Using kubernetes traefik.containo.us with oathkeeper.ory.sh
To deploy Traefik with Ory Oathkeeper on Kubernetes using Pulumi, we'll need to create multiple resources:
- Traefik: an open-source edge router that makes publishing your services easy. It receives requests on behalf of your system and works out which component is responsible for handling each one.
- Ory Oathkeeper: an identity and access proxy that operates at the edge, authorizing HTTP requests based on a set of rules. It can validate, rewrite, and transform incoming HTTP(S) requests and outgoing HTTP(S) responses.
The Pulumi program below sets up these components with a basic configuration: a Pulumi TypeScript program that deploys the appropriate Kubernetes resources onto an existing cluster.

We define the Kubernetes manifests for both Traefik and Oathkeeper as Pulumi code, assuming that you have a Kubernetes cluster up and running and that your `kubectl` is configured correctly. The program uses the high-level abstractions provided by the Pulumi Kubernetes library.

First, we import the Pulumi Kubernetes library. There is no dedicated Pulumi package for Traefik or Oathkeeper; instead we use the general Kubernetes package, which lets us define Kubernetes resources (including Helm charts and raw YAML or JSON manifests) directly within Pulumi.
Here is the Pulumi TypeScript program:
```typescript
import * as k8s from "@pulumi/kubernetes";

const namespaceName = "ingress";

// Create a namespace for our ingress resources
const ns = new k8s.core.v1.Namespace(namespaceName, {
    metadata: { name: namespaceName },
});

// Deploy Traefik as an Ingress controller from its official Helm chart
const traefik = new k8s.helm.v3.Chart("traefik", {
    chart: "traefik",
    namespace: namespaceName,
    fetchOpts: {
        repo: "https://helm.traefik.io/traefik",
    },
}, { dependsOn: [ns] });

// Oathkeeper deployment and services, from the Ory Helm chart.
// (A chart's values.yaml is not a Kubernetes manifest and cannot be applied with
// k8s.yaml.ConfigFile, so the chart itself is installed; Oathkeeper's own config
// and access rules are supplied through the chart's `values`.)
const oathkeeper = new k8s.helm.v3.Chart("oathkeeper", {
    chart: "oathkeeper",
    namespace: namespaceName,
    fetchOpts: {
        repo: "https://k8s.ory.sh/helm/charts",
    },
    // values: { ... }  // placeholder: put Oathkeeper's config and access rules here
}, { dependsOn: [traefik] });

// Expose Oathkeeper through Traefik using an Ingress rule
const oathkeeperIngress = new k8s.networking.v1.Ingress("oathkeeper-ingress", {
    metadata: {
        namespace: namespaceName,
        annotations: {
            "kubernetes.io/ingress.class": "traefik",
            // Traefik references a Middleware CRD as "<namespace>-<name>@kubernetescrd".
            // The Middleware named here is a placeholder; it is not defined in this program.
            "traefik.ingress.kubernetes.io/router.middlewares": `${namespaceName}-oathkeeper-auth@kubernetescrd`,
            // Additional annotations can be added here
        },
    },
    spec: {
        rules: [{
            http: {
                paths: [{
                    path: "/auth",
                    pathType: "Prefix",
                    backend: {
                        service: {
                            // Service name and port as created by the Ory chart for this
                            // release name (assumed; verify with `kubectl get svc -n ingress`)
                            name: "oathkeeper-proxy",
                            port: { number: 4455 },
                        },
                    },
                }],
            },
        }],
    },
}, { dependsOn: [oathkeeper] });

// The chart runs in a non-default namespace, so the Service is looked up by namespace and name
export const traefikIngressUrl = traefik
    .getResourceProperty("v1/Service", namespaceName, "traefik", "status")
    .apply(status => status.loadBalancer.ingress[0].ip);
```
Explanation:
- We first import the Kubernetes package from Pulumi to interact with our Kubernetes cluster.
- Create a Kubernetes namespace where all our resources will be deployed.
- Deploy Traefik from its official Helm chart repository. Helm charts are a way to package up a set of predefined Kubernetes resources.
- Deploy Ory Oathkeeper into the same namespace. The Oathkeeper resource in the program is a placeholder as far as configuration goes: you must supply Oathkeeper's real configuration (its config file and access rules) before deploying.
- Define an Ingress resource to manage external access to Ory Oathkeeper, routing the traffic through Traefik.
- Annotate the Ingress resource to specify its class as Traefik and attach any middlewares required. Here we have added a placeholder middleware reference, which you would replace with the name of a Middleware you actually define.
- Export the ingress IP to access Traefik externally once deployed.
Remember, this is a basic setup. The actual implementation may require you to define Middleware CRDs for Ory Oathkeeper, manage certificates for HTTPS, and configure Oathkeeper access rules. Pulumi's Kubernetes package is flexible enough to let you define all of these additional resources as needed.
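As an added example (not part of the original program), the following TypeScript builds the two pieces of configuration that the paragraph above leaves open: a Traefik ForwardAuth Middleware that sends every request to Oathkeeper's decision API, and an Oathkeeper access rule that Oathkeeper evaluates for those requests. They are built as plain objects so they can be unit-tested before being handed to Pulumi (for example as `new k8s.apiextensions.CustomResource("oathkeeper-auth", middleware)` and as the Oathkeeper chart's access-rule values). The namespace, the `oathkeeper-api` service name, port 4456, the hostnames and the JWKS URL are assumptions, not values from the page.

```typescript
// Added example, not from the original page. Builds a Traefik ForwardAuth
// Middleware and an Oathkeeper access rule as plain objects; namespace, service
// name, ports, hosts and URLs below are assumed sample values.

// Traefik's Kubernetes CRD provider addresses a Middleware as
// "<namespace>-<name>@kubernetescrd". A mistyped reference is a common reason a
// protected route stops working, so derive the string rather than hand-writing it.
function traefikMiddlewareRef(namespace: string, name: string): string {
  return `${namespace}-${name}@kubernetescrd`;
}

interface ForwardAuthMiddleware {
  apiVersion: "traefik.containo.us/v1alpha1";
  kind: "Middleware";
  metadata: { name: string; namespace: string };
  spec: { forwardAuth: { address: string; authResponseHeaders: string[] } };
}

interface ForwardAuthOptions {
  namespace: string;
  name: string;
  apiService: string;   // assumed Service name of Oathkeeper's API listener
  apiPort: number;      // Oathkeeper serves its API, including /decisions, on 4456 by default
  authResponseHeaders?: string[];
}

// With forwardAuth, Traefik first sends each request to Oathkeeper's /decisions
// endpoint. A 2xx reply lets the request through, and the listed response headers
// (set by Oathkeeper's mutators) are copied onto the request to the upstream; any
// other status is returned to the client and the upstream is never reached.
function forwardAuthMiddleware(o: ForwardAuthOptions): ForwardAuthMiddleware {
  const address =
    `http://${o.apiService}.${o.namespace}.svc.cluster.local:${o.apiPort}/decisions`;
  return {
    apiVersion: "traefik.containo.us/v1alpha1",
    kind: "Middleware",
    metadata: { name: o.name, namespace: o.namespace },
    spec: {
      forwardAuth: {
        address,
        authResponseHeaders: o.authResponseHeaders ?? ["Authorization", "X-User"],
      },
    },
  };
}

// Oathkeeper access rule: a request matching `match` runs through the
// authenticators in order, then the authorizer, then the mutators. A request that
// matches no rule is denied, so every route Traefik forwards must be covered.
interface AccessRule {
  id: string;
  upstream: { url: string };
  match: { url: string; methods: string[] };
  authenticators: { handler: string; config?: Record<string, unknown> }[];
  authorizer: { handler: string; config?: Record<string, unknown> };
  mutators: { handler: string; config?: Record<string, unknown> }[];
}

function jwtProtectedRule(id: string, host: string, pathPrefix: string,
                          upstreamUrl: string, methods: string[],
                          jwksUrl: string): AccessRule {
  if (!pathPrefix.startsWith("/")) throw new Error("pathPrefix must start with '/'");
  return {
    id,
    upstream: { url: upstreamUrl },
    // Oathkeeper match patterns put regular expressions between < and >.
    match: { url: `<https?>://${host}${pathPrefix}<.*>`, methods },
    // Only a token that verifies against the (hypothetical) JWKS counts as
    // authenticated; there is deliberately no anonymous fallback.
    authenticators: [{ handler: "jwt", config: { jwks_urls: [jwksUrl] } }],
    authorizer: { handler: "allow" },
    // Header mutator: hand the token subject to the upstream as X-User.
    mutators: [{ handler: "header",
                 config: { headers: { "X-User": "{{ print .Subject }}" } } }],
  };
}

// Sample wiring for the "ingress" namespace used in the program above.
function exampleConfig() {
  const middleware = forwardAuthMiddleware({
    namespace: "ingress", name: "oathkeeper-auth",
    apiService: "oathkeeper-api", apiPort: 4456,
  });
  const rules = [jwtProtectedRule("api-v1", "api.example.com", "/v1",
    "http://api.default.svc.cluster.local:8080", ["GET", "POST"],
    "https://issuer.example.com/.well-known/jwks.json")];
  return { middleware, middlewareRef: traefikMiddlewareRef("ingress", "oathkeeper-auth"), rules };
}

console.log(JSON.stringify(exampleConfig(), null, 2));
```

The value of `middlewareRef` is what belongs in the Ingress's `traefik.ingress.kubernetes.io/router.middlewares` annotation; the `rules` array is what the Oathkeeper deployment must load. Keep `authResponseHeaders` limited to headers the upstream actually trusts from the proxy, since anything listed there reaches the upstream as if Oathkeeper had set it.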