outposts/proxy: fix traefik header regex to only match Remote- and X- headers to prevent websocket errors

closes #1969

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens Langhammer 2021-12-20 13:30:19 +01:00
parent ba527e7141
commit ef23a0da52
4 changed files with 9 additions and 4 deletions


@ -96,6 +96,11 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
super().reconcile(current, reference) super().reconcile(current, reference)
if current.spec.forwardAuth.address != reference.spec.forwardAuth.address: if current.spec.forwardAuth.address != reference.spec.forwardAuth.address:
raise NeedsUpdate() raise NeedsUpdate()
if (
current.spec.forwardAuth.authResponseHeadersRegex
!= reference.spec.forwardAuth.authResponseHeadersRegex
):
raise NeedsUpdate()
def get_reference_object(self) -> TraefikMiddleware: def get_reference_object(self) -> TraefikMiddleware:
"""Get deployment object for outpost""" """Get deployment object for outpost"""
@ -111,7 +116,7 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
forwardAuth=TraefikMiddlewareSpecForwardAuth( forwardAuth=TraefikMiddlewareSpecForwardAuth(
address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik", address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
authResponseHeaders=[], authResponseHeaders=[],
authResponseHeadersRegex="^.*$", authResponseHeadersRegex="^(Remote|X).*$",
trustForwardHeader=True, trustForwardHeader=True,
) )
), ),
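Review bot: The new pattern `^(Remote|X).*$` in the second hunk is wider than the commit title says, because there is no hyphen after the group: any header whose name merely starts with `X` or `Remote` matches, not only `X-` and `Remote-` headers. This regex is the allowlist of auth-response headers that Traefik copies onto the request passed to the backend, so it is worth keeping as tight as the intent: `authResponseHeadersRegex="^(Remote|X)-.*$",`. The same literal is repeated in the three example configurations changed further down and should stay in step with whatever is chosen here. The body of get_reference_object starts and ends outside the hunk, so this is based only on the visible lines.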


@ -34,7 +34,7 @@ services:
# `authentik-proxy` refers to the service name in the compose file. # `authentik-proxy` refers to the service name in the compose file.
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^.*$$ traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^(Remote|X).*$$
restart: unless-stopped restart: unless-stopped
whoami: whoami:


@ -9,7 +9,7 @@ spec:
forwardAuth: forwardAuth:
address: http://outpost.company:9000/akprox/auth/traefik address: http://outpost.company:9000/akprox/auth/traefik
trustForwardHeader: true trustForwardHeader: true
authResponseHeadersRegex: ^.*$ authResponseHeadersRegex: ^(Remote|X).*$
``` ```
Add the following settings to your IngressRoute Add the following settings to your IngressRoute


@ -5,7 +5,7 @@ http:
forwardAuth: forwardAuth:
address: http://outpost.company:9000/akprox/auth/traefik address: http://outpost.company:9000/akprox/auth/traefik
trustForwardHeader: true trustForwardHeader: true
authResponseHeadersRegex: ^.*$ authResponseHeadersRegex: ^(Remote|X).*$
routers: routers:
default-router: default-router:
rule: "Host(`app.company`)" rule: "Host(`app.company`)"