This plugin is useful when the full request context is needed to evaluate an OPA policy decision. Traefik's forwardAuth middleware does not preserve the whole request before forwarding it to the authorization server: it strips, for example, the request body, so a policy that must inspect the body cannot be enforced that way. If you cannot modify the Traefik installation (plugins have to be enabled at startup, as shown below), consider the simpler traefik-opa-proxy, which has those limitations.
```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChart # or HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments:
    - "--experimental.plugins.opa.moduleName=github.com/edgeflare/traefikopa"
    - "--experimental.plugins.opa.version=v0.0.1"
    # - others-additional-arguments
```
```shell
traefik \
  --experimental.plugins.opa.moduleName=github.com/edgeflare/traefikopa \
  --experimental.plugins.opa.version=v0.0.1
```
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: opa-authz
  namespace: kube-system
spec:
  plugin:
    opa:
      URL: http://opa.kube-system:8181/v1/data/httpapi/authz
      # Assuming OPA is installed in the kube-system namespace
      # and exposed via a service named opa on port 8181
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: yourapp.example.com
  namespace: demo
spec:
  entryPoints:
  - web
  - websecure
  routes:
  - match: Host(`yourapp.example.com`)
    kind: Rule
    services:
    - name: yourapp-service
      port: 80
    middlewares:
    - name: opa-authz
      # The middleware lives in another namespace; referencing it from demo
      # requires Traefik to run with --providers.kubernetescrd.allowCrossNamespace=true
      namespace: kube-system
  tls: # optional
    secretName: yourapp.example.com-tls
---
# Use either IngressRoute, or Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: yourapp.example.com
  namespace: demo
  annotations:
    kubernetes.io/ingress.class: traefik
    # <namespace>-<middleware name>@kubernetescrd; cross-namespace use is
    # again subject to allowCrossNamespace
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-opa-authz@kubernetescrd
spec:
  rules:
  - host: yourapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: yourapp-service
            port:
              number: 80
```
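To make concrete what "full request context" buys you over forwardAuth, here is an added example (not the plugin's own code) of the round trip the Middleware's `URL` implies: capture method, path, headers and body, POST them as `input` to the OPA Data API, and fail closed on anything that is not a clear allow. The `input` field names, the `X-User` header, the `/api/orders` route, the body-aware decision logic and the fake OPA server are all constructed for this example; how the real plugin shapes `input` and reads the response is not documented on this page, so the decoder below accepts either a bare boolean `result` or a `result.allow` field and denies everything else.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// OPAInput is the request context handed to OPA under "input".
// Field names are this example's own choice, not the plugin's.
type OPAInput struct {
	Method  string              `json:"method"`
	Path    string              `json:"path"`
	Headers map[string][]string `json:"headers"`
	Body    string              `json:"body"`
}

// BuildInput reads the body (capped so a huge upload cannot exhaust memory)
// and restores it so the upstream service can still read it afterwards.
func BuildInput(r *http.Request) (OPAInput, error) {
	var body []byte
	if r.Body != nil {
		b, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // 1 MiB cap
		if err != nil {
			return OPAInput{}, err
		}
		body = b
		r.Body = io.NopCloser(bytes.NewReader(body))
	}
	return OPAInput{Method: r.Method, Path: r.URL.Path, Headers: r.Header.Clone(), Body: string(body)}, nil
}

// Authorize POSTs {"input": ...} to an OPA Data API URL such as
// http://opa.kube-system:8181/v1/data/httpapi/authz and returns the decision.
// Anything other than result == true or result.allow == true is a deny.
func Authorize(opaURL string, in OPAInput) (bool, error) {
	payload, err := json.Marshal(map[string]any{"input": in})
	if err != nil {
		return false, err
	}
	resp, err := http.Post(opaURL, "application/json", bytes.NewReader(payload))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("opa returned HTTP %d", resp.StatusCode)
	}
	var out struct {
		Result json.RawMessage `json:"result"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return false, err
	}
	var b bool
	if json.Unmarshal(out.Result, &b) == nil {
		return b, nil
	}
	var doc struct {
		Allow bool `json:"allow"`
	}
	if json.Unmarshal(out.Result, &doc) == nil {
		return doc.Allow, nil
	}
	return false, nil // unknown shape: fail closed
}

// FakeOPA stands in for the opa service (constructed for this example). It
// behaves like a body-aware policy: allow only a POST to /api/orders whose
// JSON body "owner" equals the X-User header. A forwardAuth-based check
// could not express this because the body never reaches the authz server.
func FakeOPA() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req struct {
			Input OPAInput `json:"input"`
		}
		_ = json.NewDecoder(r.Body).Decode(&req)
		var body struct {
			Owner string `json:"owner"`
		}
		_ = json.Unmarshal([]byte(req.Input.Body), &body)
		user := ""
		if v := req.Input.Headers["X-User"]; len(v) > 0 {
			user = v[0]
		}
		allow := req.Input.Method == "POST" && req.Input.Path == "/api/orders" &&
			body.Owner != "" && body.Owner == user
		// Mirrors what /v1/data/httpapi/authz returns: the package document.
		_ = json.NewEncoder(w).Encode(map[string]any{"result": map[string]bool{"allow": allow}})
	}))
}

// Decide runs the whole flow for one synthetic request.
func Decide(opaURL, method, path, user, body string) (bool, error) {
	req := httptest.NewRequest(method, "http://yourapp.example.com"+path, strings.NewReader(body))
	if user != "" {
		req.Header.Set("X-User", user)
	}
	in, err := BuildInput(req)
	if err != nil {
		return false, err
	}
	return Authorize(opaURL, in)
}

func main() {
	opa := FakeOPA()
	defer opa.Close()
	ok, err := Decide(opa.URL, "POST", "/api/orders", "alice", `{"owner":"alice"}`)
	fmt.Println("alice posting her own order:", ok, err)
	ok, err = Decide(opa.URL, "POST", "/api/orders", "alice", `{"owner":"bob"}`)
	fmt.Println("alice posting bob's order:", ok, err)
}
```

Two points carry over to a real deployment: the body cap protects the gateway from unbounded reads before the policy even runs, and the decoder denies on any response it does not understand (non-200, malformed JSON, unexpected shape), so an OPA outage or a policy refactor that renames the rule fails closed rather than open.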
See example for Kubernetes deployment manifests.