How do I add BasicAuth to services via Traefik middleware?

In this guide, we will demonstrate how to secure services using Traefik middleware with BasicAuth in Pulumi. Traefik is a popular reverse proxy and load balancer that makes deploying microservices easy. BasicAuth is a simple authentication mechanism that requires a username and password to access services.

We will create a Kubernetes deployment for Traefik, configure a middleware for BasicAuth, and apply it to a service.

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Create a Kubernetes namespace
const namespace = new k8s.core.v1.Namespace("traefik-namespace", {
    metadata: { name: "traefik" },
});

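// Deploy Traefik.
// The kubernetescrd provider assumes the Traefik CRDs are already installed in the cluster
// and that the pod's service account has RBAC to read them and the Secrets they reference.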
const traefikDeployment = new k8s.apps.v1.Deployment("traefik-deployment", {
    metadata: {
        namespace: namespace.metadata.name,
        name: "traefik",
    },
    spec: {
        replicas: 1,
        selector: { matchLabels: { app: "traefik" } },
        template: {
            metadata: { labels: { app: "traefik" } },
            spec: {
                containers: [{
                    name: "traefik",
                    image: "traefik:v2.4",
                    ports: [
                        { name: "http", containerPort: 80 },
                        { name: "admin", containerPort: 8080 },
                    ],
                    args: [
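                        // Serves the dashboard and API on :8080 without authentication;
                        // keep that port off untrusted networks
                        "--api.insecure=true",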
                        "--providers.kubernetescrd",
                        "--entrypoints.web.address=:80",
                        "--entrypoints.websecure.address=:443",
                    ],
                }],
            },
        },
    },
});

// Create a Traefik service
const traefikService = new k8s.core.v1.Service("traefik-service", {
    metadata: {
        namespace: namespace.metadata.name,
        name: "traefik",
    },
    spec: {
        selector: { app: "traefik" },
        ports: [
            { name: "http", port: 80, targetPort: "http" },
            // With type LoadBalancer this also publishes the unauthenticated admin port
            { name: "admin", port: 8080, targetPort: "admin" },
        ],
        type: "LoadBalancer",
    },
});

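// Create a middleware for BasicAuth.
// The Traefik Kubernetes CRD reads credentials from a Secret (spec.basicAuth.secret), and a
// shell substitution written inside a string literal is never executed, so the htpasswd
// entry is generated offline (e.g. `htpasswd -nB user`) and stored as a Pulumi secret:
//   pulumi config set --secret basicAuthUsers '<htpasswd line>'
// The config key name "basicAuthUsers" is an assumption chosen for this example.
const config = new pulumi.Config();
const basicAuthSecret = new k8s.core.v1.Secret("basicauth-secret", {
    metadata: {
        namespace: namespace.metadata.name,
        name: "basicauth-users",
    },
    // One htpasswd-style "user:hash" line per user under the "users" key
    stringData: { users: config.requireSecret("basicAuthUsers") },
});

const basicAuthMiddleware = new k8s.apiextensions.CustomResource("basicauth-middleware", {
    apiVersion: "traefik.containo.us/v1alpha1",
    kind: "Middleware",
    metadata: {
        namespace: namespace.metadata.name,
        name: "basicauth",
    },
    spec: {
        basicAuth: {
            secret: basicAuthSecret.metadata.name,
        },
    },
});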

// Create a sample service to protect with BasicAuth
const appLabels = { app: "myapp" };
const deployment = new k8s.apps.v1.Deployment("myapp-deployment", {
    metadata: { namespace: namespace.metadata.name },
    spec: {
        replicas: 1,
        selector: { matchLabels: appLabels },
        template: {
            metadata: { labels: appLabels },
            spec: {
                containers: [{
                    name: "myapp",
                    image: "nginx",
                    ports: [{ containerPort: 80 }],
                }],
            },
        },
    },
});

const service = new k8s.core.v1.Service("myapp-service", {
    metadata: { namespace: namespace.metadata.name },
    spec: {
        selector: appLabels,
        ports: [{ port: 80 }],
    },
});

// Create an IngressRoute to use the middleware
const ingressRoute = new k8s.apiextensions.CustomResource("myapp-ingressroute", {
    apiVersion: "traefik.containo.us/v1alpha1",
    kind: "IngressRoute",
    metadata: {
        namespace: namespace.metadata.name,
        name: "myapp-ingressroute",
    },
    spec: {
        entryPoints: ["web"],
        routes: [{
            match: "Host(`myapp.local`)",
            kind: "Rule",
            services: [{ name: service.metadata.name, port: 80 }],
            middlewares: [{ name: basicAuthMiddleware.metadata.name }],
        }],
    },
});

Key Points:

  • We created a Kubernetes namespace for Traefik.
  • We deployed Traefik as a Kubernetes deployment and exposed it via a service.
  • We configured a Traefik middleware for BasicAuth.
  • We created a sample application and protected it using the BasicAuth middleware.
  • We configured an IngressRoute to apply the middleware to the sample application service.

Summary:

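In this guide, we demonstrated how to secure services using Traefik middleware with BasicAuth in Pulumi. We deployed Traefik, configured a BasicAuth middleware, and applied it to a sample service using an IngressRoute. With this setup, requests routed to the service through Traefik must authenticate before they reach it. Because the IngressRoute is bound to the `web` (plain HTTP) entrypoint, the BasicAuth credentials travel unencrypted; serve the route over TLS on the `websecure` entrypoint for anything beyond local testing.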
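
Whichever way the BasicAuth credentials reach Traefik, each entry has to be an htpasswd-style `user:hash` line. The following check is an added example, not part of the original guide or of Pulumi's or Traefik's code: it lints such lines before deployment and flags unexpanded shell text, plaintext passwords and non-bcrypt hashes. The function names and the sample entries are constructed for illustration.

```typescript
// Added example: lint htpasswd-style "user:hash" lines before deploying them to
// a Traefik BasicAuth middleware. All names here are hypothetical helpers.
type Finding = { line: number; user: string; problem: string };

// Encodings produced by htpasswd: -B (bcrypt), -m (apr1 MD5), -s (SHA1)
const BCRYPT = /^\$2[aby]\$\d{2}\$[.\/A-Za-z0-9]{53}$/;
const APR1_MD5 = /^\$apr1\$[.\/A-Za-z0-9]{1,8}\$[.\/A-Za-z0-9]{22}$/;
const SHA1_B64 = /^\{SHA\}[A-Za-z0-9+\/]{27}=$/;

function hashProblem(hash: string): string | null {
    if (hash.indexOf("$(") !== -1 || hash.indexOf("`") !== -1) {
        return "unexpanded shell substitution";
    }
    if (BCRYPT.test(hash)) return null;
    if (APR1_MD5.test(hash) || SHA1_B64.test(hash)) {
        return "legacy MD5/SHA1 hash, prefer bcrypt";
    }
    return "not a recognised htpasswd hash";
}

function lintHtpasswd(content: string): Finding[] {
    const findings: Finding[] = [];
    const seen: string[] = [];
    content.split(/\r?\n/).forEach((raw, idx) => {
        const entry = raw.trim();
        if (entry === "") return; // htpasswd -n prints a trailing blank line
        const sep = entry.indexOf(":");
        if (sep <= 0) {
            findings.push({ line: idx + 1, user: "", problem: "not in user:hash form" });
            return;
        }
        const user = entry.slice(0, sep);
        if (seen.indexOf(user) !== -1) {
            findings.push({ line: idx + 1, user, problem: "duplicate user" });
        }
        seen.push(user);
        const problem = hashProblem(entry.slice(sep + 1));
        if (problem) findings.push({ line: idx + 1, user, problem });
    });
    return findings;
}

// Constructed sample: a syntactically valid bcrypt entry (filler digest, not a
// real hash), a string with unexpanded shell text, and a plaintext password.
const SAMPLE = [
    "alice:$2y$10$" + new Array(54).join("a"),
    "user:$(htpasswd -nb user password | base64)",
    "bob:hunter2",
].join("\n");
const SAMPLE_FINDINGS = lintHtpasswd(SAMPLE);
```

Running `lintHtpasswd` on the value about to be deployed and failing the Pulumi program when it returns any finding keeps a malformed entry from silently producing a route nobody can log in to.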
