From b248f450ddc9e9743a7e7e34376902c997c93984 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Sun, 26 Sep 2021 12:00:51 +0200 Subject: [PATCH] outposts: make AUTHENTIK_HOST_BROWSER configurable from central config closes #1471 Signed-off-by: Jens Langhammer --- authentik/outposts/controllers/docker.py | 2 ++ authentik/outposts/controllers/k8s/deployment.py | 9 +++++++++ authentik/outposts/controllers/k8s/secret.py | 5 ++++- authentik/outposts/models.py | 1 + internal/outpost/proxyv2/application/endpoint.go | 2 +- website/docs/outposts/outposts.md | 2 ++ 6 files changed, 19 insertions(+), 2 deletions(-) diff --git a/authentik/outposts/controllers/docker.py b/authentik/outposts/controllers/docker.py index 51f3ce889..03eca20f4 100644 --- a/authentik/outposts/controllers/docker.py +++ b/authentik/outposts/controllers/docker.py @@ -38,6 +38,7 @@ class DockerController(BaseController): "AUTHENTIK_HOST": self.outpost.config.authentik_host.lower(), "AUTHENTIK_INSECURE": str(self.outpost.config.authentik_host_insecure).lower(), "AUTHENTIK_TOKEN": self.outpost.token.key, + "AUTHENTIK_HOST_BROWSER": self.outpost.config.authentik_host_browser, } def _comp_env(self, container: Container) -> bool: @@ -215,6 +216,7 @@ class DockerController(BaseController): "AUTHENTIK_HOST": self.outpost.config.authentik_host, "AUTHENTIK_INSECURE": str(self.outpost.config.authentik_host_insecure), "AUTHENTIK_TOKEN": self.outpost.token.key, + "AUTHENTIK_HOST_BROWSER": self.outpost.config.authentik_host_browser, }, "labels": self._get_labels(), } diff --git a/authentik/outposts/controllers/k8s/deployment.py b/authentik/outposts/controllers/k8s/deployment.py index f9abacd2a..9c9aefc70 100644 --- a/authentik/outposts/controllers/k8s/deployment.py +++ b/authentik/outposts/controllers/k8s/deployment.py 
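Review bot: The new `AUTHENTIK_HOST_BROWSER` entry in the first docker.py hunk (the dict just above `_comp_env`) is passed through unmodified, while its neighbours `AUTHENTIK_HOST` and `AUTHENTIK_INSECURE` are lowercased there and all of them are unmodified in the second hunk at line 216. Leaving a URL untouched looks right, since its path part is case-sensitive, but the difference is easy to read as an oversight; a short comment would settle it, e.g. `# not lowercased: must match the value written at container creation byte-for-byte`. Both dicts sit inside methods that start outside the hunks, so how `_comp_env` consumes them cannot be checked from here.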
@@ -89,6 +89,15 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]): ) ), ), + V1EnvVar( + name="AUTHENTIK_HOST_BROWSER", + value_from=V1EnvVarSource( + secret_key_ref=V1SecretKeySelector( + name=self.name, + key="authentik_host_browser", + ) + ), + ), V1EnvVar( name="AUTHENTIK_TOKEN", value_from=V1EnvVarSource( diff --git a/authentik/outposts/controllers/k8s/secret.py b/authentik/outposts/controllers/k8s/secret.py index f15047f6b..d7cb8c03c 100644 --- a/authentik/outposts/controllers/k8s/secret.py +++ b/authentik/outposts/controllers/k8s/secret.py @@ -26,7 +26,7 @@ class SecretReconciler(KubernetesObjectReconciler[V1Secret]): def reconcile(self, current: V1Secret, reference: V1Secret): super().reconcile(current, reference) for key in reference.data.keys(): - if current.data[key] != reference.data[key]: + if key not in current.data or current.data[key] != reference.data[key]: raise NeedsUpdate() def get_reference_object(self) -> V1Secret: @@ -40,6 +40,9 @@ class SecretReconciler(KubernetesObjectReconciler[V1Secret]): str(self.controller.outpost.config.authentik_host_insecure) ), "token": b64string(self.controller.outpost.token.key), + "authentik_host_browser": b64string( + self.controller.outpost.config.authentik_host_browser + ), }, ) diff --git a/authentik/outposts/models.py b/authentik/outposts/models.py index 851b52472..ff8116a71 100644 --- a/authentik/outposts/models.py +++ b/authentik/outposts/models.py @@ -64,6 +64,7 @@ class OutpostConfig: authentik_host: str = "" authentik_host_insecure: bool = False + authentik_host_browser: str = "" log_level: str = CONFIG.y("log_level") error_reporting_enabled: bool = CONFIG.y_bool("error_reporting.enabled") diff --git a/internal/outpost/proxyv2/application/endpoint.go b/internal/outpost/proxyv2/application/endpoint.go index e11c4e031..37a164db3 100644 --- a/internal/outpost/proxyv2/application/endpoint.go +++ b/internal/outpost/proxyv2/application/endpoint.go 
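Review bot: The added `V1SecretKeySelector` for `authentik_host_browser` in deployment.py is a required reference, so a pod created against a Secret that predates this change and lacks the key would fail to start until the Secret has been updated. The outpost already treats a missing or empty value as unset, so marking the reference optional removes the ordering dependency: `V1SecretKeySelector(name=self.name, key="authentik_host_browser", optional=True)`. Whether the Secret is always reconciled before the Deployment is not visible in this hunk, and the enclosing list and method begin and end outside it.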
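Review bot: In `SecretReconciler.reconcile`, the new `key not in current.data` test raises `TypeError` instead of `NeedsUpdate` when `current.data` is `None`, which the Kubernetes client can return for a Secret that carries no data. Binding the mapping once before the loop keeps the drift check total: `current_data = current.data or {}` followed by `if current_data.get(key) != reference.data[key]: raise NeedsUpdate()`. A docstring on `reconcile` stating that only keys present in the reference are compared would also help, since extra keys in the live Secret are ignored by this loop.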
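Review bot: `authentik_host_browser` is added to `OutpostConfig` as a free-form `str` with no comment on its expected shape, yet the proxy outpost substitutes it verbatim for `AUTHENTIK_HOST` inside the authorization and end-session URLs that are handed to browsers. A comment on the field would help, e.g. `# Absolute URL (scheme and host) that browsers use to reach authentik; empty falls back to authentik_host`. Validating the scheme where `OutpostConfig` is populated would catch a scheme-less or plain-`http` value early, but that code is outside this diff.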
@@ -18,7 +18,7 @@ type OIDCEndpoint struct {
 func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoint {
 authUrl := p.OidcConfiguration.AuthorizationEndpoint
 endUrl := p.OidcConfiguration.EndSessionEndpoint
- if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found {
+ if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {
 host := os.Getenv("AUTHENTIK_HOST")
 authUrl = strings.ReplaceAll(authUrl, host, browserHost)
 endUrl = strings.ReplaceAll(endUrl, host, browserHost)
diff --git a/website/docs/outposts/outposts.md b/website/docs/outposts/outposts.md
index 5b113f38a..dda6f76a6 100644
--- a/website/docs/outposts/outposts.md
+++ b/website/docs/outposts/outposts.md
@@ -37,6 +37,8 @@ error_reporting_environment: beryjuorg-prod
 authentik_host: https://authentik.tld/
 # Disable SSL Validation for the authentik connection
 authentik_host_insecure: false
+# Optionally specify a different URL used for user-facing interactions
+authentik_host_browser:
 # Template used for objects created (deployments, services, secrets, etc)
 object_naming_template: ak-outpost-%(name)s
 ########################################
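Review bot: The rewrite guarded by the new `browserHost != ""` check in `GetOIDCEndpoint` is a plain substring replacement, so a trailing-slash mismatch between the two settings changes the host of the resulting URL: with `AUTHENTIK_HOST=https://authentik.tld/` (the form shown in the docs) and a browser URL without the slash, the path ends up appended directly to the hostname. Trimming both sides first avoids that: `host := strings.TrimSuffix(os.Getenv("AUTHENTIK_HOST"), "/")` and `browserHost = strings.TrimSuffix(browserHost, "/")`. The condition should also require `host != ""`, because `strings.ReplaceAll` with an empty old string inserts the replacement between every character. The function body continues past the end of the hunk, and the `authentikHost` parameter is not used in the visible lines.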