Envoy Gateway
Envoy Gateway is a Gateway API implementation, which means it offers a relatively comprehensive set of integration options. Envoy Gateway is supported with Authelia v4.37.0 and higher via the Envoy proxy external authorization filter.
In addition to this configuration, it’s possible to configure the integration via OpenID Connect 1.0 which may be more desirable when you wish to share an ID Token or Access Token with a backend. See that guide here.
The Envoy Proxy documentation may also be useful with this ingress even though it’s not specific to Kubernetes.
Get started
It’s strongly recommended that users setting up Authelia for the first time take a look at our Get started guide. This takes you through various steps which are essential to bootstrapping Authelia.
Variables
Some of the values within this page can automatically be replaced with documentation variables.
Example
This example assumes that you have deployed an Authelia pod and you have configured it to be served on the URL https://auth.example.com, that there is a Kubernetes Service with the name authelia in the default namespace with TCP port 80 configured to route to the Authelia pod’s HTTP port, and that your cluster is configured with the default DNS domain name of cluster.local.
Security Policy
The following Security Policy examples assume the following:
- Authelia is deployed to the default namespace.
- Authelia is deployed with a service named authelia which translates port 80 to the Authelia server port.
Scoped to Gateway
This is an example SecurityPolicy manifest adjusted to authenticate with Authelia which is scoped to a single Gateway named eg.
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: 'authelia-extauthz-by-gateway'
spec:
  targetRefs:
    - group: 'gateway.networking.k8s.io'
      kind: 'Gateway'
      name: 'eg'
  extAuth:
    http:
      backendRefs:
        - name: 'authelia'
          namespace: 'default'
          port: 80
      path: '/api/authz/ext-authz/'
      headersToBackend:
        - 'remote-*'
        - 'authelia-*'
    failOpen: false
    headersToExtAuth:
      - 'accept'
      - 'cookie'
      - 'authorization'
      - 'header-authorization'
      - 'x-forwarded-proto'
Scoped to HTTP Route
This is an example SecurityPolicy manifest adjusted to authenticate with Authelia which is scoped to a single HTTPRoute named example.
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: 'authelia-extauthz-by-route'
spec:
  targetRefs:
    - group: 'gateway.networking.k8s.io'
      kind: 'HTTPRoute'
      name: 'example'
  extAuth:
    http:
      backendRefs:
        - name: 'authelia'
          namespace: 'default'
          port: 80
      path: '/api/authz/ext-authz/'
      headersToBackend:
        - 'remote-*'
        - 'authelia-*'
    failOpen: false
    headersToExtAuth:
      - 'accept'
      - 'cookie'
      - 'authorization'
      - 'header-authorization'
      - 'x-forwarded-proto'
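As an added example (not part of this page and not code from the Authelia or Envoy Gateway projects), a small POSIX shell lint for a SecurityPolicy manifest such as the two above. It checks the settings the integration depends on: failOpen must be false (true would admit every request while Authelia is unreachable), the path must be Authelia's ext-authz endpoint, and the headers Authelia needs must be listed under headersToExtAuth rather than elsewhere. The function names and the embedded sample manifest are constructed for this example.

```shell
# Added example, not from Authelia or Envoy Gateway. Assumes one SecurityPolicy
# per file, indented like the manifests on this page (no flow-style lists).
# write_sample_policy FILE: constructed manifest mirroring the policy above.
write_sample_policy() {
  cat > "$1" <<'EOF'
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
spec:
  extAuth:
    http:
      backendRefs:
        - name: 'authelia'
          namespace: 'default'
          port: 80
      path: '/api/authz/ext-authz/'
      headersToBackend:
        - 'remote-*'
        - 'authelia-*'
    failOpen: false
    headersToExtAuth:
      - 'cookie'
      - 'authorization'
      - 'x-forwarded-proto'
EOF
}
# list_items KEY FILE: print the items of the YAML list directly under KEY,
# with quotes stripped; the list ends at the first non-item line.
list_items() {
  awk -v key="$1" -v q="'" '
    $0 ~ "^[[:space:]]*" key ":" { in_list = 1; next }
    in_list && /^[[:space:]]*-/ { sub(/^[[:space:]]*-[[:space:]]*/, ""); gsub(q, ""); print; next }
    in_list { in_list = 0 }' "$2"
}
# lint_policy FILE: print each failed check; returns 0 only when all pass.
lint_policy() {
  rc=0
  grep -Eq '^[[:space:]]*failOpen:[[:space:]]*false[[:space:]]*$' "$1" \
    || { echo "FAIL: failOpen must be false"; rc=1; }
  grep -Eq "^[[:space:]]*path:[[:space:]]*'?/api/authz/ext-authz/'?[[:space:]]*$" "$1" \
    || { echo "FAIL: extAuth.http.path must be /api/authz/ext-authz/"; rc=1; }
  # Without these Authelia never sees the session cookie, credentials or scheme.
  for h in cookie authorization x-forwarded-proto; do
    list_items headersToExtAuth "$1" | grep -qx "$h" \
      || { echo "FAIL: headersToExtAuth does not forward '$h'"; rc=1; }
  done
  return $rc
}
```

Run it against a manifest with `lint_policy policy.yaml`; a non-zero exit with one FAIL line per problem is what to wire into a CI check before the policy is applied.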
HTTP Route
The following HTTPRoute has the above SecurityPolicy applied to it for the app.example.com domain:
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: 'example'
spec:
  parentRefs:
    - name: 'eg'
  hostnames:
    - 'app.example.com'
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: app
          port: 80
Reference Grant
If the Gateway is deployed to a namespace different from the one Authelia is deployed to, you may need to apply a ReferenceGrant to permit this communication. The following example assumes the following:
- Authelia is deployed to the default namespace.
- You have deployed the Scoped to Gateway Security Policy to the eg namespace.
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: 'example-ref-authelia-svc'
  namespace: 'default'
spec:
  from:
    # A 'from' entry is matched by group, kind and namespace only; there is no
    # per-object name field, so this admits every SecurityPolicy in 'eg'.
    - group: 'gateway.envoyproxy.io'
      kind: 'SecurityPolicy'
      namespace: 'eg'
  to:
    - group: ''
      kind: 'Service'
      name: 'authelia'
See Also
- Envoy Gateway General Documentation
- Envoy Gateway External Authorization Security Tasks Documentation
- Envoy Gateway OIDC Authentication Security Tasks Documentation