Kubernetes config for Traefik

[paulhanssen]

Hello (again),

How does one get the correct redirect_uri for tinyauth and traefik in Kubernetes?

I have the following Traefik middlware for Tinyauth v4.1.0 (that shows in the Traefik dashboard):

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: tinyauth
  namespace: tinyauth
spec:
  forwardAuth:
    address: https://tinyauth.example.com/api/auth/traefik
    trustForwardHeader: true

I then configure the ingress annotations for whoami, setting up traefik and the middleware:

  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.middlewares: tinyauth-tinyauth@kubernetescrd

(traefik is configured to accept cross-namespace middlewares)

Then I add the following common labels in my whoami config (helm):

  tinyauth.apps.whoami.users.allow: xyzuser
  tinyauth.apps.whoami.config.domain: whoami.example.com

This shows as a label on the service:

$ kubectl get svc --show-labels -n whoami

NAME     TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE   LABELS
whoami   ClusterIP   10.4x.yy.zzz   <none>        80/TCP    8d    app.kubernetes.io/component=whoami,app.kubernetes.io/instance=whoami,app.kubernetes.io/managed-by=Helm,app.kubernetes.io/name=whoami,app.kubernetes.io/version=1.11.0,helm.sh/chart=whoami-6.0.0,tinyauth.apps.whoami.config.domain=whoami.example.com,tinyauth.apps.whoami.users.allow=xyzuser

But then when I point my browser to whoami.example.com, I get a re-directed login of

https://tinyauth.example.com//login?redirect_uri=https%3A%2F%2Ftinyauth.example.com

Please, can you tell me what I'm missing?

I feel I'm close, just missing that last bit about how to get the re-direct and tinyauth labels working. Any help would be appreciated :) Cheers!

[paulhanssen]

Hi, I'm going to close this one as I'm going to try doing it a different way with the traefik forward-auth (plugin), rather than using Tinyauth for forward-auth (to Pocket ID).

The tinyauth annotations don't belong in Kubernetes, you would just create a separate middleware for each different client app in Pocket ID and manage the groups in Pocket.

Once again, thanks for such a great product. Cheers!

[steveiliop56]

The issue in your config was the forward auth address. You should not use the domain there, the connection must be internal. This is because Traefik will not trust the headers and overwrite them with the ones from the domain of Tinyauth resulting in the redirect URI pointing to Tinyauth itself. By using an internal connection (HTTP is not an issue since it's internal), you can ensure Tinyauth receives the correct headers.

The tinyauth annotations don't belong in Kubernetes, you would just create a separate middleware for each different client app in Pocket ID and manage the groups in Pocket.

Not sure what you mean by this. Tinyauth wasn't really designed for Kubernetes but I am open for suggestions on how to improve support.

[paulhanssen]

Thanks for the reply, much appreciated!... Mainly, I was looking for a way to do proxy auth for services that had no inbuilt authentication, per: https://pocket-id.org/docs/guides/proxy-services.

I started with TinyAuth, and then tried other options. Cheers!

[contre95]

@paulhanssen I believe I was trying to do the same but my understanding is that Tinyauth access control via labels such as tinyauth.apps.[app].oauth.groups are only supported in docker or dockerlike environments and not in Kubernetes. Therefore, if running in Kubernetes with Pocket ID, authorization is not possible with Tinyauth + Kubernetes. I'm assuming this since in order to work Tinyauth requires you to mount the Docker socket and in K8S that's not possible always, I tried creating a Roel and Service Account and everything but it looks like Tinyauth just doesn't know how to read label in Kubernetes.

The closes I could get was setting env variables such as OAUTH_WHITELIST but the outcome is the same as assigning or not assigning the group that has the Tinyauth OIDC app integrated in Pocket ID, so why bother.
I believe I will try going through your route of setting <pocket-id> <--> <traefik> and use Tinyauth for general server authentication and that's it until it supports Kubernetes access control via labels.

EDIT:
I'm working on adding label support for k8s #627