diff --git a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml index eeb742b5f..997eaad37 100644 --- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml +++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml @@ -1238,6 +1238,11 @@ spec: description: ForwardBody defines whether to send the request body to the authentication server. type: boolean + headerField: + description: |- + HeaderField defines a header field to store the authenticated user. + More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#headerfield + type: string maxBodySize: description: MaxBodySize defines the maximum body size in bytes allowed to be forwarded to the authentication server. diff --git a/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml b/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml index 01da1ba2a..ef4a301f6 100644 --- a/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml +++ b/docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml @@ -496,6 +496,11 @@ spec: description: ForwardBody defines whether to send the request body to the authentication server. type: boolean + headerField: + description: |- + HeaderField defines a header field to store the authenticated user. + More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#headerfield + type: string maxBodySize: description: MaxBodySize defines the maximum body size in bytes allowed to be forwarded to the authentication server. diff --git a/integration/fixtures/k8s/01-traefik-crd.yml b/integration/fixtures/k8s/01-traefik-crd.yml index eeb742b5f..997eaad37 100644 --- a/integration/fixtures/k8s/01-traefik-crd.yml +++ b/integration/fixtures/k8s/01-traefik-crd.yml 
@@ -1238,6 +1238,11 @@ spec: description: ForwardBody defines whether to send the request body to the authentication server. type: boolean + headerField: + description: |- + HeaderField defines a header field to store the authenticated user. + More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#headerfield + type: string maxBodySize: description: MaxBodySize defines the maximum body size in bytes allowed to be forwarded to the authentication server. diff --git a/pkg/config/dynamic/middlewares.go b/pkg/config/dynamic/middlewares.go index 319ffcbd1..87a464e6c 100644 --- a/pkg/config/dynamic/middlewares.go +++ b/pkg/config/dynamic/middlewares.go @@ -252,7 +252,7 @@ type ForwardAuth struct { // AddAuthCookiesToResponse defines the list of cookies to copy from the authentication server response to the response. AddAuthCookiesToResponse []string `json:"addAuthCookiesToResponse,omitempty" toml:"addAuthCookiesToResponse,omitempty" yaml:"addAuthCookiesToResponse,omitempty" export:"true"` // HeaderField defines a header field to store the authenticated user. - // More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/#headerfield + // More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#headerfield HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"` // ForwardBody defines whether to send the request body to the authentication server. ForwardBody bool `json:"forwardBody,omitempty" toml:"forwardBody,omitempty" yaml:"forwardBody,omitempty" export:"true"` diff --git a/pkg/provider/kubernetes/crd/fixtures/with_auth.yml b/pkg/provider/kubernetes/crd/fixtures/with_auth.yml index 6da695b12..16d167e6c 100644 --- a/pkg/provider/kubernetes/crd/fixtures/with_auth.yml +++ b/pkg/provider/kubernetes/crd/fixtures/with_auth.yml 
@@ -60,6 +60,7 @@ metadata:
 spec:
 forwardAuth:
 address: test.com
+ headerField: X-Header-Field
 tls:
 certSecret: tlssecret
 caSecret: casecret
diff --git a/pkg/provider/kubernetes/crd/kubernetes.go b/pkg/provider/kubernetes/crd/kubernetes.go
index 7f004d809..c0f4a2a67 100644
--- a/pkg/provider/kubernetes/crd/kubernetes.go
+++ b/pkg/provider/kubernetes/crd/kubernetes.go
@@ -789,6 +789,7 @@ func createForwardAuthMiddleware(k8sClient Client, namespace string, auth *traef
 AuthResponseHeadersRegex: auth.AuthResponseHeadersRegex,
 AuthRequestHeaders: auth.AuthRequestHeaders,
 AddAuthCookiesToResponse: auth.AddAuthCookiesToResponse,
+ HeaderField: auth.HeaderField,
 ForwardBody: auth.ForwardBody,
 PreserveLocationHeader: auth.PreserveLocationHeader,
 }
diff --git a/pkg/provider/kubernetes/crd/kubernetes_test.go b/pkg/provider/kubernetes/crd/kubernetes_test.go
index 897a2e189..2b96ac965 100644
--- a/pkg/provider/kubernetes/crd/kubernetes_test.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_test.go
@@ -3961,6 +3961,7 @@ func TestLoadIngressRoutes(t *testing.T) {
 ForwardAuth: &dynamic.ForwardAuth{
 Address: "test.com",
 MaxBodySize: pointer(int64(-1)),
+ HeaderField: "X-Header-Field",
 TLS: &dynamic.ClientTLS{
 CA: "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----",
 Cert: "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----",
diff --git a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go
index b2c9a9097..f4a0b570b 100644
--- a/pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go
+++ b/pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go
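Review bot: The struct literal in createForwardAuthMiddleware copies `auth` into `dynamic.ForwardAuth` one field at a time, so any option missing from the list is dropped without an error. `HeaderField` is unchanged context in pkg/config/dynamic/middlewares.go, so it already existed there and appears to have been lost this way for CRD users until `HeaderField: auth.HeaderField,` was added. For an option that records the authenticated user, a silent drop is easy to miss. I would add a parity test that compares the field names of `dynamic.ForwardAuth` and the v1alpha1 `ForwardAuth` by reflection, with an explicit list of intended differences; the single fixture value added in kubernetes_test.go only covers this one field. The function body continues outside the hunk.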
@@ -161,6 +161,9 @@ type ForwardAuth struct {
 TLS *ClientTLS `json:"tls,omitempty"`
 // AddAuthCookiesToResponse defines the list of cookies to copy from the authentication server response to the response.
 AddAuthCookiesToResponse []string `json:"addAuthCookiesToResponse,omitempty"`
+ // HeaderField defines a header field to store the authenticated user.
+ // More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#headerfield
+ HeaderField string `json:"headerField,omitempty"`
 // ForwardBody defines whether to send the request body to the authentication server.
 ForwardBody bool `json:"forwardBody,omitempty"`
 // MaxBodySize defines the maximum body size in bytes allowed to be forwarded to the authentication server.
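Review bot: The new doc comment on `HeaderField` says the header will "store the authenticated user" but not which message carries it (the authentication server's response or the request sent on to the backend), nor whether Traefik reads it or sets it. That direction decides whether a client-supplied value for the same header name has to be treated as untrusted, and an operator should not need to read the middleware to find out. I would state the direction and the empty-value behaviour, e.g. `// HeaderField names the header on <message> that carries the authenticated user; <behaviour when empty>.`. The identical comment in pkg/config/dynamic/middlewares.go needs the same change, and the CRD `description` text appears to be generated from these comments. The struct definition continues outside the hunk.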