providers/proxy: don't create ingress for domains which use forwardAuth, don't create ingress at all if all providers are forward auth

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens Langhammer 2021-05-05 17:53:12 +02:00
parent 3f8cd7ff13
commit be8b2bf6f6
2 changed files with 17 additions and 3 deletions


@ -29,6 +29,11 @@ class NeedsUpdate(ReconcileTrigger):
"""Exception to trigger an update to the Kubernetes Object"""
class Disabled(SentryIgnoredException):
"""Exception which can be thrown in a reconciler to signal than an
object should not be created."""
class KubernetesObjectReconciler(Generic[T]):
"""Base Kubernetes Reconciler, handles the basic logic."""
@ -50,7 +55,11 @@ class KubernetesObjectReconciler(Generic[T]):
def up(self):
"""Create object if it doesn't exist, update if needed or recreate if needed."""
current = None
try:
reference = self.get_reference_object()
except Disabled:
self.logger.debug("Object not required")
return
try:
try:
current = self.retrieve()
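Review bot: When `get_reference_object()` raises `Disabled`, `up()` returns before `self.retrieve()` is called, so an object created by an earlier reconcile is left in the cluster. For the ingress case, hosts whose providers were later switched to forward auth would presumably keep being routed by the stale ingress until it is removed by hand. Consider retrieving the current object in the `except Disabled:` branch and deleting it if it exists, and state in the `Disabled` docstring whether it means "do not create" or "must not exist". The rest of `up()` lies outside the hunk, so later cleanup cannot be ruled out, but the early `return` skips it either way.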


@ -17,6 +17,7 @@ from kubernetes.client.models.networking_v1beta1_ingress_rule import (
from authentik.outposts.controllers.base import FIELD_MANAGER
from authentik.outposts.controllers.k8s.base import (
Disabled,
KubernetesObjectReconciler,
NeedsUpdate,
)
@ -50,7 +51,8 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
expected_hosts = []
expected_hosts_tls = []
for proxy_provider in ProxyProvider.objects.filter(
outpost__in=[self.controller.outpost]
outpost__in=[self.controller.outpost],
forward_auth_mode=True,
):
proxy_provider: ProxyProvider
external_host_name = urlparse(proxy_provider.external_host)
@ -98,7 +100,8 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
rules = []
tls_hosts = []
for proxy_provider in ProxyProvider.objects.filter(
outpost__in=[self.controller.outpost]
outpost__in=[self.controller.outpost],
forward_auth_mode=True,
):
proxy_provider: ProxyProvider
external_host_name = urlparse(proxy_provider.external_host)
@ -119,6 +122,8 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
),
)
rules.append(rule)
if not rules:
raise Disabled()
tls_config = None
if tls_hosts:
tls_config = NetworkingV1beta1IngressTLS(
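Review bot: The added filter `forward_auth_mode=True`, in both the `expected_hosts` loop and the `rules` loop, selects only providers that use forward auth, which is the opposite of what the commit title describes. If the field means what its name suggests, ingress rules are now built for exactly the forward-auth domains and proxy-mode providers get none. `if not rules: raise Disabled()` would then skip the ingress entirely for an outpost that has only proxy-mode providers. The filter should presumably read `forward_auth_mode=False,` in both loops, with a short comment above each query such as `# forward-auth domains are served by the user's own ingress; skip them`. Both loops sit in methods that start and end outside the hunks.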