outposts: use noop flag in each reconciler instead of raising Disabled and force use of get_referecen_object

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/outposts/controllers/k8s/base.py

@@ -30,11 +30,6 @@ class NeedsUpdate(ReconcileTrigger):
     """Exception to trigger an update to the Kubernetes Object"""
 
 
-class Disabled(SentryIgnoredException):
-    """Exception which can be thrown in a reconciler to signal than an
-    object should not be created."""
-
-
 class KubernetesObjectReconciler(Generic[T]):
     """Base Kubernetes Reconciler, handles the basic logic."""
 
@@ -45,6 +40,11 @@ class KubernetesObjectReconciler(Generic[T]):
         self.namespace = controller.outpost.config.kubernetes_namespace
         self.logger = get_logger().bind(type=self.__class__.__name__)
 
+    @property
+    def noop(self) -> bool:
+        """Return true if this object should not be created/updated/deleted in this cluster"""
+        return False
+
     @property
     def name(self) -> str:
         """Get the name of the object this reconciler manages"""
@@ -59,11 +59,10 @@ class KubernetesObjectReconciler(Generic[T]):
     def up(self):
         """Create object if it doesn't exist, update if needed or recreate if needed."""
         current = None
-        try:
-            reference = self.get_reference_object()
-        except Disabled:
-            self.logger.debug("Object not required")
+        if self.noop:
+            self.logger.debug("Object is noop")
             return
+        reference = self.get_reference_object()
         try:
             try:
                 current = self.retrieve()
@@ -92,11 +91,8 @@ class KubernetesObjectReconciler(Generic[T]):
 
     def down(self):
         """Delete object if found"""
-        # Call self.get_reference_object to check if we even need to do anything
-        try:
-            self.get_reference_object()
-        except Disabled:
-            self.logger.debug("Object not required")
+        if self.noop:
+            self.logger.debug("Object is noop")
             return
         try:
             current = self.retrieve()

authentik/outposts/controllers/kubernetes.py

@@ -8,7 +8,7 @@ from structlog.testing import capture_logs
 from yaml import dump_all
 
 from authentik.outposts.controllers.base import BaseController, ControllerException
-from authentik.outposts.controllers.k8s.base import Disabled, KubernetesObjectReconciler
+from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
 from authentik.outposts.controllers.k8s.deployment import DeploymentReconciler
 from authentik.outposts.controllers.k8s.secret import SecretReconciler
 from authentik.outposts.controllers.k8s.service import ServiceReconciler
@@ -89,10 +89,9 @@ class KubernetesController(BaseController):
         documents = []
         for reconcile_key in self.reconcile_order:
             reconciler = self.reconcilers[reconcile_key](self)
-            try:
-                documents.append(reconciler.get_reference_object().to_dict())
-            except Disabled:
+            if reconciler.noop:
                 continue
+            documents.append(reconciler.get_reference_object().to_dict())
 
         with StringIO() as _str:
             dump_all(

authentik/providers/proxy/controllers/k8s/ingress.py

@@ -17,7 +17,6 @@ from kubernetes.client.models.networking_v1beta1_ingress_rule import (
 
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import (
-    Disabled,
     KubernetesObjectReconciler,
     NeedsUpdate,
 )
@@ -137,9 +136,6 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
                     ),
                 )
             rules.append(rule)
-        if not rules:
-            self.logger.debug("No providers use proxying, no ingress needed")
-            raise Disabled()
         tls_config = None
         if tls_hosts:
             tls_config = NetworkingV1beta1IngressTLS(

authentik/providers/proxy/controllers/k8s/traefik.py

@@ -7,7 +7,6 @@ from kubernetes.client import ApiextensionsV1Api, CustomObjectsApi
 
 from authentik.outposts.controllers.base import FIELD_MANAGER
 from authentik.outposts.controllers.k8s.base import (
-    Disabled,
     KubernetesObjectReconciler,
     NeedsUpdate,
 )
@@ -70,6 +69,18 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
         self.api_ex = ApiextensionsV1Api(controller.client)
         self.api = CustomObjectsApi(controller.client)
 
+    def noop(self) -> bool:
+        if not ProxyProvider.objects.filter(
+            outpost__in=[self.controller.outpost],
+            forward_auth_mode=True,
+        ).exists():
+            self.logger.debug("No providers with forward auth enabled.")
+            return True
+        if not self._crd_exists():
+            self.logger.debug("CRD doesn't exist")
+            return True
+        return False
+
     def _crd_exists(self) -> bool:
         """Check if the traefik middleware exists"""
         return bool(
@@ -87,15 +98,6 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
 
     def get_reference_object(self) -> TraefikMiddleware:
         """Get deployment object for outpost"""
-        if not ProxyProvider.objects.filter(
-            outpost__in=[self.controller.outpost],
-            forward_auth_mode=True,
-        ).exists():
-            self.logger.debug("No providers with forward auth enabled.")
-            raise Disabled()
-        if not self._crd_exists():
-            self.logger.debug("CRD doesn't exist")
-            raise Disabled()
         return TraefikMiddleware(
             apiVersion=f"{CRD_GROUP}/{CRD_VERSION}",
             kind="Middleware",