habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

providers/proxy: use wildcard for traefik headers copy

Browse Source 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer
2021-12-01 20:19:35 +01:00
parent 60b95271eb
commit 7aa8e35f87
4 changed files with 5 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
authentik/providers/proxy/controllers/k8s/traefik.py
View File

@ -20,7 +20,7 @@ class TraefikMiddlewareSpecForwardAuth:
address: str address: str
# pylint: disable=invalid-name # pylint: disable=invalid-name
authResponseHeaders: list[str] authResponseHeadersRegex: str
# pylint: disable=invalid-name # pylint: disable=invalid-name
trustForwardHeader: bool trustForwardHeader: bool
@ -108,21 +108,7 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
spec=TraefikMiddlewareSpec( spec=TraefikMiddlewareSpec(
forwardAuth=TraefikMiddlewareSpecForwardAuth( forwardAuth=TraefikMiddlewareSpecForwardAuth(
address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik", address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
authResponseHeaders=[ authResponseHeadersRegex="^.*$",
"Set-Cookie",
# Legacy headers, remove after 2022.1
"X-Auth-Username",
"X-Auth-Groups",
"X-Forwarded-Email",
"X-Forwarded-Preferred-Username",
"X-Forwarded-User",
# New headers, unique prefix
"X-authentik-username",
"X-authentik-groups",
"X-authentik-email",
"X-authentik-name",
"X-authentik-uid",
],
trustForwardHeader=True, trustForwardHeader=True,
) )
), ),

2
website/docs/providers/proxy/_traefik_compose.md
View File

@ -50,7 +50,7 @@ services:
traefik.http.routers.authentik.tls: true traefik.http.routers.authentik.tls: true
traefik.http.middlewares.authentik.forwardauth.address: http://outpost.company:9000/akprox/auth/traefik traefik.http.middlewares.authentik.forwardauth.address: http://outpost.company:9000/akprox/auth/traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^.*$
restart: unless-stopped restart: unless-stopped
whoami: whoami:

8
website/docs/providers/proxy/_traefik_ingress.md
View File

@ -9,13 +9,7 @@ spec:
forwardAuth: forwardAuth:
address: http://outpost.company:9000/akprox/auth/traefik address: http://outpost.company:9000/akprox/auth/traefik
trustForwardHeader: true trustForwardHeader: true
authResponseHeaders: authResponseHeadersRegex: ^.*$
- Set-Cookie
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
``` ```
Add the following settings to your IngressRoute Add the following settings to your IngressRoute

8
website/docs/providers/proxy/_traefik_standalone.md
View File

@ -5,13 +5,7 @@ http:
forwardAuth: forwardAuth:
address: http://outpost.company:9000/akprox/auth/traefik address: http://outpost.company:9000/akprox/auth/traefik
trustForwardHeader: true trustForwardHeader: true
authResponseHeaders: authResponseHeadersRegex: ^.*$
- Set-Cookie
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
routers: routers:
default-router: default-router:
rule: "Host(`app.company`)" rule: "Host(`app.company`)"