use ictsc/traefik-forward-auth

manifest/infrastructure/forward-auth/chart/templates/deployment.yaml

@@ -13,7 +13,7 @@ spec:
     spec:
       containers:
         - name: forward-auth
-          image: thomseddon/traefik-forward-auth:latest
+          image: ghcr.io/ictsc/traefik-forward-auth:latest
           ports:
             - containerPort: 4181
           args:
@@ -23,6 +23,12 @@ spec:
             - --default-provider=oidc
             - --providers.oidc.issuer-url={{ required "A valid issuer is required." .Values.issuer }}
             - --providers.oidc.client-id=dex-client
+{{- if .Values.skipJwtBearerTokens }}
+            - --skip-jwt-bearer-tokens=true
+{{- end }}
+{{- if .Values.tokenPropagation }}
+            - --token-propagation=bearer
+{{- end }}
           env:
             - name: PROVIDERS_OIDC_CLIENT_SECRET
               valueFrom:

manifest/infrastructure/forward-auth/chart/templates/middleware.yaml

@@ -5,5 +5,7 @@ metadata:
 spec:
   forwardAuth:
     address: http://{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local:4181
+{{- if .Values.tokenPropagation }}
     authResponseHeaders:
-      - X-Forwarded-User
+      - Authorization
+{{- end }}

manifest/infrastructure/forward-auth/chart/values.yaml

@@ -6,3 +6,7 @@
 issuer:
 # (required) クッキーを発行したいドメインを配列で指定
 domains:
+# IDトークンをBearerに伝播させるか
+tokenPropagation: false
+# Bearerトークンがあった時、クッキーの検証をスキップするか
+skipJwtBearerTokens: false

manifest/infrastructure/forward-auth/env/dev/forward-auth.yaml

@@ -2,3 +2,4 @@ issuer: https://dex.drove-dev.ictsc.net
 domains:
   - drove-dev.ictsc.net
   - contest-dev.ictsc.net
+tokenPropagation: true

manifest/infrastructure/forward-auth/env/prod/forward-auth.yaml

@@ -1,3 +1,4 @@
 issuer: https://dex.drove.ictsc.net
 domains:
   - drove.ictsc.net
+tokenPropagation: true