From 8a60a7e26fd8fe6fd061e5e672ae18c7b84fca4c Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 21 Dec 2021 12:04:54 +0100
Subject: [PATCH] providers/proxy: revert to static list of forwarded headers
wildcard is not usable for this since the regular expression doesn't support negative lookahead, meaning we would always forward all headers, including Connection and others
closes #1969
Signed-off-by: Jens Langhammer
---
 .../proxy/controllers/k8s/ingress.py | 2 --
 .../proxy/controllers/k8s/traefik.py | 28 +++++++++++++++++--
 2 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/authentik/providers/proxy/controllers/k8s/ingress.py b/authentik/providers/proxy/controllers/k8s/ingress.py
index 2815f2a9d..7b4f10d5d 100644
--- a/authentik/providers/proxy/controllers/k8s/ingress.py
+++ b/authentik/providers/proxy/controllers/k8s/ingress.py
@@ -92,8 +92,6 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
             # Buffer sizes for large headers with JWTs
             "nginx.ingress.kubernetes.io/proxy-buffers-number": "4",
             "nginx.ingress.kubernetes.io/proxy-buffer-size": "16k",
-            # Ensure ingress can receive TLS traffic
-            "traefik.ingress.kubernetes.io/router.tls": "true",
         }
         annotations.update(self.controller.outpost.config.kubernetes_ingress_annotations)
         return annotations
diff --git a/authentik/providers/proxy/controllers/k8s/traefik.py b/authentik/providers/proxy/controllers/k8s/traefik.py
index 7c29b7226..22b7a4f47 100644
--- a/authentik/providers/proxy/controllers/k8s/traefik.py
+++ b/authentik/providers/proxy/controllers/k8s/traefik.py
@@ -101,6 +101,11 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
             != reference.spec.forwardAuth.authResponseHeadersRegex
         ):
             raise NeedsUpdate()
+        # Ensure all of our headers are set, others can be added by the user.
+        if not set(current.spec.forwardAuth.authResponseHeaders).issubset(
+            reference.spec.forwardAuth.authResponseHeaders
+        ):
+            raise NeedsUpdate()

     def get_reference_object(self) -> TraefikMiddleware:
         """Get deployment object for outpost"""
@@ -115,8 +120,27 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
             spec=TraefikMiddlewareSpec(
                 forwardAuth=TraefikMiddlewareSpecForwardAuth(
                     address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
-                    authResponseHeaders=[],
-                    authResponseHeadersRegex="^(Auth|Remote|X|Set).*$",
+                    authResponseHeaders=[
+                        # Legacy headers, remove after 2022.1
+                        "X-Auth-Username",
+                        "X-Auth-Groups",
+                        "X-Forwarded-Email",
+                        "X-Forwarded-Preferred-Username",
+                        "X-Forwarded-User",
+                        # New headers, unique prefix
+                        "X-authentik-username",
+                        "X-authentik-groups",
+                        "X-authentik-email",
+                        "X-authentik-name",
+                        "X-authentik-uid",
+                        "X-authentik-jwt",
+                        "X-authentik-meta-jwks",
+                        "X-authentik-meta-outpost",
+                        "X-authentik-meta-provider",
+                        "X-authentik-meta-app",
+                        "X-authentik-meta-version",
+                    ],
+                    authResponseHeadersRegex="",
                     trustForwardHeader=True,
                 )
             ),
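Review bot: The new subset check is inverted relative to its own comment: `set(current...).issubset(reference...)` raises NeedsUpdate when the live middleware carries extra headers the reference lacks (exactly the user-added ones the comment says are allowed) and stays silent when the live list is missing authentik's headers, e.g. an object still holding the previous `authResponseHeaders=[]`. The intended direction is `if not set(reference.spec.forwardAuth.authResponseHeaders).issubset(current.spec.forwardAuth.authResponseHeaders or []):`, where `or []` guards a field the live object may not carry at all — confirm whether the model can return None here. This is the path that guarantees the X-authentik-* identity headers actually reach upstream applications after an upgrade; today the regex comparison just above happens to force the migration, but nothing enforces the header list itself afterwards. The enclosing reconcile method starts outside the hunk.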
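Review bot: `authResponseHeadersRegex=""` relies on Traefik treating an empty pattern as "regex disabled"; if a given Traefik version compiled it unconditionally, an empty Go regexp matches every string and the forward-everything behaviour this commit reverts would come back, so it is worth confirming against the supported Traefik versions and recording the assumption with a comment such as `# Empty string disables regex matching; the explicit list above is authoritative`. The header list is also inlined in get_reference_object while the reconcile check in the earlier hunk depends on the same set, so hoisting it to a module-level constant would keep the two in step and make the "remove after 2022.1" legacy-header cleanup a one-place change. The enclosing method get_reference_object starts outside the hunk and the surrounding spec literal continues past it.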