Docker Compose

Adapted from:

https://github.com/xsephiroth/docker-traefik-grpc-insecure-tls-example

Docker compose:

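version: "3"

services:
  # gRPC backend. It speaks cleartext HTTP/2 (h2c), so the hop from Traefik to
  # this container is unencrypted; keep it on the private compose network and
  # do not publish its port.
  grpc-server:
    build: server
    labels:
      # NOTE(review): traefik.protocol and traefik.port look like Traefik v1
      # label names; the traefik.http.* labels below set the same scheme and
      # port for the traefik:v2.10 image used here. Confirm these two are
      # still wanted.
      # use h2c protocol
      - traefik.protocol=h2c
      # server port
      - traefik.port=8000
      # traefik log
      # "POST /proxy.TraefikGRPCProxy/ProxyMe HTTP/2.0" 200 66 "-" "grpc-go/1.22.1" 1 "PathPrefix-proxy-TraefikGRPCProxy-0" "h2c://172.25.0.3:8000" 2ms
      # Route every gRPC method of this service to the backend on 8000/h2c.
      - traefik.http.routers.grpc-server.rule=PathPrefix(`/proxy.TraefikGRPCProxy`)
      - traefik.http.services.grpc-server.loadbalancer.server.port=8000
      - traefik.http.services.grpc-server.loadbalancer.server.scheme=h2c
      # Every request on this router is checked by the auth-jwt forwardAuth
      # middleware before it reaches the backend.
      - traefik.http.routers.grpc-server.middlewares=auth-jwt
      # <auth_service_ip> is a placeholder for the auth service address.
      # The address is plain http, so the forwarded request headers (including
      # any bearer token) cross that hop unencrypted; use https or keep the
      # auth service on a trusted private network.
      - traefik.http.middlewares.auth-jwt.forwardauth.address=http://<auth_service_ip>:7050/validate

  # client is insecure: it connects to the proxy without TLS
  client:
    build: client
    depends_on:
      - traefikproxy
      - grpc-server
    command: ./client -server traefikproxy:81

  # traefikproxy reverse proxy client http2 request to server
  traefikproxy:
    image: traefik:v2.10
    ports:
      # NOTE(review): the command below defines no entrypoint on :80; confirm
      # this mapping is needed.
      - "80:80"
      # --api.insecure=true serves the dashboard and API on 8080 without
      # authentication, so publish it on the loopback interface only.
      - "127.0.0.1:8080:8080"
      # "web" entrypoint (cleartext) used by the gRPC client
      - "81:81"
    volumes:
      # Traefik only reads container metadata, so mount the socket read-only.
      # The :ro flag protects the socket file itself; it does not limit which
      # Docker API calls can be made through it. Access to this socket is
      # equivalent to control of the Docker daemon; a filtering socket proxy
      # in front of it narrows that exposure.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    # api.insecure is meant for local testing only; for anything shared,
    # turn it off and expose the API through a router protected by auth.
    command: >
      --entrypoints.web.address=:81
      --providers.docker=true
      --api.insecure=true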

Makefile

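# Default target: build both static Linux binaries.
# "certs" is not a prerequisite here because its rule below is commented out;
# add it back to this line if that rule is re-enabled.
.PHONY: all
all: client server

# client/ and server/ are also directory names, so both targets are phony
# and rebuild on every invocation.
.PHONY: client
client:
	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o client/client client/client.go

.PHONY: server
server:
	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o server/server server/server.go

# Disabled: self-signed test certificate (the compose setup above runs
# without TLS). -nodes writes the private key unencrypted, which is only
# acceptable for a throwaway test key; keep certs/srv.key out of version
# control if this rule is re-enabled.
# Common Name (e.g. server FQDN or YOUR name) []: test.com
# .PHONY: certs
# certs:
# 	openssl req -x509 -nodes -newkey rsa:2048 -keyout certs/srv.key -out certs/srv.pem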

Kubernetes using ConfigMap

https://github.com/imans777/traefik-lb-grpc-k8s

https://doc.traefik.io/traefik/reference/dynamic-configuration/file/

dynamic.yaml

# ConfigMap carrying a Traefik dynamic configuration file (TOML).
# NOTE(review): presumably mounted into the Traefik pod and read by the file
# provider; that wiring is not shown here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: dynamic-config
data:
  # Router "echo_service_headless" on the "web" entrypoint matches paths
  # starting with /echo. and runs the "test-auth" middleware before handing
  # the request to "echo_service" (h2c://echo:50051).
  # Both the backend hop (h2c) and the forwardAuth call (http) are cleartext,
  # so forwarded headers such as bearer tokens depend on the cluster network
  # for confidentiality; use TLS or a mesh with mTLS where that is not enough.
  dynamic-configs.toml: |
    [http]
      [http.routers]
          [http.routers.echo_service_headless]
          entryPoints = ['web']
          middlewares = ["test-auth"]
          rule = "PathPrefix(`/echo.`)"
          service = "echo_service"
    [http.services]
        [http.services.echo_service]
            [http.services.echo_service.loadBalancer]
                [[http.services.echo_service.loadBalancer.servers]]
                url =  "h2c://echo:50051"
    [http.middlewares]
        [http.middlewares.test-auth]
            [http.middlewares.test-auth.forwardAuth]
                address = "http://horus-auth-jwt.default.svc.cluster.local:8081/validate"
