Pomerium OSS + LogTo in k3s (Traefik)

IngwiePhoenix · May 8, 2024, 10:13am

What happened?

I have recently installed LogTo into my cluster and configured a few basics. Right now, my k3s cluster is not exposed to the public - I want to figure out authentication and authorization beforehand.

The grand idea is:

Local network can always access everything (192.168.1.0/24 at home and 100.64.0.0/24 via Headscale/Tailscale VPN)
Friends on a certain Discord Server (Guild) can access resources shared to them as “group” - this should be handled through LogTo.
A generic Login I can use - already exists in LogTo.

What did you expect to happen?

While reading through the Helm Chart values, I was somewhat confused as to how I should configure Traefik. So, I have it and cert-manager set up to use Let’s Encrypt with my domain (*.birb.it) through DNS challenge - so, everything in the cluster that wants a cert, can get one. No problem.
But what I struggled with is figuring out how to properly configure Promerium as an auth middleware for Traefik.

There is a ForwardAuth middleware in Traefik - but I couldn’t figure out how to bind that, Promerium and OIDC creds from LogTo, together into the Helm values.

How’d it happen?

Nothing has happened yet

What’s your environment like?

Pomerium version (retrieve with pomerium --version): None installed yet; prepwork!
Server Operating System/Architecture/Cloud: Linux, arm64, k3s v1.29.3+k3s1

What’s your config.yaml?

I will be using k3s’ HelmChart API object, which embeds the values.yaml.

What did you see in the logs?

None, yet.

Additional context

I am still sort-of new to kubernetes; the only auth-proxy I ever used was based on Caddy (caddy-security aka. authp) and I used it’s Discord integration back then to set things up. But, I am trying to get away from my salad of docker-compose deployments and migrate to k3s across all my servers. So, I need authN/-Z - and I want to use Promerium as the layer inbetween where this feature is not available in the app itself (i.e. i2pd’s dashboard) or to generally secure certain resources away to only be reachable in the first place by users that really should (projects in alpha state or alike).

Thank you and kind regards,
Ingwie

calebdoxsey · May 9, 2024, 1:09pm

Pomerium no longer supports forwardauth with traefik. It’s designed to be an edge proxy. For Kubernetes we have an ingress controller which will automatically convert ingress definitions to Pomerium routes. The ingress controller works with k3s.

IngwiePhoenix · May 9, 2024, 2:03pm

Ohh I see! So I would have to somehow configure Traefik (ingress) → Pomerium (ingress) → ?

calebdoxsey · May 9, 2024, 6:34pm

This may be possible but its tricky to configure. Ideally traefik isn’t used at all. Is there a feature from traefik that you need?

Topic		Replies	Views
TrueNAS Scale / TrueCharts Integrations self-hosted	2	555	August 14, 2023
Announcing Pomerium v0.27.1 Announcements	0	8	October 1, 2024
Pomerium v0.16 is here! Announcements	0	272	January 12, 2022
On Implementing Pomerium Without Forward Auth Support	1	446	December 20, 2021
Fun and Easy SSO for Prometheus Community Showcase	0	339	May 10, 2022