Multi-layer routing

Co-authored-by: Romain <rtribotte@users.noreply.github.com>

integration/fixtures/k8s/01-traefik-crd.yml

@@ -48,6 +48,26 @@ spec:
                 items:
                   type: string
                 type: array
+              parentRefs:
+                description: |-
+                  ParentRefs defines references to parent IngressRoute resources for multi-layer routing.
+                  When set, this IngressRoute's routers will be children of the referenced parent IngressRoute's routers.
+                  More info: https://doc.traefik.io/traefik/v3.5/routing/routers/#parentrefs
+                items:
+                  description: IngressRouteRef is a reference to an IngressRoute resource.
+                  properties:
+                    name:
+                      description: Name defines the name of the referenced IngressRoute
+                        resource.
+                      type: string
+                    namespace:
+                      description: Namespace defines the namespace of the referenced
+                        IngressRoute resource.
+                      type: string
+                  required:
+                  - name
+                  type: object
+                type: array
               routes:
                 description: Routes defines the list of routes.
                 items:

integration/fixtures/routing/multi_layer_auth.toml

@@ -0,0 +1,51 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+  noColor = true
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+
+[api]
+  insecure = true
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## Dynamic Configuration ##
+
+[http.middlewares]
+  [http.middlewares.auth-middleware.forwardAuth]
+    address = "http://127.0.0.1:{{ .AuthPort }}/auth"
+    authResponseHeaders = ["X-User-Role", "X-User-Name"]
+
+[http.services]
+  [http.services.admin-service.loadBalancer]
+    [[http.services.admin-service.loadBalancer.servers]]
+      url = "http://{{ .AdminIP }}:80"
+
+  [http.services.developer-service.loadBalancer]
+    [[http.services.developer-service.loadBalancer.servers]]
+      url = "http://{{ .DeveloperIP }}:80"
+
+[http.routers]
+  # Parent router: matches path, applies auth middleware
+  [http.routers.parent-router]
+    rule = "PathPrefix(`/whoami`)"
+    middlewares = ["auth-middleware"]
+
+  # Child router for admin role
+  [http.routers.admin-router]
+    rule = "Header(`X-User-Role`, `admin`)"
+    service = "admin-service"
+    parentRefs = ["parent-router@file"]
+
+  # Child router for developer role
+  [http.routers.developer-router]
+    rule = "Header(`X-User-Role`, `developer`)"
+    service = "developer-service"
+    parentRefs = ["parent-router@file"]

integration/resources/compose/routing.yml

@@ -0,0 +1,8 @@
+services:
+  whoami-admin:
+    image: traefik/whoami
+    hostname: whoami-admin
+
+  whoami-developer:
+    image: traefik/whoami
+    hostname: whoami-developer

integration/routing_test.go

@@ -0,0 +1,154 @@
+package integration
+
+import (
+	"net"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/suite"
+	"github.com/traefik/traefik/v3/integration/try"
+)
+
+// RoutingSuite tests multi-layer routing with authentication middleware.
+type RoutingSuite struct{ BaseSuite }
+
+func TestRoutingSuite(t *testing.T) {
+	suite.Run(t, new(RoutingSuite))
+}
+
+func (s *RoutingSuite) SetupSuite() {
+	s.BaseSuite.SetupSuite()
+
+	s.createComposeProject("routing")
+	s.composeUp()
+}
+
+func (s *RoutingSuite) TearDownSuite() {
+	s.BaseSuite.TearDownSuite()
+}
+
+// authHandler implements the ForwardAuth protocol.
+// It validates Bearer tokens and adds X-User-Role and X-User-Name headers.
+func authHandler(w http.ResponseWriter, r *http.Request) {
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
+	if !strings.HasPrefix(authHeader, "Bearer ") {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
+	token := strings.TrimPrefix(authHeader, "Bearer ")
+	role, username, ok := getUserByToken(token)
+	if !ok {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
+	// Set headers that will be forwarded by Traefik
+	w.Header().Set("X-User-Role", role)
+	w.Header().Set("X-User-Name", username)
+	w.WriteHeader(http.StatusOK)
+}
+
+// getUserByToken returns the role and username for a given token.
+func getUserByToken(token string) (role, username string, ok bool) {
+	users := map[string]struct {
+		role     string
+		username string
+	}{
+		"bob-token":   {role: "admin", username: "bob"},
+		"jack-token":  {role: "developer", username: "jack"},
+		"alice-token": {role: "guest", username: "alice"},
+	}
+
+	u, exists := users[token]
+	return u.role, u.username, exists
+}
+
+// TestMultiLayerRoutingWithAuth tests the complete multi layer routing scenario:
+// - Parent router matches path and applies authentication middleware
+// - Auth middleware validates token and adds role header
+// - Child routers route based on the role header added by the middleware
+func (s *RoutingSuite) TestMultiLayerRoutingWithAuth() {
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(s.T(), err)
+	defer listener.Close()
+
+	_, authPort, err := net.SplitHostPort(listener.Addr().String())
+	require.NoError(s.T(), err)
+
+	go func() {
+		_ = http.Serve(listener, http.HandlerFunc(authHandler))
+	}()
+
+	adminIP := s.getComposeServiceIP("whoami-admin")
+	require.NotEmpty(s.T(), adminIP)
+
+	developerIP := s.getComposeServiceIP("whoami-developer")
+	require.NotEmpty(s.T(), developerIP)
+
+	file := s.adaptFile("fixtures/routing/multi_layer_auth.toml", struct {
+		AuthPort    string
+		AdminIP     string
+		DeveloperIP string
+	}{
+		AuthPort:    authPort,
+		AdminIP:     adminIP,
+		DeveloperIP: developerIP,
+	})
+
+	s.traefikCmd(withConfigFile(file))
+
+	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 2*time.Second, try.BodyContains("parent-router"))
+	require.NoError(s.T(), err)
+
+	// Test 1: bob (admin role) routes to admin-service
+	req, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/whoami", nil)
+	require.NoError(s.T(), err)
+	req.Header.Set("Authorization", "Bearer bob-token")
+
+	err = try.Request(req, 2*time.Second,
+		try.StatusCodeIs(http.StatusOK),
+		try.BodyContains("whoami-admin"))
+	require.NoError(s.T(), err)
+
+	// Test 2: jack (developer role) routes to developer-service
+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/whoami", nil)
+	require.NoError(s.T(), err)
+	req.Header.Set("Authorization", "Bearer jack-token")
+
+	err = try.Request(req, 2*time.Second,
+		try.StatusCodeIs(http.StatusOK),
+		try.BodyContains("whoami-developer"))
+	require.NoError(s.T(), err)
+
+	// Test 3: Invalid token returns 401
+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/whoami", nil)
+	require.NoError(s.T(), err)
+	req.Header.Set("Authorization", "Bearer invalid-token")
+
+	err = try.Request(req, 2*time.Second, try.StatusCodeIs(http.StatusUnauthorized))
+	require.NoError(s.T(), err)
+
+	// Test 4: Missing token returns 401
+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/whoami", nil)
+	require.NoError(s.T(), err)
+
+	err = try.Request(req, 2*time.Second, try.StatusCodeIs(http.StatusUnauthorized))
+	require.NoError(s.T(), err)
+
+	// Test 5: Valid auth but role has no matching child router returns 404
+	req, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8000/whoami", nil)
+	require.NoError(s.T(), err)
+	req.Header.Set("Authorization", "Bearer alice-token")
+
+	err = try.Request(req, 2*time.Second, try.StatusCodeIs(http.StatusNotFound))
+	require.NoError(s.T(), err)
+}