outposts/proxy: fix traefik header regex to only match Remote- and X- headers to prevent websocket errors
closes #1969 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
ba527e7141
commit
ef23a0da52
|
@ -96,6 +96,11 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
|
||||||
super().reconcile(current, reference)
|
super().reconcile(current, reference)
|
||||||
if current.spec.forwardAuth.address != reference.spec.forwardAuth.address:
|
if current.spec.forwardAuth.address != reference.spec.forwardAuth.address:
|
||||||
raise NeedsUpdate()
|
raise NeedsUpdate()
|
||||||
|
if (
|
||||||
|
current.spec.forwardAuth.authResponseHeadersRegex
|
||||||
|
!= reference.spec.forwardAuth.authResponseHeadersRegex
|
||||||
|
):
|
||||||
|
raise NeedsUpdate()
|
||||||
|
|
||||||
def get_reference_object(self) -> TraefikMiddleware:
|
def get_reference_object(self) -> TraefikMiddleware:
|
||||||
"""Get deployment object for outpost"""
|
"""Get deployment object for outpost"""
|
||||||
|
@ -111,7 +116,7 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
|
||||||
forwardAuth=TraefikMiddlewareSpecForwardAuth(
|
forwardAuth=TraefikMiddlewareSpecForwardAuth(
|
||||||
address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
|
address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
|
||||||
authResponseHeaders=[],
|
authResponseHeaders=[],
|
||||||
authResponseHeadersRegex="^.*$",
|
authResponseHeadersRegex="^(Remote|X).*$",
|
||||||
trustForwardHeader=True,
|
trustForwardHeader=True,
|
||||||
)
|
)
|
||||||
),
|
),
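Review bot: The new value `authResponseHeadersRegex="^(Remote|X).*$",` in `get_reference_object` is broader than the commit title says, because without a hyphen after the group it matches any header name that starts with `Remote` or `X`, not only `Remote-` and `X-` headers. This regex selects which auth-response headers Traefik copies onto the request forwarded to the backend, so I would anchor the separator with `authResponseHeadersRegex="^(Remote|X)-.*$",`. I would also add a comment above it such as `# Allowlist of auth-response headers copied to the upstream request; a catch-all caused websocket errors (#1969)`. Even with the hyphen, `X-` presumably still covers `X-Forwarded-*` if the outpost ever returns those, so it is worth confirming that is intended. The same pattern is used in the compose label and the two `forwardAuth` YAML examples further down, which should change with it; the constructor call continues outside the hunk.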
|
||||||
|
|
|
@ -34,7 +34,7 @@ services:
|
||||||
# `authentik-proxy` refers to the service name in the compose file.
|
# `authentik-proxy` refers to the service name in the compose file.
|
||||||
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik
|
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik
|
||||||
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
|
||||||
traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^.*$$
|
traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^(Remote|X).*$$
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
|
|
||||||
whoami:
|
whoami:
|
||||||
|
|
|
@ -9,7 +9,7 @@ spec:
|
||||||
forwardAuth:
|
forwardAuth:
|
||||||
address: http://outpost.company:9000/akprox/auth/traefik
|
address: http://outpost.company:9000/akprox/auth/traefik
|
||||||
trustForwardHeader: true
|
trustForwardHeader: true
|
||||||
authResponseHeadersRegex: ^.*$
|
authResponseHeadersRegex: ^(Remote|X).*$
|
||||||
```
|
```
|
||||||
|
|
||||||
Add the following settings to your IngressRoute
|
Add the following settings to your IngressRoute
|
||||||
|
|
|
@ -5,7 +5,7 @@ http:
|
||||||
forwardAuth:
|
forwardAuth:
|
||||||
address: http://outpost.company:9000/akprox/auth/traefik
|
address: http://outpost.company:9000/akprox/auth/traefik
|
||||||
trustForwardHeader: true
|
trustForwardHeader: true
|
||||||
authResponseHeadersRegex: ^.*$
|
authResponseHeadersRegex: ^(Remote|X).*$
|
||||||
routers:
|
routers:
|
||||||
default-router:
|
default-router:
|
||||||
rule: "Host(`app.company`)"
|
rule: "Host(`app.company`)"
|
||||||
|
|