Traefik
The configuration templates shown below apply to both single-application and domain-level forward auth.
info
example-outpost is used as a placeholder for the outpost name. authentik.company is used as a placeholder for the authentik install. app.company is used as a placeholder for the external domain for the application. outpost.company is used as a placeholder for the outpost. When using the embedded outpost, this can be the same as authentik.company
- Standalone traefik
- docker-compose
- Ingress
http:
middlewares:
authentik:
forwardAuth:
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
routers:
default-router:
rule: "Host(`app.company`)"
middlewares:
- authentik
priority: 10
service: app
default-router-auth:
rule: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15
service: authentik
services:
app:
loadBalancer:
servers:
- url: http://ipp.internal
authentik:
loadBalancer:
servers:
- url: http://outpost.company:9000/outpost.goauthentik.io
version: "3.7"
services:
traefik:
image: traefik:v2.2
container_name: traefik
volumes:
- /var/run/docker.sock:/var/run/docker.sock
ports:
- 80:80
command:
- "--api"
- "--providers.docker=true"
- "--providers.docker.exposedByDefault=false"
- "--entrypoints.web.address=:80"
authentik-proxy:
image: ghcr.io/goauthentik/proxy
ports:
- 9000:9000
- 9443:9443
environment:
AUTHENTIK_HOST: https://your-authentik.tld
AUTHENTIK_INSECURE: "false"
AUTHENTIK_TOKEN: token-generated-by-authentik
# Starting with 2021.9, you can optionally set this too
# when authentik_host for internal communication doesn't match the public URL
# AUTHENTIK_HOST_BROWSER: https://external-domain.tld
labels:
traefik.enable: true
traefik.port: 9000
traefik.http.routers.authentik.rule: Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)
# `authentik-proxy` refers to the service name in the compose file.
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/outpost.goauthentik.io/auth/traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version
restart: unless-stopped
whoami:
image: containous/whoami
labels:
traefik.enable: true
traefik.http.routers.whoami.rule: Host(`app.company`)
traefik.http.routers.whoami.middlewares: authentik@docker
restart: unless-stopped
Create a middleware:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: authentik
spec:
forwardAuth:
address: http://outpost.company:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
Add the following settings to your IngressRoute
By default traefik does not allow cross-namespace references for middlewares:
See here to enable it.
spec:
routes:
- kind: Rule
match: "Host(`app.company`)"
middlewares:
- name: authentik
namespace: authentik
priority: 10
services: # Unchanged
# This part is only required for single-app setups
- kind: Rule
match: "Host(`app.company`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15
services:
- kind: Service
# Or, to use an external Outpost, create an ExternalName service and reference that here.
# See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
name: ak-outpost-example-outpost
port: 9000