Then I send curl to admin-api-dev service and expect the full request path to be sent to the forwardAuth address, like http://innsmouth.dev/api/extauth/my-path-here, as it was in traefik@1.7.x,
or maybe in a header, no matter; however, there is no request path at all, neither in the forwardAuth address path nor in a header.
How can I get full request path? I kinda need it for permission model.
I don't know the answer, but I have the following comments:
You are saying what you are not seeing, but you are not saying what you are seeing; that would be extremely useful to those who can answer the question.
You say "I send curl to admin-api-dev service". This is vague at best and an inference at worst: curl is not aware of the concept of a service, be it a Kubernetes service or a Traefik service. What you probably wanted to say is that you are issuing a request with curl to such-and-such URL and you are expecting it to be routed to a certain service. It would be good if you could say what you actually specified with curl.
Your middleware reference in the admin-api-dev IngressRoute for cerberus-auth-api specifies namespace staging, but in the middleware definition itself the namespace is omitted.
From what I understand, the middleware is supposed to include the request URI in the X-Forwarded-Uri header. If you specify trustForwardHeader: true and the request already has an X-Forwarded-Uri header when it arrives, it's not going to be replaced.
This is all pure speculation though, as you are not showing either your request or response along with the headers.
Hello, it looks like you are doing something wrong.
I just checked a setup similar to your own and I'm getting X-Forwarded-Uri header just alright.
Here is a reproducible setup I used.
```yaml
# Demo to prove X-Forwarded-Uri is passed by traefik
# Using devd to log incoming requests
# This will stand in for auth server.
# It won't do any auth, but at least we see what's being passed
# https://github.com/cortesi/devd
# https://github.com/thurt/docker-devd
# https://hub.docker.com/r/tahurt/docker-devd
apiVersion: apps/v1
kind: Deployment
metadata:
  name: devd
  labels:
    app: devd
    stamp: "1"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: devd
  template:
    metadata:
      labels:
        app: devd
    spec:
      containers:
        - name: devd
          image: tahurt/docker-devd
          args: ["-H","/static"]
          ports:
            - containerPort: 8000
# Expose devd
---
apiVersion: v1
kind: Service
metadata:
  name: devd
spec:
  selector:
    app: devd
  ports:
    - name: web
      port: 80
      targetPort: 8000
# A stand-in service we are protecting with forward auth
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
  labels:
    app: whoami
    stamp: "1"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: containous/whoami
# Expose whoami
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  selector:
    app: whoami
  ports:
    - name: web
      port: 80
      targetPort: 80
# This is the ingress route for whoami for traefik
# We use fa middleware here
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
  name: whoami
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      # make sure that this resolves to the traefik instance
      match: Host(`fatest.internal`)
      middlewares:
        - name: fa
      services:
        - name: whoami
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: fa
spec:
  forwardAuth:
    # Note that we need correct namespace after `devd` here so that traefik container could resolve the name
    address: http://devd.my-default-namespace
    authResponseHeaders:
      - "uber-trace-id"
      - "x-flow-id"
      - "x-request-id"
    trustForwardHeader: true
```
fatest.internal here needs to resolve to the traefik instance which should be exposed on port 80 externally. The yaml does not specify a namespace so when you apply it with kubectl apply -f fa.yaml the objects are created in your default namespace. I used my-default-namespace for the name but you should change that to your own.
Now when you do curl http://fatest.internal/hello/world you see something similar to:
And when you run kubectl logs -l app=devd --tail=100, you'll see something like that:
```
20:50:08: GET /
X-Forwarded-Server: traefik-ingress-controller-sd49r
Accept-Encoding: gzip
Accept: */*
X-Forwarded-For: 10.20.1.16
X-Forwarded-Method: GET
X-Forwarded-Port: 80
X-Forwarded-Uri: /hello/world
X-Real-Ip: 10.20.1.16
User-Agent: curl/7.55.1
X-Forwarded-Host: fatest.internal
X-Forwarded-Proto: http
<- 200 OK 141 B
Last-Modified: Wed, 17 Jan 2018 22:15:21 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 141
```
Note how this includes X-Forwarded-Uri.
I believe that your problem is not with traefik. I suggest trying my configuration, making sure that you could reproduce my result and then trying step-by-step bridging the gap between your example and mine (from either side). Hopefully the case of disappearing header could be solved this way. Good luck!
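
For the permission model mentioned in the question, here is a sketch of an auth endpoint that decides on the X-Forwarded-Method and X-Forwarded-Uri headers seen in the devd log. It is an added example, not code from anyone in this thread. The token table, roles and policy are constructed sample data, and it assumes X-Forwarded-Uri was set by Traefik rather than by the client, which is what the trustForwardHeader remark earlier in the thread bears on.

```python
import posixpath
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Constructed sample data: bearer token -> role, role -> allowed (method, path prefix).
TOKENS = {"viewer-token": "viewer", "admin-token": "admin"}
POLICY = {
    "viewer": [("GET", "/hello")],
    "admin": [("GET", "/"), ("POST", "/")],
}


def decide(headers):
    """Return the status for the auth response; a 2xx lets the request through."""
    auth = headers.get("Authorization", "")
    role = TOKENS.get(auth[7:] if auth.startswith("Bearer ") else "")
    if role is None:
        return 401
    method = headers.get("X-Forwarded-Method", "")
    uri = headers.get("X-Forwarded-Uri", "")
    # X-Forwarded-Uri carries path plus query string; authorize on the decoded path.
    path = unquote(uri.partition("?")[0])
    # Fail closed on a missing header or on a path the backend could resolve
    # differently from how it is written (dot segments, doubled slashes).
    if not path.startswith("/") or "//" in path:
        return 403
    if posixpath.normpath(path) != (path.rstrip("/") or "/"):
        return 403
    for allowed_method, prefix in POLICY[role]:
        # Match whole path segments so "/hello" does not also allow "/helloworld".
        if method == allowed_method and (
            path == prefix or path.startswith(prefix.rstrip("/") + "/")
        ):
            return 200
    return 403


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # the devd log above shows the auth request arriving as GET /
        self.send_response(decide(self.headers))
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8000), AuthHandler).serve_forever()
```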