https://github.com/edgeflare/traefikopa
Open Policy Agent (OPA) Authorization middleware for Traefik
opa open-policy-agent traefik traefik-plugin
Last synced: 5 months ago
- Host: GitHub
- URL: https://github.com/edgeflare/traefikopa
- Owner: edgeflare
- Created: 2023-08-11T11:47:41.000Z (almost 3 years ago)
- Default Branch: master
- Last Pushed: 2023-08-19T05:49:10.000Z (almost 3 years ago)
- Last Synced: 2024-07-30T19:43:52.259Z (almost 2 years ago)
- Topics: opa, open-policy-agent, traefik, traefik-plugin
- Language: Go
- Homepage: https://plugins.traefik.io/plugins/64e05a6b4a44b52408b09eac/opa-authorization-middleware-for-traefik
- Size: 4.88 KB
- Stars: 3
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Open Policy Agent (OPA) Authorization middleware for Traefik
> ### This plugin is useful when the full request context is needed to evaluate an OPA policy decision. Traefik's forwardAuth middleware does not forward the request intact: it strips, for example, the `body` before calling the authorization server, so a policy cannot decide on anything carried in the body. If you cannot modify the Traefik installation, check out the simpler [traefik-opa-proxy](https://github.com/edgeflare/traefik-opa-proxy), which has some limitations, though.
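To make the body-forwarding point concrete, here is an added illustrative Go middleware; it is not the traefikopa plugin's source and its `OPAInput` layout, `allow` rule, `FakeOPA` and `Decide` helpers are assumptions for the example. It buffers the request body (bounded), restores it for the upstream, posts method, path, headers and body as `input` to OPA's Data API (`POST /v1/data/<path>`, answered with `{"result": ...}`), and fails closed whenever OPA is unreachable or says no:

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

const maxBody = 1 << 20 // cap on buffered bytes so a huge upload cannot exhaust the proxy

// OPAInput is the document sent as "input" to OPA's Data API. The field layout
// is an assumption for this example, not the traefikopa plugin's schema.
type OPAInput struct {
	Method  string              `json:"method"`
	Path    string              `json:"path"`
	Headers map[string][]string `json:"headers"`
	Body    string              `json:"body"` // the part forwardAuth would drop
}

// OPAMiddleware sends the whole request to OPA and calls Next only on allow == true.
type OPAMiddleware struct {
	Next   http.Handler
	OPAURL string // e.g. http://opa.kube-system:8181/v1/data/httpapi/authz
	Client *http.Client
}

// BuildInput buffers the body (bounded) and puts it back on r so the upstream still gets it.
func BuildInput(r *http.Request) (*OPAInput, error) {
	body, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1)) // server-side r.Body is never nil
	if err != nil {
		return nil, err
	}
	if len(body) > maxBody {
		return nil, fmt.Errorf("body exceeds %d bytes", maxBody)
	}
	r.Body = io.NopCloser(bytes.NewReader(body))
	return &OPAInput{Method: r.Method, Path: r.URL.Path, Headers: r.Header, Body: string(body)}, nil
}

// Authorize POSTs {"input": in} to the Data API and reads {"result": {"allow": bool}}.
// An OPA error body or an undefined result decodes to allow == false, so it denies.
func (m *OPAMiddleware) Authorize(in *OPAInput) (bool, error) {
	payload, _ := json.Marshal(map[string]interface{}{"input": in})
	resp, err := m.Client.Post(m.OPAURL, "application/json", bytes.NewReader(payload))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	var out struct{ Result struct{ Allow bool } } // encoding/json matches keys case-insensitively
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return false, err
	}
	return out.Result.Allow, nil
}

// ServeHTTP fails closed: every error path denies instead of letting the request through.
func (m *OPAMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	in, err := BuildInput(r)
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	allowed, err := m.Authorize(in)
	switch {
	case err != nil: // OPA unreachable or malformed reply
		http.Error(w, "authorization unavailable", http.StatusBadGateway)
	case !allowed:
		http.Error(w, "forbidden", http.StatusForbidden)
	default:
		m.Next.ServeHTTP(w, r)
	}
}

// FakeOPA stands in for a real OPA server (constructed for this example). Its "policy"
// allows only POST /orders whose JSON body has amount <= 100: a decision that needs the body.
func FakeOPA() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req struct{ Input OPAInput }
		var order struct{ Amount float64 }
		_ = json.NewDecoder(r.Body).Decode(&req) // on bad input req stays zero and is denied
		allow := req.Input.Method == "POST" && req.Input.Path == "/orders" &&
			json.Unmarshal([]byte(req.Input.Body), &order) == nil && order.Amount <= 100
		fmt.Fprintf(w, `{"result": {"allow": %t}}`, allow)
	}))
}

// Decide runs one request through the middleware and returns the status code plus what
// the upstream echoed back, which proves the body survived the policy call.
func Decide(opaURL, method, path, body string) (int, string) {
	echo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { io.Copy(w, r.Body) })
	mw := &OPAMiddleware{Next: echo, OPAURL: opaURL, Client: &http.Client{Timeout: 2 * time.Second}}
	rec := httptest.NewRecorder()
	mw.ServeHTTP(rec, httptest.NewRequest(method, path, strings.NewReader(body)))
	return rec.Code, rec.Body.String()
}

func main() {
	opa := FakeOPA()
	defer opa.Close()
	fmt.Println(Decide(opa.URL, "POST", "/orders", `{"amount": 50}`))
	fmt.Println(Decide(opa.URL, "POST", "/orders", `{"amount": 5000}`))
}
```

The two things a reviewer should look for in any such middleware are both here: the body is read once into a bounded buffer and reattached, so the upstream is not handed an already-drained stream, and every failure (oversized body, OPA down, unparsable reply) results in a denial rather than a pass-through.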
## Installation
### Using Helm
```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChart # or HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments:
      - "--experimental.plugins.opa.moduleName=github.com/edgeflare/traefikopa"
      - "--experimental.plugins.opa.version=v0.0.1"
      # - others-additional-arguments
```
### Using command line arguments
```sh
traefik \
--experimental.plugins.opa.moduleName=github.com/edgeflare/traefikopa \
--experimental.plugins.opa.version=v0.0.1
```
## Usage in Kubernetes
```yaml
apiVersion: traefik.containo.us/v1alpha1 # traefik.io/v1alpha1 on Traefik v3
kind: Middleware
metadata:
  name: opa-authz
  namespace: kube-system
spec:
  plugin:
    opa:
      URL: http://opa.kube-system:8181/v1/data/httpapi/authz
      # Assuming OPA is installed in kube-system namespace
      # and exposed via a service named opa on port 8181
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: yourapp.example.com
  namespace: demo
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`yourapp.example.com`)
      kind: Rule
      services:
        - name: yourapp-service
          port: 80
      middlewares:
        - name: opa-authz
          # The Middleware lives in kube-system, not demo, so the namespace must be
          # given here; cross-namespace references also require Traefik to run with
          # --providers.kubernetescrd.allowCrossNamespace=true
          namespace: kube-system
  tls: # optional
    secretName: yourapp.example.com-tls
---
# Use either IngressRoute, or Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: yourapp.example.com
  namespace: demo
  annotations:
    kubernetes.io/ingress.class: traefik
    # <namespace>-<middleware name>@kubernetescrd
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-opa-authz@kubernetescrd
spec:
  rules:
    - host: yourapp.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: yourapp-service
                port:
                  number: 80
```
See [example](https://github.com/edgeflare/traefik-opa-proxy/tree/master/example) for Kubernetes deployment manifests.