providers/proxy: use wildcard for traefik headers copy

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-01 20:19:35 +01:00 · 2021-12-01 20:19:35 +01:00 · 7aa8e35f87
parent 60b95271eb
commit 7aa8e35f87
4 changed files with 5 additions and 31 deletions
--- a/authentik/providers/proxy/controllers/k8s/traefik.py
+++ b/authentik/providers/proxy/controllers/k8s/traefik.py
@ -20,7 +20,7 @@ class TraefikMiddlewareSpecForwardAuth:

    address: str
    # pylint: disable=invalid-name
-    authResponseHeaders: list[str]
+    authResponseHeadersRegex: str
    # pylint: disable=invalid-name
    trustForwardHeader: bool

@ -108,21 +108,7 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
            spec=TraefikMiddlewareSpec(
                forwardAuth=TraefikMiddlewareSpecForwardAuth(
                    address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
-                    authResponseHeaders=[
-                        "Set-Cookie",
-                        # Legacy headers, remove after 2022.1
-                        "X-Auth-Username",
-                        "X-Auth-Groups",
-                        "X-Forwarded-Email",
-                        "X-Forwarded-Preferred-Username",
-                        "X-Forwarded-User",
-                        # New headers, unique prefix
-                        "X-authentik-username",
-                        "X-authentik-groups",
-                        "X-authentik-email",
-                        "X-authentik-name",
-                        "X-authentik-uid",
-                    ],
+                    authResponseHeadersRegex="^.*$",
                    trustForwardHeader=True,
                )
            ),
--- a/website/docs/providers/proxy/_traefik_compose.md
+++ b/website/docs/providers/proxy/_traefik_compose.md
@ -50,7 +50,7 @@ services:
      traefik.http.routers.authentik.tls: true
      traefik.http.middlewares.authentik.forwardauth.address: http://outpost.company:9000/akprox/auth/traefik
      traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
-      traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
+      traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^.*$
    restart: unless-stopped

  whoami:
--- a/website/docs/providers/proxy/_traefik_ingress.md
+++ b/website/docs/providers/proxy/_traefik_ingress.md
@ -9,13 +9,7 @@ spec:
  forwardAuth:
    address: http://outpost.company:9000/akprox/auth/traefik
    trustForwardHeader: true
-    authResponseHeaders:
-      - Set-Cookie
-      - X-authentik-username
-      - X-authentik-groups
-      - X-authentik-email
-      - X-authentik-name
-      - X-authentik-uid
+    authResponseHeadersRegex: ^.*$
 ```

 Add the following settings to your IngressRoute
--- a/website/docs/providers/proxy/_traefik_standalone.md
+++ b/website/docs/providers/proxy/_traefik_standalone.md
@ -5,13 +5,7 @@ http:
      forwardAuth:
        address: http://outpost.company:9000/akprox/auth/traefik
        trustForwardHeader: true
-        authResponseHeaders:
-          - Set-Cookie
-          - X-authentik-username
-          - X-authentik-groups
-          - X-authentik-email
-          - X-authentik-name
-          - X-authentik-uid
+        authResponseHeadersRegex: ^.*$
  routers:
    default-router:
      rule: "Host(`app.company`)"