habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

providers/proxy: don't create ingress for domains which use forwardAuth, don't create ingress at all if all providers are forward auth

Browse Source 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer
2021-05-05 17:53:12 +02:00
parent 3f8cd7ff13
commit be8b2bf6f6
2 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
authentik/outposts/controllers/k8s/base.py
View File

@ -29,6 +29,11 @@ class NeedsUpdate(ReconcileTrigger):
"""Exception to trigger an update to the Kubernetes Object""" """Exception to trigger an update to the Kubernetes Object"""
class Disabled(SentryIgnoredException):
"""Exception which can be thrown in a reconciler to signal than an
object should not be created."""
class KubernetesObjectReconciler(Generic[T]): class KubernetesObjectReconciler(Generic[T]):
"""Base Kubernetes Reconciler, handles the basic logic.""" """Base Kubernetes Reconciler, handles the basic logic."""
@ -50,7 +55,11 @@ class KubernetesObjectReconciler(Generic[T]):
def up(self): def up(self):
"""Create object if it doesn't exist, update if needed or recreate if needed.""" """Create object if it doesn't exist, update if needed or recreate if needed."""
current = None current = None
reference = self.get_reference_object() try:
reference = self.get_reference_object()
except Disabled:
self.logger.debug("Object not required")
return
try: try:
try: try:
current = self.retrieve() current = self.retrieve()

9
authentik/providers/proxy/controllers/k8s/ingress.py
View File

@ -17,6 +17,7 @@ from kubernetes.client.models.networking_v1beta1_ingress_rule import (
from authentik.outposts.controllers.base import FIELD_MANAGER from authentik.outposts.controllers.base import FIELD_MANAGER
from authentik.outposts.controllers.k8s.base import ( from authentik.outposts.controllers.k8s.base import (
Disabled,
KubernetesObjectReconciler, KubernetesObjectReconciler,
NeedsUpdate, NeedsUpdate,
) )
@ -50,7 +51,8 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
expected_hosts = [] expected_hosts = []
expected_hosts_tls = [] expected_hosts_tls = []
for proxy_provider in ProxyProvider.objects.filter( for proxy_provider in ProxyProvider.objects.filter(
outpost__in=[self.controller.outpost] outpost__in=[self.controller.outpost],
forward_auth_mode=True,
): ):
proxy_provider: ProxyProvider proxy_provider: ProxyProvider
external_host_name = urlparse(proxy_provider.external_host) external_host_name = urlparse(proxy_provider.external_host)
@ -98,7 +100,8 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
rules = [] rules = []
tls_hosts = [] tls_hosts = []
for proxy_provider in ProxyProvider.objects.filter( for proxy_provider in ProxyProvider.objects.filter(
outpost__in=[self.controller.outpost] outpost__in=[self.controller.outpost],
forward_auth_mode=True,
): ):
proxy_provider: ProxyProvider proxy_provider: ProxyProvider
external_host_name = urlparse(proxy_provider.external_host) external_host_name = urlparse(proxy_provider.external_host)
@ -119,6 +122,8 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
), ),
) )
rules.append(rule) rules.append(rule)
if not rules:
raise Disabled()
tls_config = None tls_config = None
if tls_hosts: if tls_hosts:
tls_config = NetworkingV1beta1IngressTLS( tls_config = NetworkingV1beta1IngressTLS(