Greetings, I've been noodling with this one for a few days now, so any suggestions or help would be greatly appreciated. What I'm attempting to do as a test is protect the Traefik dashboard with forwardauth and authentik, but I'm running into odd issues. Both Traefik and Authentik are deployed via Helm on a K8s cluster, following their respective guides.
```
NAME                                READY   STATUS    RESTARTS      AGE   IP             NODE          NOMINATED NODE   READINESS GATES
authentik-postgresql-0              1/1     Running   0             39h   10.244.3.82    k8s-worker1   <none>           <none>
authentik-redis-master-0            1/1     Running   0             39h   10.244.3.83    k8s-worker1   <none>           <none>
authentik-server-7df8799d5d-574s2   1/1     Running   1 (39h ago)   39h   10.244.5.123   k8s-worker3   <none>           <none>
authentik-worker-5c64f454c6-b8chw   1/1     Running   0             39h   10.244.5.122   k8s-worker3   <none>           <none>

NAME                       READY   STATUS    RESTARTS   AGE   IP             NODE          NOMINATED NODE   READINESS GATES
traefik-84b569c7db-xzzgm   1/1     Running   0          25h   10.244.5.124   k8s-worker3   <none>           <none>
```
Traefik has a LB config running:

```
NAME      TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
traefik   LoadBalancer   10.107.191.141   10.0.8.100    80:30483/TCP,443:32105/TCP   35h
```
Authentik is using the ingress:

```
NAMESPACE   NAME        CLASS     HOSTS            ADDRESS   PORTS   AGE
authentik   authentik   traefik   sso.domain.com             80      39h
```
and its services are just ClusterIPs with no externals.
So what is happening right now is one of two things: I request https://traefik.domain.com and I get redirected to sso.domain.com for auth, and then it dies there after auth (doesn't redirect back to https://traefik.domain.com/), or I get stuck in a loop of traefik > auth > traefik very quickly.
As far as I can tell from many Google searches, I believe my ingressroute is correct:

```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: "Host(`traefik.domain.com`)"
      middlewares:
        - name: authentik
          namespace: traefik
      priority: 10
      services:
        - name: api@internal
          namespace: traefik
          kind: TraefikService
    - kind: Rule
      match: "Host(`traefik.domain.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      priority: 15
      services:
        - kind: Service
          name: authentik
          namespace: authentik
          port: 80
```
And here's my middleware:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authentik
  namespace: traefik
spec:
  forwardAuth:
    address: https://sso.domain.com/outpost.goauthentik.io/auth/traefik
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version
```
Anyone have any ideas?