providers/proxy: revert to static list of forwarded headers
Wildcard is not usable for this since the regular expression doesn't support negative lookahead, meaning we would always forward all headers, including Connection and others.

closes #1969

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
f10b57ba0b
commit
8a60a7e26f
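--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -92,8 +92,6 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
 # Buffer sizes for large headers with JWTs
 "nginx.ingress.kubernetes.io/proxy-buffers-number": "4",
 "nginx.ingress.kubernetes.io/proxy-buffer-size": "16k",
-# Ensure ingress can receive TLS traffic
-"traefik.ingress.kubernetes.io/router.tls": "true",
 }
 annotations.update(self.controller.outpost.config.kubernetes_ingress_annotations)
 return annotations
@@ -101,6 +101,11 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
 != reference.spec.forwardAuth.authResponseHeadersRegex
 ):
 raise NeedsUpdate()
+# Ensure all of our headers are set, others can be added by the user.
+if not set(current.spec.forwardAuth.authResponseHeaders).issubset(
+reference.spec.forwardAuth.authResponseHeaders
+):
+raise NeedsUpdate()
 
 def get_reference_object(self) -> TraefikMiddleware:
 """Get deployment object for outpost"""
@@ -115,8 +120,27 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
 spec=TraefikMiddlewareSpec(
 forwardAuth=TraefikMiddlewareSpecForwardAuth(
 address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
-authResponseHeaders=[],
-authResponseHeadersRegex="^(Auth|Remote|X|Set).*$",
+authResponseHeaders=[
+# Legacy headers, remove after 2022.1
+"X-Auth-Username",
+"X-Auth-Groups",
+"X-Forwarded-Email",
+"X-Forwarded-Preferred-Username",
+"X-Forwarded-User",
+# New headers, unique prefix
+"X-authentik-username",
+"X-authentik-groups",
+"X-authentik-email",
+"X-authentik-name",
+"X-authentik-uid",
+"X-authentik-jwt",
+"X-authentik-meta-jwks",
+"X-authentik-meta-outpost",
+"X-authentik-meta-provider",
+"X-authentik-meta-app",
+"X-authentik-meta-version",
+],
+authResponseHeadersRegex="",
 trustForwardHeader=True,
 )
 ),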
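Review bot: The new subset check in the second hunk, `if not set(current.spec.forwardAuth.authResponseHeaders).issubset(reference.spec.forwardAuth.authResponseHeaders)`, is inverted relative to its comment: it raises NeedsUpdate when the deployed middleware carries a header that is not in the reference list, and stays silent when the deployed list is missing one of ours (an empty deployed list passes). As written, user-added headers get overwritten on the next reconcile while a middleware lacking the X-authentik-* headers is never repaired, so downstream applications would silently stop receiving the identity headers. Swap the operands: `if not set(reference.spec.forwardAuth.authResponseHeaders).issubset(current.spec.forwardAuth.authResponseHeaders):`. The enclosing reconcile method begins above the hunk. In the third hunk, `authResponseHeadersRegex=""` is compared with `!=` against the deployed object just above; if the cluster API drops an empty string and returns None for that field, the reconciler would report NeedsUpdate on every run, which is worth confirming against the CRD.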