search

goauthentik / authentik

The authentication glue you need.
https://goauthentik.io
Other
7.92k stars 612 forks source link

Automatic Outpost Deployment via Docker Integration prodouces invalid Traefik Labels #9786

Open Hypercookie opened 1 month ago

Hypercookie commented 1 month ago

Describe the bug When deploying a proxy outpost labels are added automatically which add the outpost to Traefik. For each single-forward provider a Host(<host>) label has to be used. Authentik generates these as Host(<host>, <host>, ...) which is not possible anymore since Traefik v3.0 (See here and here). This leads to an invalid deployment of the outpost which makes it defacto unusable for users with Traefik >v3.0 since the label can not be disabled as far as I can tell.

To Reproduce Deploy a proxy outpost with multilple providers on a system with Traefik > v3.0 which uses the docker label integration

Expected behavior Authentik should generate a valid label.

Logs "error while adding rule Host(`<redacted>`,`<redacted>`,`<redacted>`) && PathPrefix(`/outpost.goauthentik.io`): error while adding rule and: error while adding rule Host: unexpected number of parameters; got 3, expected one of [1]"

Version and Deployment (please complete the following information):

LeonMusCoden commented 1 month ago

Experiencing the same issue when switching to traefik v3.

DriftDevil commented 1 month ago

I'm also getting the same issue. One inconvenient workaround (FYI, I am using Portainer to manage my docker containers/stacks), is to go to the container that was automatically created via outposts, duplicate/edit the container, click on Labels, and then edit the router rule. image image image

image e.g. (Host(`a.domain.tld`) || Host(`b.domain.tld`)) && PathPrefix(`/outpost.goauthentik.io`)

DriftDevil commented 4 weeks ago

Found the code in the repo that would need to be updated:

authentik/providers/proxy/controllers/docker.py:get_labels:Line:~31

    labels[f"traefik.http.routers.{traefik_name}-router.rule"] = (
        f"Host({','.join(hosts)}) && PathPrefix(`/outpost.goauthentik.io`)"
    )

Something along the lines of the following:

labels[f"traefik.http.routers.{traefik_name}-router.rule"] = (
  f"({' || '.join([f'Host(`{host}`)' for host in hosts])}) && PathPrefix(`/outpost.goauthentik.io`)"
)
Aetherinox commented 2 weeks ago

I'm also getting the same issue. One inconvenient workaround (FYI, I am using Portainer to manage my docker containers/stacks), is to go to the container that was automatically created via outposts, duplicate/edit the container, click on Labels, and then edit the router rule. image image image

image e.g. (Host(a.domain.tld) || Host(b.domain.tld)) && PathPrefix(/outpost.goauthentik.io)

Thanks for this. That worked good.

Wondering if I can just add the authentik/proxy image to my docker-compose and set it up manually myself so that I can bring it up / down without needing to edit the label in portainer.

rissson commented 2 weeks ago

Would you be willing to open a PR for this?

DriftDevil commented 1 week ago

I'll try and see if I can. I'll have to set an environment up. Thanks.