providers/proxy: don't create ingress for domains which use forwardAuth, don't create ingress at all if all providers are forward auth
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
3f8cd7ff13
commit
be8b2bf6f6
|
@ -29,6 +29,11 @@ class NeedsUpdate(ReconcileTrigger):
|
||||||
"""Exception to trigger an update to the Kubernetes Object"""
|
"""Exception to trigger an update to the Kubernetes Object"""
|
||||||
|
|
||||||
|
|
||||||
|
class Disabled(SentryIgnoredException):
|
||||||
|
"""Exception which can be thrown in a reconciler to signal than an
|
||||||
|
object should not be created."""
|
||||||
|
|
||||||
|
|
||||||
class KubernetesObjectReconciler(Generic[T]):
|
class KubernetesObjectReconciler(Generic[T]):
|
||||||
"""Base Kubernetes Reconciler, handles the basic logic."""
|
"""Base Kubernetes Reconciler, handles the basic logic."""
|
||||||
|
|
||||||
|
@ -50,7 +55,11 @@ class KubernetesObjectReconciler(Generic[T]):
|
||||||
def up(self):
|
def up(self):
|
||||||
"""Create object if it doesn't exist, update if needed or recreate if needed."""
|
"""Create object if it doesn't exist, update if needed or recreate if needed."""
|
||||||
current = None
|
current = None
|
||||||
|
try:
|
||||||
reference = self.get_reference_object()
|
reference = self.get_reference_object()
|
||||||
|
except Disabled:
|
||||||
|
self.logger.debug("Object not required")
|
||||||
|
return
|
||||||
try:
|
try:
|
||||||
try:
|
try:
|
||||||
current = self.retrieve()
|
current = self.retrieve()
|
||||||
|
|
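Review bot: The `except Disabled:` branch added to `up()` returns before `self.retrieve()` runs, so an object created by an earlier reconcile appears to be left in place once its reconciler starts raising `Disabled`. For an ingress that would mean a host keeps being routed to the outpost after its providers no longer need one; whether another code path removes it is not visible here. Consider looking up and removing any existing object before the early return, or at least recording the gap with a comment such as `# NOTE: returns before retrieve(); an object from an earlier reconcile is not cleaned up here`. The new `Disabled` docstring also reads "signal than an", which should be "signal that an". The body of `up()` continues past the end of this hunk.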
|
@ -17,6 +17,7 @@ from kubernetes.client.models.networking_v1beta1_ingress_rule import (
|
||||||
|
|
||||||
from authentik.outposts.controllers.base import FIELD_MANAGER
|
from authentik.outposts.controllers.base import FIELD_MANAGER
|
||||||
from authentik.outposts.controllers.k8s.base import (
|
from authentik.outposts.controllers.k8s.base import (
|
||||||
|
Disabled,
|
||||||
KubernetesObjectReconciler,
|
KubernetesObjectReconciler,
|
||||||
NeedsUpdate,
|
NeedsUpdate,
|
||||||
)
|
)
|
||||||
|
@ -50,7 +51,8 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
|
||||||
expected_hosts = []
|
expected_hosts = []
|
||||||
expected_hosts_tls = []
|
expected_hosts_tls = []
|
||||||
for proxy_provider in ProxyProvider.objects.filter(
|
for proxy_provider in ProxyProvider.objects.filter(
|
||||||
outpost__in=[self.controller.outpost]
|
outpost__in=[self.controller.outpost],
|
||||||
|
forward_auth_mode=True,
|
||||||
):
|
):
|
||||||
proxy_provider: ProxyProvider
|
proxy_provider: ProxyProvider
|
||||||
external_host_name = urlparse(proxy_provider.external_host)
|
external_host_name = urlparse(proxy_provider.external_host)
|
||||||
|
@ -98,7 +100,8 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
|
||||||
rules = []
|
rules = []
|
||||||
tls_hosts = []
|
tls_hosts = []
|
||||||
for proxy_provider in ProxyProvider.objects.filter(
|
for proxy_provider in ProxyProvider.objects.filter(
|
||||||
outpost__in=[self.controller.outpost]
|
outpost__in=[self.controller.outpost],
|
||||||
|
forward_auth_mode=True,
|
||||||
):
|
):
|
||||||
proxy_provider: ProxyProvider
|
proxy_provider: ProxyProvider
|
||||||
external_host_name = urlparse(proxy_provider.external_host)
|
external_host_name = urlparse(proxy_provider.external_host)
|
||||||
|
@ -119,6 +122,8 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
rules.append(rule)
|
rules.append(rule)
|
||||||
|
if not rules:
|
||||||
|
raise Disabled()
|
||||||
tls_config = None
|
tls_config = None
|
||||||
if tls_hosts:
|
if tls_hosts:
|
||||||
tls_config = NetworkingV1beta1IngressTLS(
|
tls_config = NetworkingV1beta1IngressTLS(
|
||||||
|
|
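Review bot: Both `ProxyProvider.objects.filter(...)` calls now pass `forward_auth_mode=True`, which selects only the forward-auth providers, while the commit title says no ingress should be created for those domains. If the title states the intent, the filter is inverted and should read `forward_auth_mode=False,` in the host-collection loop (hunk at -50,7) and in the rule-building loop (hunk at -98,7). As written, proxy-mode providers would get no rule, forward-auth hosts would still be published through the ingress, and `raise Disabled()` would fire when only proxy-mode providers exist. The enclosing methods start and end outside these hunks, so confirm against the meaning of the model field before changing it.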