outposts/proxy: fix traefik header regex to only match Remote- and X- headers to prevent websocket errors

closes #1969

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-12-20 13:30:19 +01:00
parent ba527e7141
commit ef23a0da52
4 changed files with 9 additions and 4 deletions

View file

@ -96,6 +96,11 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
super().reconcile(current, reference)
if current.spec.forwardAuth.address != reference.spec.forwardAuth.address:
raise NeedsUpdate()
if (
current.spec.forwardAuth.authResponseHeadersRegex
!= reference.spec.forwardAuth.authResponseHeadersRegex
):
raise NeedsUpdate()
def get_reference_object(self) -> TraefikMiddleware:
"""Get deployment object for outpost"""
@ -111,7 +116,7 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
forwardAuth=TraefikMiddlewareSpecForwardAuth(
address=f"http://{self.name}.{self.namespace}:9000/akprox/auth/traefik",
authResponseHeaders=[],
authResponseHeadersRegex="^.*$",
authResponseHeadersRegex="^(Remote|X).*$",
trustForwardHeader=True,
)
),

View file

@ -34,7 +34,7 @@ services:
# `authentik-proxy` refers to the service name in the compose file.
traefik.http.middlewares.authentik.forwardauth.address: http://authentik-proxy:9000/akprox/auth/traefik
traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^.*$$
traefik.http.middlewares.authentik.forwardauth.authResponseHeadersRegex: ^(Remote|X).*$$
restart: unless-stopped
whoami:

View file

@ -9,7 +9,7 @@ spec:
forwardAuth:
address: http://outpost.company:9000/akprox/auth/traefik
trustForwardHeader: true
authResponseHeadersRegex: ^.*$
authResponseHeadersRegex: ^(Remote|X).*$
```
Add the following settings to your IngressRoute

View file

@ -5,7 +5,7 @@ http:
forwardAuth:
address: http://outpost.company:9000/akprox/auth/traefik
trustForwardHeader: true
authResponseHeadersRegex: ^.*$
authResponseHeadersRegex: ^(Remote|X).*$
routers:
default-router:
rule: "Host(`app.company`)"