Hey everyone! I'm a junior developer working on a personal project with K3s on a homeserver. I've got the basics down with ArgoCD and K3s, but now I'm hitting a wall trying to figure out how to implement user authentication and authorization. I definitely want to use Keycloak along with OAuth and OpenID, but I'm overwhelmed with all the options out there. I prefer open-source solutions over paid ones, particularly anything that's not limited to a free tier.
One thing that stood out to me is how Traefik manages TLS certs for HTTPS, so I'd like to keep that in my setup. I considered using Spring Cloud Gateway for handling auth, but it feels redundant since Traefik can manage ingress and reverse proxy. I've looked into several options, including Kong, Ambassador, Contour, APISIX, and Tyk, but it's hard to grasp the differences. Currently, I'm leaning towards APISIX simply because I've heard of Apache, but I'm open to suggestions. Any insights would be greatly appreciated!
4 Answers
I've set up Traefik with oauth2-proxy and Keycloak myself. It can get a bit complex, but once it's operational, it's free and effective. With Traefik, the forwardAuth middleware initiates a request where oauth2-proxy checks the user's credentials, which then talks to Keycloak. Just a heads up, this setup may limit the information available to your backend services, making detailed access control a bit trickier.
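The forwardAuth arrangement described in the answer above, sketched as Traefik CRDs; this is an added example, not the answerer's configuration. The namespace `demo`, the service names `oauth2-proxy` and `app`, the host `app.example.test` and the backend port are assumptions, as is an oauth2-proxy instance already configured against Keycloak and started with `--reverse-proxy=true` and `--set-xauthrequest=true`.

```yaml
# Added example. All names, hosts and ports below are assumed placeholders.
# Traefik calls oauth2-proxy for every request; a 2xx answer lets it through.
apiVersion: traefik.io/v1alpha1   # older Traefik v2 releases use traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: oauth2-forward-auth
  namespace: demo
spec:
  forwardAuth:
    address: http://oauth2-proxy.demo.svc.cluster.local:4180/oauth2/auth
    # Only these headers from the auth response are set on the request sent
    # to the backend, replacing any same-named headers the client supplied.
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
      - X-Auth-Request-Groups
---
# Turns the bare 401 from /oauth2/auth into the oauth2-proxy sign-in page,
# which then sends the browser to Keycloak.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oauth2-errors
  namespace: demo
spec:
  errors:
    status: ["401-403"]
    query: /oauth2/sign_in?rd={url}
    service: {name: oauth2-proxy, port: 4180}
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: app
  namespace: demo
spec:
  entryPoints: [websecure]
  routes:
    # Login, callback and sign-out endpoints must bypass the auth check.
    - match: Host(`app.example.test`) && PathPrefix(`/oauth2/`)
      kind: Rule
      services: [{name: oauth2-proxy, port: 4180}]
    - match: Host(`app.example.test`)
      kind: Rule
      middlewares: [{name: oauth2-errors}, {name: oauth2-forward-auth}]
      services: [{name: app, port: 8080}]
  tls: {}   # TLS is still terminated by Traefik
```

The backend receives only the headers listed in `authResponseHeaders`, so fine-grained authorization has to work from those values. The backend should be reachable only through Traefik, since anything that can reach it directly can set those headers itself.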
Kong IC paired with Keycloak has been my choice. It provides a handy way to manage authorization in my applications.
I went a similar route using oauth2-proxy, Dex, and Traefik with forward auth. It definitely requires some reading, especially with Helm charts. I found some good resources if you're open to diving into the specifics. It's a feasible setup for K3s as well.
As an APISIX maintainer, I'm excited to discuss our upcoming Ingress Controller! We’re developing new features that should help with your needs. If you have specific questions about integrating it with your K3s setup, feel free to ask! Check out our roadmap too for future developments.
Sounds intriguing! I’d love to know if APISIX could suit my requirements and how difficult it would be to transition from my current Traefik setup.
That’s a good point! So you're saying the services interacting through this setup might not have full access to the request data?