{"id":26411007,"url":"https://github.com/edgeflare/traefikopa","last_synced_at":"2026-01-18T02:51:31.916Z","repository":{"id":187680260,"uuid":"677365676","full_name":"edgeflare/traefikopa","owner":"edgeflare","description":"Open Policy Agent (OPA) Authorization middleware for Traefik","archived":false,"fork":false,"pushed_at":"2023-08-19T05:49:10.000Z","size":5,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-07-30T19:43:52.259Z","etag":null,"topics":["opa","open-policy-agent","traefik","traefik-plugin"],"latest_commit_sha":null,"homepage":"https://plugins.traefik.io/plugins/64e05a6b4a44b52408b09eac/opa-authorization-middleware-for-traefik","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/edgeflare.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-08-11T11:47:41.000Z","updated_at":"2024-06-30T21:27:37.000Z","dependencies_parsed_at":null,"dependency_job_id":"30619a54-5ff5-4fc6-a29e-ace2e0e6e912","html_url":"https://github.com/edgeflare/traefikopa","commit_stats":null,"previous_names":["edgeflare/traefikopa"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edgeflare%2Ftraefikopa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edgeflare%2Ftraefikopa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edgeflare%2Ftraefikopa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edgeflare%2Ftraefikopa/manifests","owner_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/owners/edgeflare","download_url":"https://codeload.github.com/edgeflare/traefikopa/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244102780,"owners_count":20398386,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["opa","open-policy-agent","traefik","traefik-plugin"],"created_at":"2025-03-17T20:20:11.053Z","updated_at":"2026-01-18T02:51:31.873Z","avatar_url":"https://github.com/edgeflare.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Open Policy Agent (OPA) Authorization middleware for Traefik\n\n\u003e ### This plugin is useful if the full request context is needed for evaluating OPA policy decision. Traefik forwardAuth middleware doesn't preserve the request entirely, stripping off, for example, the `body`, before forwarding to the authz server. 
If you can NOT modify the Traefik installation, you might check out the simpler [traefik-opa-proxy](https://github.com/edgeflare/traefik-opa-proxy), which has some limitations, though.\n\n## Installation\n\n### Using Helm\n\n```yaml\napiVersion: helm.cattle.io/v1\nkind: HelmChart # or HelmChartConfig\nmetadata:\n  name: traefik\n  namespace: kube-system\nspec:\n  valuesContent: |-\n    additionalArguments:\n      - \"--experimental.plugins.opa.moduleName=github.com/edgeflare/traefikopa\"\n      - \"--experimental.plugins.opa.version=v0.0.1\"\n#     - others-additional-arguments\n```\n\n### Using command line arguments\n\n```sh\ntraefik \\\n  --experimental.plugins.opa.moduleName=github.com/edgeflare/traefikopa \\\n  --experimental.plugins.opa.version=v0.0.1\n```\n\n## Usage in Kubernetes\n\n```yaml\napiVersion: traefik.containo.us/v1alpha1\nkind: Middleware\nmetadata:\n  name: opa-authz\n  namespace: kube-system\nspec:\n  plugin:\n    opa:\n      URL: http://opa.kube-system:8181/v1/data/httpapi/authz\n      # Assuming OPA is installed in kube-system namespace\n      # and exposed via a service named opa on port 8181\n---\napiVersion: traefik.containo.us/v1alpha1\nkind: IngressRoute\nmetadata:\n  name: yourapp.example.com\n  namespace: demo\nspec:\n  entryPoints:\n  - web\n  - websecure\n  routes:\n  - match: Host(`yourapp.example.com`) \n    kind: Rule\n    services:\n    - name: yourapp-service\n      port: 80\n    middlewares:\n    - name: opa-authz\n      namespace: kube-system # the Middleware above lives in kube-system, not demo\n  tls: # optional\n    secretName: yourapp.example.com-tls\n---\n# Use either IngressRoute, or Ingress\napiVersion: networking.k8s.io/v1\nkind: Ingress\nmetadata:\n  name: yourapp.example.com\n  namespace: demo\n  annotations:\n    kubernetes.io/ingress.class: traefik\n    traefik.ingress.kubernetes.io/router.middlewares: kube-system-opa-authz@kubernetescrd\nspec:\n  rules:\n  - host: yourapp.example.com\n    http:\n      paths:\n      - pathType: Prefix # required by networking.k8s.io/v1\n        backend:\n          service:\n            name: yourapp-service\n            port:\n              number: 80\n        
path: /\n```\n\nSee [example](https://github.com/edgeflare/traefik-opa-proxy/tree/master/example) for Kubernetes deployment manifests.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fedgeflare%2Ftraefikopa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fedgeflare%2Ftraefikopa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fedgeflare%2Ftraefikopa/lists"}