goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Failed to fetch outpost configuration #9673

Open Jeppedy opened 3 months ago

Jeppedy commented 3 months ago

Describe the bug Logs are being spammed with the following:

INF auth_via=unauthenticated domain_url=0.0.0.0 event=/api/v3/outposts/instances/ host=0.0.0.0:9000 logger=authentik.asgi method=GET pid=42 remote=127.0.0.1 request_id=2f6cf7e717654ec1aff612ebc595bc70 runtime=11 schema_name=public scheme=http status=403 timestamp=2024-05-10T02:01:07.595703 user= user_agent=goauthentik.io/outpost/2024.2.2
ERR error=403 Forbidden event=Failed to fetch outpost configuration, retrying in 3 seconds logger=authentik.outpost.ak-api-controller timestamp=2024-05-10T02:01:07Z

To Reproduce I simply installed, it's been running for weeks. Supporting 5+ applications. I happened to check my logs and these messages are coming every three seconds, constantly.

Expected behavior No log entries

Screenshots n/a

Logs

INF auth_via=unauthenticated domain_url=0.0.0.0 event=/api/v3/outposts/instances/ host=0.0.0.0:9000 logger=authentik.asgi method=GET pid=42 remote=127.0.0.1 request_id=2f6cf7e717654ec1aff612ebc595bc70 runtime=11 schema_name=public scheme=http status=403 timestamp=2024-05-10T02:01:07.595703 user= user_agent=goauthentik.io/outpost/2024.2.2
ERR error=403 Forbidden event=Failed to fetch outpost configuration, retrying in 3 seconds logger=authentik.outpost.ak-api-controller timestamp=2024-05-10T02:01:07Z

Version and Deployment (please complete the following information):

Additional context Docker Compose file:

---
version: "3.4"

services:
  postgresql:
    image: docker.io/library/postgres:12-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - /home/jherr/docker-containers/authentik/database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}
    env_file:
      - stack.env
  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - /home/jherr/docker-containers/authentik/redis:/data
  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
    restart: unless-stopped
    command: server
    environment:
      #AUTHENTIK_LISTEN__HTTP: 0.0.0.0:9000  #Added to try to fix things
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - /home/jherr/docker-containers/authentik/media:/media
      - /home/jherr/docker-containers/authentik/custom-templates:/templates
    env_file:
      - stack.env
    ports:
      - ${AUTHENTIK_PORT_HTTP:-9000}:9000
      - ${AUTHENTIK_PORT_HTTPS:-9443}:9443
    depends_on:
      - postgresql
      - redis
  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.2.2}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/jherr/docker-containers/authentik/media:/media
      - /home/jherr/docker-containers/authentik/certs:/certs
      - /home/jherr/docker-containers/authentik/custom-templates:/templates
    env_file:
      - stack.env
    depends_on:
      - postgresql
      - redis

authentik-automation[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

alex4108 commented 1 month ago

I am reproducing with a fresh install of 2024.6.0. k8s deployment spec:

spec:
  containers:
  - name: authentik
    image: ghcr.io/goauthentik/server:2024.6.0
    args: ["server"]
    readinessProbe:
      httpGet:
        path: /-/health/ready/
        port: 9000
      initialDelaySeconds: 5
      periodSeconds: 10
    livenessProbe:
      httpGet:
        path: /-/health/live/
        port: 9000
      initialDelaySeconds: 5
      periodSeconds: 10
    env:
    - name: AUTHENTIK_REDIS__HOST
      value: "redis.redis"
    - name: AUTHENTIK_REDIS__PORT
      value: "6379"
    - name: AUTHENTIK_REDIS__DB
      value: "0"
    - name: AUTHENTIK_POSTGRESQL__HOST
      value: "psqlcluster.postgres-operator-system.svc.cluster.local"
    - name: AUTHENTIK_POSTGRESQL__USER
      valueFrom:
        secretKeyRef:
          name: authentik.authentik.psqlcluster.credentials.postgresql.acid.zalan.do
          key: username
    - name: AUTHENTIK_POSTGRESQL__NAME
      value: authentik
    - name: AUTHENTIK_POSTGRESQL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: authentik.authentik.psqlcluster.credentials.postgresql.acid.zalan.do
          key: password
    - name: AUTHENTIK_POSTGRESQL__SSLMODE
      value: require
    - name: AUTHENTIK_POSTGRESQL__USE_PGBOUNCER
      value: 'true'
    # On fresh init, comment READ_REPLICAS settings (fixed after 2024.6.0)
    # - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__HOST
    #   value: "psqlcluster-repl.postgres-operator-system.svc.cluster.local"
    # - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__NAME
    #   value: authentik
    # - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__USER
    #   valueFrom:
    #     secretKeyRef:
    #       name: authentik.authentik.psqlcluster.credentials.postgresql.acid.zalan.do
    #       key: username
    # - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PORT
    #   value: "5432"
    # - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PASSWORD
    #   valueFrom:
    #     secretKeyRef:
    #       name: authentik.authentik.psqlcluster.credentials.postgresql.acid.zalan.do
    #       key: password
    # - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__SSLMODE
    #   value: "require"
    - name: AUTHENTIK_EMAIL__HOST
      value: "mail.xxx.com"
    - name: AUTHENTIK_EMAIL__PORT
      value: "587"
    - name: AUTHENTIK_EMAIL__USERNAME
      valueFrom:
        secretKeyRef:
          name: smtp
          key: username
    - name: AUTHENTIK_EMAIL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: smtp
          key: password
    - name: AUTHENTIK_EMAIL__USE_TLS
      value: "true"
    - name: AUTHENTIK_EMAIL__USE_SSL
      value: "false"
    - name: AUTHENTIK_EMAIL__TIMEOUT
      value: "10"
    - name: AUTHENTIK_EMAIL__FROM
      valueFrom:
        secretKeyRef:
          name: smtp
          key: username
    - name: AUTHENTIK_SECRET_KEY
      valueFrom:
        secretKeyRef:
          name: authentik-secret-key
          key: secret
    volumeMounts:
    - mountPath: /media
      name: media
    ports:
    - containerPort: 9000
    - containerPort: 9443
    - containerPort: 3389
    - containerPort: 6636
    securityContext:
      allowPrivilegeEscalation: false
      runAsUser: 0
  volumes:
  - name: media
    persistentVolumeClaim:
      claimName: media2-pvc

BeryJu commented 1 week ago

This can happen when either the "Embedded outpost" object in authentik was deleted or modified incorrectly (I think there was also a bug that caused this at some point since the field responsible for this is not exposed).

In the authentik-server container you can run ak shell and then paste

    Outpost.objects.filter(name="authentik Embedded Outpost").update(managed="goauthentik.io/outposts/embedded")

into that shell; that should fix the issue (assuming the embedded outpost object exists).
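
A way to spot the retry loop reported in this thread in collected logs, as an added example that is not part of the thread or of authentik's own code. The sample lines are constructed from the two lines quoted in the issue (fields trimmed), and the function names and the `auth_via=session` value are assumptions of the example.

```python
import re
from collections import Counter

# The quoted lines are key=value pairs whose values are unquoted and may contain
# spaces ("error=403 Forbidden"), so a value ends where the next " key=" begins.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_line(line):
    """Return the fields of one log line, plus the leading level as 'level'."""
    line = line.strip()
    fields = dict(FIELD.findall(line))
    fields["level"] = line.split(None, 1)[0] if line else ""
    return fields

def outpost_auth_failures(lines, threshold=3):
    """Count unauthenticated 403s on the outposts API per (remote, user_agent)."""
    hits = Counter()
    for f in map(parse_line, lines):
        if (f.get("logger") == "authentik.asgi"
                and f.get("event", "").startswith("/api/v3/outposts/")
                and f.get("status") == "403"
                and f.get("auth_via") == "unauthenticated"):
            hits[(f.get("remote"), f.get("user_agent"))] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample modelled on the two lines quoted in the issue (fields trimmed).
REQ = ("INF auth_via={auth} event={path} logger=authentik.asgi method=GET "
       "remote={remote} status={status} timestamp=2024-05-10T02:01:{sec:02d} "
       "user={user} user_agent={ua}")
ERR = ("ERR error=403 Forbidden event=Failed to fetch outpost configuration, "
       "retrying in 3 seconds logger=authentik.outpost.ak-api-controller "
       "timestamp=2024-05-10T02:01:{sec:02d}Z")
OUTPOST_UA = "goauthentik.io/outpost/2024.2.2"

def sample_lines():
    lines = []
    for sec in (7, 10, 13):  # the 3-second retry loop from the report
        lines.append(REQ.format(auth="unauthenticated", path="/api/v3/outposts/instances/",
                                remote="127.0.0.1", status=403, sec=sec, user="",
                                ua=OUTPOST_UA))
        lines.append(ERR.format(sec=sec))
    # An unrelated, successful request that must not be counted.
    lines.append(REQ.format(auth="session", path="/api/v3/core/applications/",
                            remote="10.0.0.5", status=200, sec=14, user="akadmin",
                            ua="Mozilla/5.0"))
    return lines

if __name__ == "__main__":
    for (remote, ua), n in outpost_auth_failures(sample_lines()).items():
        print(f"{n} unauthenticated 403s on the outposts API from {remote} ({ua})")
```

A loopback `remote` combined with the outpost user agent matches the embedded-outpost case described above; the same counter fed from a log pipeline makes the condition visible without waiting for someone to read the container logs.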