goauthentik / authentik

The authentication glue you need.
https://goauthentik.io
Other
13.79k stars 928 forks source link

Kubernetes standalone outpost gives Failed to fetch outpost configuration... error="403 Forbidden" #11454

Open crazyelectron-io opened 2 months ago

crazyelectron-io commented 2 months ago

Installed Authentik on Kubernetes (K3s v1.30.1) using Helm. Works fine for OAuth. I want ro use a separate outpost and created it using the example manifests (just replacing the __AUTHENTIK_XXXX__ values). It doesn't seem to work because the log of the Outpost Pod is flooded with:

level=error event="Failed to fetch outpost configuration, retrying in 3 seconds" error="403 Forbidden" logger=authentik.outpost.ak-api-controller

Since it seems to be an autehntication issue I wonder if it has to do with the'__AUTHENTIK_TOKEN__' value specified in the Secret. There is no 'token' value in the Authentik Helm chart values file, so I'm not sure what to put there and if it is related to the issue.

Version and Deployment:

Additional context: The manifests used (through Ansible):

- name: Ensure the token Secret for Authentik Outpost
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        labels:
          app.kubernetes.io/instance: "{{authentik_outpost_name}}"
          app.kubernetes.io/managed-by: goauthentik.io
          app.kubernetes.io/name: authentik-proxy
          app.kubernetes.io/version: "{{authentik_chart_version}}"
        name: authentik-outpost-api
        namespace: "{{authentik_namespace}}"
      stringData:
        authentik_host: "http://authentik-authserver.{{authentik_namespace}}.svc.cluster.local:80"
        authentik_host_insecure: "true"
        token: "{{authentik_token}}"
      type: Opaque

- name: Ensure the Outpost Service for Authentik
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Service
      metadata:
        labels:
          app.kubernetes.io/instance: "{{authentik_outpost_name}}"
          app.kubernetes.io/managed-by: goauthentik.io
          app.kubernetes.io/name: authentik-proxy
          app.kubernetes.io/version: "{{authentik_chart_version}}"
        name: authentik-outpost
        namespace: "{{authentik_namespace}}"
      spec:
        ports:
          - name: http
            port: 9000
            protocol: TCP
            targetPort: http
          - name: https
            port: 9443
            protocol: TCP
            targetPort: https
        type: ClusterIP
        selector:
          app.kubernetes.io/managed-by: goauthentik.io
          app.kubernetes.io/name: authentik-outpost
          app.kubernetes.io/instance: "{{authentik_outpost_name}}"

- name: Ensure the Outpost Deployment for Authentik
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        labels:
          app.kubernetes.io/instance: "{{authentik_outpost_name}}"
          app.kubernetes.io/managed-by: goauthentik.io
          app.kubernetes.io/name: authentik-proxy
          app.kubernetes.io/version: "{{authentik_chart_version}}"
        name: authentik-outpost
        namespace: "{{authentik_namespace}}"
      spec:
        selector:
          matchLabels:
            app.kubernetes.io/instance: "{{authentik_outpost_name}}"
            app.kubernetes.io/managed-by: goauthentik.io
            app.kubernetes.io/name: authentik-proxy
            app.kubernetes.io/version: "{{authentik_chart_version}}"
        template:
          metadata:
            labels:
              app.kubernetes.io/instance: "{{authentik_outpost_name}}"
              app.kubernetes.io/managed-by: goauthentik.io
              app.kubernetes.io/name: authentik-proxy
              app.kubernetes.io/version: "{{authentik_chart_version}}"
          spec:
            containers:
              - name: authentik-proxy
                image: "{{harbor_registry}}/authentik-proxy:latest"
                env:
                  - name: AUTHENTIK_HOST
                    valueFrom:
                      secretKeyRef:
                        key: authentik_host
                        name: authentik-outpost-api
                  - name: AUTHENTIK_TOKEN
                    valueFrom:
                      secretKeyRef:
                        key: token
                        name: authentik-outpost-api
                  - name: AUTHENTIK_INSECURE
                    valueFrom:
                      secretKeyRef:
                        key: authentik_host_insecure
                        name: authentik-outpost-api
                  - name: AUTHENTIK_DEBUG
                    value: "true"
                ports:
                  - containerPort: 9000
                    name: http
                    protocol: TCP
                  - containerPort: 9443
                    name: https
                    protocol: TCP
Darkfella91 commented 2 months ago

When you create a managed proxy outpost in the Web UI it will show deployment info on the right, you click there and a window will pop up and from there you can copy the generate token for that outpost. 1