
Setting Up Traefik Proxy on k3s with Forward Auth using Authorization Header Part 1

In this tutorial, you will learn how to set up Traefik proxy on k3s with forward authentication using the Authorization header. We will deploy a sample application to Kubernetes and implement the callback URL on a Node.js Express app to handle the authentication response from GitHub. This tutorial will help you add an extra layer of security to your applications and ensure that only authorized users can access them.

Traefik is a popular open-source reverse proxy and load balancer that can be used as an ingress controller in Kubernetes. It has many advanced features, including support for multiple protocols, load balancing algorithms, and dynamic configuration. One of the most useful features of Traefik is its support for forward authentication, which allows you to delegate authentication to an external provider.

In this tutorial, we will set up Traefik on k3s and use it as an ingress controller to protect a web application with forward auth. We will use the Authorization header to pass authentication information to Traefik, and we will implement a simple Node.js Express app to handle the callback from the authentication provider.


To follow along with this tutorial, you will need:

  • A Kubernetes cluster running k3s
  • The kubectl command-line tool installed on your local machine
  • A domain name pointing to your Kubernetes cluster
  • A GitHub account and OAuth app

Step 1: Set up Traefik

The first step is to install and configure Traefik in our Kubernetes cluster. We will use the official Traefik Helm chart to install Traefik.

First, add the Traefik Helm repository:

helm repo add traefik

Then, create a values file with the following contents:

# values.yaml
# Extra CLI flags passed to the Traefik container by the Helm chart
additionalArguments:
  - --entrypoints.web.address=:80
  - --entrypoints.websecure.address=:443
  - --providers.kubernetesingress
  - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
  - --certificatesresolvers.myresolver.acme.tlschallenge=true
  - --ping.entrypoint=web
  - --log.level=DEBUG

In this values file, we have specified the following:

  • We will use the Kubernetes Ingress provider to configure Traefik as an ingress controller
  • We will use Let’s Encrypt to automatically obtain SSL/TLS certificates for our domains
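  • We will use the HTTP challenge on the web entrypoint to obtain certificates (the values file also enables the TLS challenge)
  • We have specified that the web entrypoint listens on port 80 and the websecure entrypoint on port 443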
  • We have specified the email address to use for Let’s Encrypt registration
  • We have set the log level to DEBUG for troubleshooting purposes

Next, install Traefik using the following command:

helm install traefik traefik/traefik -f values.yaml

This will install Traefik in the default namespace with the name traefik.

Step 2: Set up the OAuth App

The next step is to create a new OAuth app on GitHub, which we will use as our authentication provider. Here’s how:

  1. Go to your GitHub account settings and click on Developer settings.
  2. Click on OAuth Apps and then New OAuth App.
  3. Fill in the required fields:
    • Application Name: A name for your app
    • Homepage URL: The URL of your app (e.g.,
    • Authorization callback URL: The URL where your app will handle the OAuth callback (e.g.,
  4. Click Register Application to create the app.

Make a note of the Client ID and Client Secret values, as we will need them later.

Step 3: Create the Node.js Express App

We will now create a simple Node.js Express app that will handle the OAuth callback from GitHub. Here’s how:

  1. Create a new directory for your app:
mkdir myapp
cd myapp
  2. Initialize a new Node.js project and install the required dependencies:
npm init -y
npm install express dotenv
  3. Create a new file called app.js with the following contents:
const express = require('express')
const dotenv = require('dotenv')
const app = express()

// Load environment variables from .env into process.env
dotenv.config()

// Handle OAuth callback
app.get('/auth/github/callback', (req, res) => {
  // Authorization code and state returned by GitHub in the query string
  const code = req.query.code
  const state = req.query.state

  // TODO: Exchange code for access token
  // TODO: Verify access token and extract user information
  // TODO: Set authentication cookie and redirect to original URL
})

// Start server
const port = process.env.PORT || 3000
app.listen(port, () => {
  console.log(`Server listening on port ${port}`)
})

In this file, we have created a simple Express app that listens for GET requests on the /auth/github/callback URL. We will use this URL to handle the OAuth callback from GitHub.

We have also loaded environment variables using the dotenv package. You should create a .env file in the root directory of your app and set the following environment variables:

CLIENT_ID=<your-client-id>
CLIENT_SECRET=<your-client-secret>
REDIRECT_URI=<your-redirect-uri>


Replace the placeholders with your actual values. You can obtain the CLIENT_ID and CLIENT_SECRET values from the OAuth app you created earlier. The REDIRECT_URI should be the same as the Authorization callback URL you specified earlier.

Finally, we have started the server on port 3000 (or the value of the PORT environment variable, if set).
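
The callback above reads `state` and plans to redirect to the original URL, but leaves both to the TODOs. As an added example (not the author's code), here is one way to issue a signed `state` bound to the browser through a nonce cookie, and to verify it in the callback before trusting `code`. The helper names, the cookie-based nonce, the 10-minute lifetime and the secret are assumptions.

```javascript
const crypto = require('node:crypto')

// Hypothetical helpers, not part of the tutorial's app.js.
const sign = (secret, payload) =>
  crypto.createHmac('sha256', secret).update(payload).digest('base64url')

function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b))
  return x.length === y.length && crypto.timingSafeEqual(x, y)
}

// Only same-site paths are accepted as the post-login destination, so the
// "redirect to original URL" step cannot become an open redirect.
function safeReturnPath(returnTo) {
  return typeof returnTo === 'string' && /^\/(?![\/\\])/.test(returnTo) ? returnTo : '/'
}

// Before redirecting to GitHub: send `state` in the authorize URL and store
// `nonce` in an HttpOnly cookie so the state is bound to this browser.
function issueState(secret, returnTo, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('base64url')
  const body = JSON.stringify({ n: nonce, t: now, r: safeReturnPath(returnTo) })
  const payload = Buffer.from(body).toString('base64url')
  return { state: `${payload}.${sign(secret, payload)}`, nonce }
}

// In the callback: pass req.query.state and the nonce cookie.
// Returns the path to redirect to, or null if the request must be rejected.
function verifyState(secret, state, cookieNonce, now = Date.now(), maxAgeMs = 600000) {
  if (typeof state !== 'string' || typeof cookieNonce !== 'string') return null
  const parts = state.split('.')
  if (parts.length !== 2 || !safeEqual(parts[1], sign(secret, parts[0]))) return null
  const data = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'))
  if (!safeEqual(data.n, cookieNonce)) return null          // different browser
  if (now < data.t || now - data.t > maxAgeMs) return null  // stale or future-dated
  return safeReturnPath(data.r)
}

// Constructed sample values for a stand-alone run.
const demoSecret = 'constructed-demo-secret'
const demo = issueState(demoSecret, '/dashboard?tab=1')
console.log(verifyState(demoSecret, demo.state, demo.nonce))     // accepted
console.log(verifyState(demoSecret, demo.state, 'other-nonce'))  // rejected
```

The signature alone is not enough: without the nonce cookie, a state obtained in one browser would still verify when replayed in another.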

To be continued… Part 2.

By Edward Fitz Abucay
