Traefik Proxy - multi-tenancy configuration

Hi all.

I have the following configuration on AWS.

ALB Ingress Controller → Traefik Ingress Controller (NodePort)

I am using the ForwardAuth middleware to authenticate/validate the resulting token and setting it as a tenant identifier header X-Tenant-Id. So far so good.

I have a namespace per tenant corresponding to the header value.

Each tenant can/will have arbitrarily mapped services (e.g., tenant-1 may have /projects/test/1 and tenant-2 may have /my-apps)

I'd like each tenant to be encapsulated and to that end the IngressRoute seems correct.

My issue in this is it's quite verbose and error prone.

For example:

kind: IngressRoute
  name: org1
  namespace: org1
  - web
  - kind: Rule
    match: Host(``) && Header(`x-tenant-id`, `org1`) && PathPrefix(`/app1`)
      - name: app1
        port: 80
  - kind: Rule
    match: Host(``) && Header(`x-tenant-id`, `org1`) &&  && Path(`/app2`)
      - name: app2
        port: 80

I'd like to reduce the verbosity of the match rules.

I have come up with a few strategies to mitigate this but would like feedback.

  1. Template the IngressRoute and deal with the verbosity by automation
  2. Write a middleware that puts the tenant id on a path and use an Ingress per tenant
  3. Use an IngressRoute per tenant and only one match rule with all services under this one match.
  4. Write some middleware to possibly forward the request more specifically (e.g., to the internal namespace service directly app1.org1.svc.cluster.local)

#1 Feels like a workaround.
#2 This gets me closer, but I still need to prefix the tenant identifier before each path
#3 Very error prone as the app developers now need to serve under known paths and I'm not exactly sure of how ambiguous or duplicated routes work in this scenario.
#4 Feels like I'm side-stepping Traefik and will ultimately write some DSL for the mapping

Ideally, I'd have a single IngressRoute with a top-level match rule for the tenant and then the ability to do path specifics per service, but this does not exist and all of this leads me to believe I'm going about this in the wrong / unintended manner.

Assume ~100 tenants and ~10 services per tenant.

What are others doing in this scenario?