Using kubernetes traefik.io with oathkeeper.ory.sh
To integrate Traefik with Oathkeeper in a Kubernetes cluster using Pulumi, we'll proceed with these steps:
- Deploy Traefik as an Ingress Controller using the Traefik Helm chart.
- Configure Oathkeeper as an authentication proxy which will be used by Traefik through Kubernetes services.
Deploying Traefik Ingress Controller
Traefik can be installed as an Ingress Controller using Helm and Pulumi's support for Kubernetes Helm charts. As an Ingress Controller, Traefik will manage external access to the services in the Kubernetes cluster, typically HTTP.
Configuring Oathkeeper
Oathkeeper by ORY is an Identity and Access Proxy (IAP) that authorizes HTTP requests based on sets of rules. To have Traefik forward authentication requests to Oathkeeper, we will deploy Oathkeeper also using a Helm chart, and then we will configure a service in Kubernetes for Traefik to communicate with Oathkeeper.
We'll use Pulumi's Kubernetes provider to orchestrate both applications in the cluster. Pulumi allows us to define our infrastructure in familiar languages such as TypeScript. The following program in TypeScript assumes you have a Kubernetes cluster already up and running, have Pulumi installed, and have configured your environment to communicate with your Kubernetes cluster.
Here is how you can set up Traefik with Oathkeeper in Kubernetes using Pulumi:
import * as k8s from "@pulumi/kubernetes";
import * as pulumi from "@pulumi/pulumi";

// Create a namespace for your ingress resources
const ns = new k8s.core.v1.Namespace("ingress-namespace", {
    metadata: {
        // Change this name to something meaningful for your project.
        name: "ingress-system",
    },
});

// Deploy Traefik using the Helm Chart
const traefik = new k8s.helm.v3.Chart("traefik", {
    namespace: ns.metadata.name,
    chart: "traefik",
    fetchOpts: {
        // This repository contains the Traefik helm chart
        repo: "https://helm.traefik.io/traefik",
    },
    // Define values for the Helm chart's configuration
    values: {
        service: {
            annotations: {
                // Traefik honours router.middlewares on Ingress objects, so this annotation on
                // Traefik's own Service only records the intended middleware; the Middleware it
                // names ("<namespace>-<name>@kubernetescrd") must exist before an Ingress uses it.
                "traefik.ingress.kubernetes.io/router.middlewares": "oathkeeper-forward-auth@kubernetescrd",
            },
        },
    },
}, { dependsOn: ns });

// Deploy ORY Oathkeeper using its Helm Chart
const oathkeeper = new k8s.helm.v3.Chart("oathkeeper", {
    namespace: ns.metadata.name,
    chart: "oathkeeper",
    fetchOpts: {
        // This repository contains the Oathkeeper helm chart
        repo: "https://k8s.ory.sh/helm/charts",
    },
    // Values to configure Oathkeeper
    values: {
        // Provide custom configuration here (access rules, authenticators, etc.)
    },
}, { dependsOn: ns });

// Export the external IP of the Traefik Ingress to access it from outside.
// getResource is keyed by "<namespace>/<name>", where the namespace is the
// Namespace object's metadata.name ("ingress-system"), not its Pulumi resource name.
export const traefikIngressIp = traefik
    .getResource("v1/Service", "ingress-system/traefik")
    .status.loadBalancer.ingress[0].ip;
In this program:
- We define a new Kubernetes namespace specifically for our ingress resources.
- We deploy the Traefik Helm chart into our Kubernetes cluster. Traefik is configured with an annotation to use Oathkeeper as a middleware for request authentication.
- We deploy the Oathkeeper Helm chart, also in the same Kubernetes namespace.
- We export the load balancer IP address which can be used to reach the Traefik Ingress Controller.
Please note that this is a basic setup, and the values provided to the Helm charts (the values field of ChartArgs) are minimal. For a production setup, you will likely need to provide more configuration details depending on your specific requirements and environment, especially for Oathkeeper, which needs actual rules to process the incoming requests. Remember to check the Helm charts documentation for Traefik and Oathkeeper to understand all the configuration options available to you. With Pulumi, you can automate the deployment of these services and provide a robust solution for managing ingress traffic and enforcing access policies in your Kubernetes cluster.