Hi, I'm containerizing an application to be deployed in Kubernetes and I need a basicauth for a single path prefix. Currently I have the following Ingress configuration:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: service-auth
spec:
  basicAuth:
    secret: service-auth
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/issuer: "letsencrypt-prod"
    traefik.ingress.kubernetes.io/frontend-entry-points: http, https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
spec:
  tls:
    - hosts:
        - fqdn
      secretName: fqdn-tls
  rules:
    - host: fqdn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service
                port:
                  name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service-auth
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/issuer: "letsencrypt-prod"
    traefik.ingress.kubernetes.io/frontend-entry-points: http, https
    traefik.ingress.kubernetes.io/redirect-entry-point: https
    traefik.ingress.kubernetes.io/router.middlewares: default-service-auth@kubernetescrd
spec:
  tls:
    - hosts:
        - fqdn
      secretName: fqdn-tls
  rules:
    - host: fqdn
      http:
        paths:
          - path: /admin/
            pathType: Prefix
            backend:
              service:
                name: service
                port:
                  name: http
```
This seems to be working, but I just want to make sure - can I rely on the /admin/ prefix to always be picked up by the second ingress, or is there a chance that it will be picked up by the ingress with the / prefix and thus displayed without basicauth? Basically - does Traefik choose the first ingress match or does it choose the ingress with the longest path prefix match?
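
Traefik's documented default is to sort routers by descending rule length, so the longer rule is tried first regardless of the order in which the Ingresses were created. The sketch below is an added example, not part of the original post or Traefik's own code; it models that ordering for the two Ingresses above, assuming each path becomes a `Host && PathPrefix` rule matched as a plain string prefix (the exact generated rule text varies by Traefik version).

```python
"""Model of default router ordering for the two Ingresses in the post."""

# Assumption: one Host && PathPrefix rule per Ingress path. The rule text
# Traefik really generates depends on its version; only the relative
# length of the two rules matters here.
ROUTERS = [
    {"name": "service", "host": "fqdn", "prefix": "/", "basic_auth": False},
    {"name": "service-auth", "host": "fqdn", "prefix": "/admin/", "basic_auth": True},
]


def rule(router):
    """Render the assumed rule string for a router."""
    return f"Host(`{router['host']}`) && PathPrefix(`{router['prefix']}`)"


def priority(router):
    """Documented default: priority equals the length of the rule."""
    return len(rule(router))


def select(host, path, routers=ROUTERS):
    """Return the first matching router after sorting by priority."""
    for router in sorted(routers, key=priority, reverse=True):
        # Assumption: PathPrefix is a plain string-prefix comparison.
        if host == router["host"] and path.startswith(router["prefix"]):
            return router
    return None


def unprotected(paths, host="fqdn"):
    """List the paths that would be served without the basicAuth middleware."""
    hits = []
    for path in paths:
        router = select(host, path)
        if router is not None and not router["basic_auth"]:
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Constructed sample paths, including near-misses of the /admin/ prefix.
    for p in ["/", "/admin", "/admin/", "/admin/users", "/administrator"]:
        r = select("fqdn", p)
        print(f"{p:15} -> {r['name']:13} basic_auth={r['basic_auth']}")
```

Under these assumptions `/admin` without the trailing slash falls through to the `/` router, so confirm against the live ingress that an unauthenticated request to it returns 401 or is not served by the backend.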