          servicePort: http

The redirect-entry-point and redirect-permanent annotations mean that users cannot hit the Prometheus page over plain HTTP; they are permanently redirected to the SSL entry point. Authelia has a rule that if you authenticate to a non-SSL site, it fails the authentication and reports that the site is not secure. The auth-url setting needs %23 for the hash character, otherwise it doesn't work. In your Authelia config, ensure that you have a bypass rule for the Authelia page itself.
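As an added example (not code from the original post or from the Traefik or Authelia projects), here is a small audit script that checks `kubectl get ingress -A -o json` output for the annotations described above, so an Ingress published without forward auth, without the HTTPS redirect, or with an unencoded hash in the auth-url gets flagged. The sample input is constructed: the Prometheus manifest from above plus a deliberately incomplete Alertmanager Ingress.

```python
import json
from urllib.parse import urlparse, parse_qs

# Annotation keys used by the Traefik 1.x Ingress provider, as in the manifest above.
AUTH_TYPE = "ingress.kubernetes.io/auth-type"
AUTH_URL = "ingress.kubernetes.io/auth-url"
REDIRECT_EP = "traefik.ingress.kubernetes.io/redirect-entry-point"

def audit_ingress(item):
    """Return a list of findings for one Ingress object (empty means compliant)."""
    meta = item.get("metadata", {})
    ann = meta.get("annotations") or {}
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    findings = []
    if ann.get(AUTH_TYPE) != "forward":
        findings.append(f"{name}: not protected by forward auth ({AUTH_TYPE} != forward)")
    url = ann.get(AUTH_URL, "")
    if not url:
        findings.append(f"{name}: missing {AUTH_URL}")
    else:
        # parse_qs decodes %23 back to '#'; a literal '#' in the annotation would
        # have been parsed as a URL fragment instead, so rd would not end in /#/.
        rd = parse_qs(urlparse(url).query).get("rd", [""])[0]
        if not rd.startswith("https://") or not rd.endswith("/#/"):
            findings.append(f"{name}: auth-url rd must be an https URL ending in /%23/")
    if ann.get(REDIRECT_EP) != "ssl":
        findings.append(f"{name}: plain HTTP is not redirected to the ssl entry point")
    return findings

def audit_all(kubectl_json):
    """Audit every item of `kubectl get ingress -A -o json` output."""
    items = json.loads(kubectl_json).get("items", [])
    return [f for item in items for f in audit_ingress(item)]

# Constructed sample: the Prometheus Ingress from above (compliant) plus an
# Alertmanager Ingress published without the auth and redirect annotations.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "prometheus", "namespace": "monitoring", "annotations": {
        "kubernetes.io/ingress.class": "traefik",
        REDIRECT_EP: "ssl",
        "traefik.ingress.kubernetes.io/redirect-permanent": "true",
        AUTH_TYPE: "forward",
        AUTH_URL: "http://authelia.test.com/api/verify?rd=https://authelia.test.com/%23/"}}},
    {"metadata": {"name": "alertmanager", "namespace": "monitoring",
                  "annotations": {"kubernetes.io/ingress.class": "traefik"}}},
]})

if __name__ == "__main__":
    for finding in audit_all(SAMPLE):
        print(finding)
```

Run it against real cluster output with `kubectl get ingress -A -o json | python3 audit.py` after replacing `SAMPLE` with `sys.stdin.read()`.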