Pomerium OSS + LogTo in k3s (Traefik)

What happened?

I have recently installed LogTo into my cluster and configured a few basics. Right now, my k3s cluster is not exposed to the public - I want to figure out authentication and authorization beforehand.

The grand idea is:

  • Local network can always access everything (192.168.1.0/24 at home and 100.64.0.0/24 via Headscale/Tailscale VPN)
  • Friends on a certain Discord Server (Guild) can access resources shared to them as “group” - this should be handled through LogTo.
  • A generic Login I can use - already exists in LogTo.

What did you expect to happen?

While reading through the Helm Chart values, I was somewhat confused as to how I should configure Traefik. So, I have it and cert-manager set up to use Let’s Encrypt with my domain (*.birb.it) through DNS challenge - so, everything in the cluster that wants a cert, can get one. No problem.
But what I struggled with is figuring out how to properly configure Pomerium as an auth middleware for Traefik.

There is a ForwardAuth middleware in Traefik - but I couldn’t figure out how to bind that, Pomerium and the OIDC creds from LogTo together in the Helm values.

How’d it happen?

Nothing has happened yet 🙂

What’s your environment like?

  • Pomerium version (retrieve with pomerium --version): None installed yet; prepwork!
  • Server Operating System/Architecture/Cloud: Linux, arm64, k3s v1.29.3+k3s1

What’s your config.yaml?

I will be using k3s’ HelmChart API object, which embeds the values.yaml.

What did you see in the logs?

None, yet.

Additional context

I am still sort of new to Kubernetes; the only auth proxy I ever used was based on Caddy (caddy-security, aka authp) and I used its Discord integration back then to set things up. But I am trying to get away from my salad of docker-compose deployments and migrate to k3s across all my servers. So, I need authN/-Z - and I want to use Pomerium as the layer in between where this feature is not available in the app itself (i.e. i2pd’s dashboard) or to generally secure certain resources so that they are only reachable in the first place by users that really should reach them (projects in alpha state or alike).

Thank you and kind regards,
Ingwie

Pomerium no longer supports forwardauth with traefik. It’s designed to be an edge proxy. For Kubernetes we have an ingress controller which will automatically convert ingress definitions to Pomerium routes. The ingress controller works with k3s.
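To make the ingress-controller approach in the reply above concrete, here is an added example that is not from this thread or from the Pomerium project: a global `Pomerium` object pointing at LogTo as a generic OIDC provider, plus one `Ingress` that the controller turns into a Pomerium route. The CRD fields, the `ingress.pomerium.io/policy` annotation and the PPL criteria are written from memory of the Pomerium documentation and should be checked against the version installed; hostnames under `birb.it`, namespaces, Secret names, the LogTo issuer URL, the `groups` claim and the i2pd console port are placeholders chosen for the example.

```yaml
# Added example (not from the thread or the Pomerium project).
# All hostnames, namespaces, Secret names and the LogTo URL are placeholders.
---
# Global Pomerium settings: the "Pomerium" CRD object named "global".
apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global
spec:
  # Sign-in endpoint; it needs its own DNS record and certificate.
  authenticate:
    url: https://authenticate.birb.it
  # LogTo is used as a generic OIDC provider. The referenced Secret must
  # hold the client_id and client_secret of the application created in LogTo.
  identityProvider:
    provider: oidc
    url: https://logto.birb.it/oidc      # placeholder issuer URL
    secret: pomerium/idp
  # Secret with Pomerium's shared_secret, cookie_secret and signing_key.
  secrets: pomerium/bootstrap
---
# One protected application. This Ingress replaces what a Traefik
# ForwardAuth middleware would have done; the controller converts it
# into a Pomerium route with the policy below attached.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: i2pd-dashboard
  namespace: i2pd
  annotations:
    # Pomerium Policy Language. Only signed-in users whose ID token carries
    # a "groups" claim containing "friends" reach the upstream. This assumes
    # LogTo is configured to emit such a claim (assumption, not verified).
    ingress.pomerium.io/policy: |
      - allow:
          or:
            - claim/groups: friends
    # cert-manager issues the certificate; issuer name is a placeholder.
    cert-manager.io/cluster-issuer: letsencrypt-dns
spec:
  # Hand this Ingress to Pomerium instead of Traefik.
  ingressClassName: pomerium
  tls:
    - hosts: [i2pd.birb.it]
      secretName: i2pd-birb-it-tls
  rules:
    - host: i2pd.birb.it
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: i2pd
                port:
                  number: 7070   # i2pd web console port (placeholder)
```

The point of the split is that authentication lives in the `Pomerium` object once, while each `Ingress` only declares who may reach that one upstream; a route with no policy annotation denies everyone, so a forgotten annotation fails closed rather than open.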

Ohh I see! So I would have to somehow configure Traefik (ingress) → Pomerium (ingress) → ?

This may be possible but it’s tricky to configure. Ideally Traefik isn’t used at all. Is there a feature from Traefik that you need?