This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/docs/providers/proxy/_nginx_ingress.md
Jens L e40a0b1f8b
website/docs: add notice for nginx ingress configuration requirement (#7027)
* website/docs: add notice for nginx ingress configuration requirement

https://github.com/goauthentik/infrastructure/pull/574
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* Update website/docs/providers/proxy/_nginx_ingress.md

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Jens L. <jens@beryju.org>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Jens L. <jens@beryju.org>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
2023-10-02 16:04:26 +02:00

2 KiB

Create a new ingress for the outpost

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
    name: authentik-outpost
spec:
    rules:
        - host: app.company
          http:
              paths: /outpost.goauthentik.io
              pathType: Prefix
              backend:
                  # Or, to use an external Outpost, create an ExternalName service and reference that here.
                  # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
                  service:
                      name: ak-outpost-example-outpost
                      port:
                          number: 9000

This ingress handles authentication requests, and the sign-in flow.

Add these annotations to the ingress you want to protect

:::warning This configuration requires that you enable allow-snippet-annotations, for example by setting controller.allowSnippetAnnotations to true in your helm values for the ingress-nginx installation. :::

metadata:
    annotations:
        # This should be the in-cluster DNS name for the authentik outpost service
        # as when the external URL is specified here, nginx will overwrite some crucial headers
        nginx.ingress.kubernetes.io/auth-url: |-
            http://ak-outpost-example.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx            
        # If you're using domain-level auth, use the authentication URL instead of the application URL
        nginx.ingress.kubernetes.io/auth-signin: |-
            https://app.company/outpost.goauthentik.io/start?rd=$escaped_request_uri            
        nginx.ingress.kubernetes.io/auth-response-headers: |-
            Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid            
        nginx.ingress.kubernetes.io/auth-snippet: |
            proxy_set_header X-Forwarded-Host $http_host;