docs: Add Traefik + Kubernetes example (#1411)

examples/traefik-ingress/README.md

@@ -0,0 +1,19 @@
+# Pomerium as forward-auth provider for Traefik on Kubernetes
+
+Run this demo locally on your kubernetes capable workstation or:
+    - use `kubectl port-forward service/traefik 80:80 443:443`
+    - replace `localhost.pomerium.io` with your own domain
+
+## Includes
+
+- Authentication and Authorization managed by pomerium
+- Routing / reverse proxying handled by traefik
+- Installation using upstream `helm` charts
+
+## How
+
+- Update `values/pomerium.yaml` for your e-mail address, if not using gmail/google.
+- Replace IdP secrets in `values/pomerium.yaml`.
+- Run `./add_repos.sh` from this directory.
+- Run `./install.sh` from this directory.
+- Navigate to `https://hello.localhost.pomerium.io`

examples/traefik-ingress/add_repos.sh

@@ -0,0 +1,5 @@
+#!/bin/bash -x
+
+helm repo add bitnami https://charts.bitnami.com/bitnami
+helm repo add pomerium https://helm.pomerium.io
+helm repo add traefik https://containous.github.io/traefik-helm-chart

examples/traefik-ingress/crds/middleware.yaml

@@ -0,0 +1,10 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: auth
+spec:
+  forwardAuth:
+    address: https://pomerium-proxy.pomerium
+    tls:
+      insecureSkipVerify: true
+    trustForwardHeader: true

examples/traefik-ingress/install.sh

@@ -0,0 +1,31 @@
+#!/bin/bash -x
+
+kubectl create namespace pomerium
+
+# Create shared TLS secret
+kubectl create secret tls wildcard-tls \
+    --namespace pomerium \
+    --cert=_wildcard.localhost.pomerium.io.pem \
+    --key=_wildcard.localhost.pomerium.io-key.pem
+
+# Install Traefik helm chart
+helm upgrade --install --wait \
+    --namespace pomerium \
+    traefik traefik/traefik \
+    --values values/traefik.yaml
+
+# Install Pomerium helm chart
+helm upgrade --install --wait \
+    --namespace pomerium \
+    pomerium pomerium/pomerium \
+    --values values/pomerium.yaml
+
+# Create middleware
+kubectl --namespace pomerium apply -f crds/middleware.yaml
+
+# Install hello app
+helm upgrade --install --wait \
+    --namespace pomerium \
+    --version 6.2.1 \
+    hello bitnami/nginx \
+    --values values/hello.yaml

examples/traefik-ingress/values/hello.yaml

@@ -0,0 +1,15 @@
+ingress:
+  enabled: true
+  hosts:
+    - name: hello.localhost.pomerium.io
+      path: /
+
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: pomerium-auth@kubernetescrd
+    traefik.ingress.kubernetes.io/router.tls: "true"
+  tls:
+    - hosts:
+        - hello.localhost.pomerium.io
+      secretName: wildcard-tls
+service:
+  type: ClusterIP

examples/traefik-ingress/values/pomerium.yaml

@@ -0,0 +1,24 @@
+authenticate:
+  idp:
+    provider: REPLACEME
+    url: REPLACEME
+    clientID: REPLACEME
+    clientSecret: REPLACEME
+
+config:
+  rootDomain: localhost.pomerium.io
+  sharedSecret: R0+XRoGVpcoi4PfB8tMlvnrS5XUasO+D1frAEdYcYjs=
+  cookieSecret: FLPCOQKigK5EQnyXlBhchl5fgzNKqi3ubtvOGt477Dg=
+  generateTLS: true
+  policy:
+    - from: https://hello.localhost.pomerium.io
+      to: http://hello-nginx
+      allowed_domains:
+        - gmail.com
+ingress:
+  annotations:
+    traefik.ingress.kubernetes.io/router.tls: "true"
+  secretName: wildcard-tls
+forwardAuth:
+  enabled: true
+  internal: true

examples/traefik-ingress/values/traefik.yaml

@@ -0,0 +1,3 @@
+additionalArguments:
+  - "--serverstransport.insecureskipverify=true"
+  - "--entryPoints.websecure.forwardedHeaders.insecure"