diff --git a/authentik/outposts/controllers/k8s/base.py b/authentik/outposts/controllers/k8s/base.py index 2e53abb4c2..96c2f94640 100644 --- a/authentik/outposts/controllers/k8s/base.py +++ b/authentik/outposts/controllers/k8s/base.py @@ -30,11 +30,6 @@ class NeedsUpdate(ReconcileTrigger): """Exception to trigger an update to the Kubernetes Object""" -class Disabled(SentryIgnoredException): - """Exception which can be thrown in a reconciler to signal than an - object should not be created.""" - - class KubernetesObjectReconciler(Generic[T]): """Base Kubernetes Reconciler, handles the basic logic.""" @@ -45,6 +40,11 @@ class KubernetesObjectReconciler(Generic[T]): self.namespace = controller.outpost.config.kubernetes_namespace self.logger = get_logger().bind(type=self.__class__.__name__) + @property + def noop(self) -> bool: + """Return true if this object should not be created/updated/deleted in this cluster""" + return False + @property def name(self) -> str: """Get the name of the object this reconciler manages""" @@ -59,11 +59,10 @@ class KubernetesObjectReconciler(Generic[T]): def up(self): """Create object if it doesn't exist, update if needed or recreate if needed.""" current = None - try: - reference = self.get_reference_object() - except Disabled: - self.logger.debug("Object not required") + if self.noop: + self.logger.debug("Object is noop") return + reference = self.get_reference_object() try: try: current = self.retrieve() @@ -92,11 +91,8 @@ class KubernetesObjectReconciler(Generic[T]): def down(self): """Delete object if found""" - # Call self.get_reference_object to check if we even need to do anything - try: - self.get_reference_object() - except Disabled: - self.logger.debug("Object not required") + if self.noop: + self.logger.debug("Object is noop") return try: current = self.retrieve() diff --git a/authentik/outposts/controllers/kubernetes.py b/authentik/outposts/controllers/kubernetes.py index b412ee9859..68363fabb0 100644 
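Review bot: The `noop` docstring added in the `@@ -45,6 +40,11 @@` hunk does not say what happens to an object that already exists when `noop` becomes true. With the early returns added to `up()` and `down()` in the later hunks of this file, both methods return before `retrieve()`, so such an object is neither updated nor deleted and stays in the cluster; for an Ingress or a forward-auth Middleware that means a leftover routing object. The removed `Disabled` path appears to have behaved the same way, but nothing states it. If that is intended, I would extend the docstring, e.g. `"""Return true if this object should not be created/updated/deleted in this cluster. Objects that already exist are left untouched while this is true."""`. The bodies of `up()` and `down()` continue outside their hunks.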
--- a/authentik/outposts/controllers/kubernetes.py +++ b/authentik/outposts/controllers/kubernetes.py @@ -8,7 +8,7 @@ from structlog.testing import capture_logs from yaml import dump_all from authentik.outposts.controllers.base import BaseController, ControllerException -from authentik.outposts.controllers.k8s.base import Disabled, KubernetesObjectReconciler +from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler from authentik.outposts.controllers.k8s.secret import SecretReconciler from authentik.outposts.controllers.k8s.service import ServiceReconciler @@ -89,10 +89,9 @@ class KubernetesController(BaseController): documents = [] for reconcile_key in self.reconcile_order: reconciler = self.reconcilers[reconcile_key](self) - try: - documents.append(reconciler.get_reference_object().to_dict()) - except Disabled: + if reconciler.noop: continue + documents.append(reconciler.get_reference_object().to_dict()) with StringIO() as _str: dump_all( diff --git a/authentik/providers/proxy/controllers/k8s/ingress.py b/authentik/providers/proxy/controllers/k8s/ingress.py index e6356a244c..bf0c588ab6 100644 --- a/authentik/providers/proxy/controllers/k8s/ingress.py +++ b/authentik/providers/proxy/controllers/k8s/ingress.py @@ -17,7 +17,6 @@ from kubernetes.client.models.networking_v1beta1_ingress_rule import ( from authentik.outposts.controllers.base import FIELD_MANAGER from authentik.outposts.controllers.k8s.base import ( - Disabled, KubernetesObjectReconciler, NeedsUpdate, ) @@ -137,9 +136,6 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]): ), ) rules.append(rule) - if not rules: - self.logger.debug("No providers use proxying, no ingress needed") - raise Disabled() tls_config = None if tls_hosts: tls_config = NetworkingV1beta1IngressTLS( 
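Review bot: `if reconciler.noop: continue` in the `@@ -89,10 +89,9 @@` hunk skips only reconcilers that override `noop`, and `IngressReconciler` gets no override in the visible hunks even though its `if not rules: raise Disabled()` guard is removed in the ingress.py hunk below. It therefore inherits the base `noop` (always `False`), so when no provider yields a rule this loop, and `up()` in k8s/base.py, would go on to build an Ingress with an empty rule list, which the API server may well reject. I would add a `noop` property to `IngressReconciler` (decorated with `@property`) that returns true under the condition the removed guard covered, or keep an explicit empty-rules check. The code that fills `rules` is outside the hunk, so the exact condition needs confirming there.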
diff --git a/authentik/providers/proxy/controllers/k8s/traefik.py b/authentik/providers/proxy/controllers/k8s/traefik.py index 1b3e15949a..7ce2b43cd9 100644 --- a/authentik/providers/proxy/controllers/k8s/traefik.py +++ b/authentik/providers/proxy/controllers/k8s/traefik.py @@ -7,7 +7,6 @@ from kubernetes.client import ApiextensionsV1Api, CustomObjectsApi from authentik.outposts.controllers.base import FIELD_MANAGER from authentik.outposts.controllers.k8s.base import ( - Disabled, KubernetesObjectReconciler, NeedsUpdate, ) @@ -70,6 +69,18 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware]) self.api_ex = ApiextensionsV1Api(controller.client) self.api = CustomObjectsApi(controller.client) + def noop(self) -> bool: + if not ProxyProvider.objects.filter( + outpost__in=[self.controller.outpost], + forward_auth_mode=True, + ).exists(): + self.logger.debug("No providers with forward auth enabled.") + return True + if not self._crd_exists(): + self.logger.debug("CRD doesn't exist") + return True + return False + def _crd_exists(self) -> bool: """Check if the traefik middleware exists""" return bool( @@ -87,15 +98,6 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware]) def get_reference_object(self) -> TraefikMiddleware: """Get deployment object for outpost""" - if not ProxyProvider.objects.filter( - outpost__in=[self.controller.outpost], - forward_auth_mode=True, - ).exists(): - self.logger.debug("No providers with forward auth enabled.") - raise Disabled() - if not self._crd_exists(): - self.logger.debug("CRD doesn't exist") - raise Disabled() return TraefikMiddleware( apiVersion=f"{CRD_GROUP}/{CRD_VERSION}", kind="Middleware",
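Review bot: `noop` is added in the `@@ -70,6 +69,18 @@` hunk as a plain method, but the base class declares it as a `@property` and every caller tests it by truthiness (`if self.noop:` in `up()` and `down()` in k8s/base.py, `if reconciler.noop:` in kubernetes.py). Without the decorator `self.noop` is a bound method, which is always truthy, so this reconciler is always skipped: the Middleware is never created, updated or deleted, it is left out of the documents built in kubernetes.py, and the provider and CRD checks in the body never run. Add `@property` above `def noop(self) -> bool:` and a docstring such as `"""Skip the Middleware when no provider uses forward auth or the Traefik CRD is absent"""`. A test asserting `reconciler.noop is False` for an outpost with a forward-auth provider would catch this.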