ForwardAuth with Authentik on K8s

Greetings, I've been noodling with this one for a few days now, so any suggestions or help would be greatly appreciated. What I'm attempting to do as a test is protect the Traefik dashboard with ForwardAuth and Authentik, but I'm running into odd issues. Both Traefik and Authentik are deployed via Helm on a K8s cluster, following their respective guides.

Pod-wise:

NAME                                READY   STATUS    RESTARTS      AGE   IP             NODE          NOMINATED NODE   READINESS GATES
authentik-postgresql-0              1/1     Running   0             39h   10.244.3.82    k8s-worker1   <none>           <none>
authentik-redis-master-0            1/1     Running   0             39h   10.244.3.83    k8s-worker1   <none>           <none>
authentik-server-7df8799d5d-574s2   1/1     Running   1 (39h ago)   39h   10.244.5.123   k8s-worker3   <none>           <none>
authentik-worker-5c64f454c6-b8chw   1/1     Running   0             39h   10.244.5.122   k8s-worker3   <none>           <none>

NAME                       READY   STATUS    RESTARTS   AGE   IP             NODE          NOMINATED NODE   READINESS GATES
traefik-84b569c7db-xzzgm   1/1     Running   0          25h   10.244.5.124   k8s-worker3   <none>           <none>

Traefik has an LB service running:

NAME      TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
traefik   LoadBalancer   10.107.191.141   10.0.8.100    80:30483/TCP,443:32105/TCP   35h

Authentik is using the ingress:

NAMESPACE   NAME        CLASS     HOSTS                        ADDRESS   PORTS   AGE
authentik   authentik   traefik   sso.domain.com             80      39h

and its services are just ClusterIPs with no external addresses.

So what is happening right now is one of two things: I request https://traefik.domain.com and get redirected to sso.domain.com for auth, and then it dies there after auth (it doesn't redirect back to https://traefik.domain.com/), or I get stuck in a loop of traefik > auth > traefik very quickly.

As far as I can tell from many Google searches, I believe my IngressRoute is correct:

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    # Protected route: every request for the dashboard host passes through
    # the authentik forwardAuth middleware before reaching api@internal.
    - kind: Rule
      match: "Host(`traefik.domain.com`)"
      priority: 10
      middlewares:
        - name: authentik
          namespace: traefik
      services:
        - name: api@internal
          namespace: traefik
          kind: TraefikService
    # Outpost route: authentik's /outpost.goauthentik.io/ paths on the
    # protected host (login start, callback) go straight to the authentik
    # server, bypassing the middleware. Higher priority so it wins.
    - kind: Rule
      match: "Host(`traefik.domain.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      priority: 15
      services:
        - kind: Service
          name: authentik
          namespace: authentik
          port: 80

And here's my middleware:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authentik
  namespace: traefik
spec:
  forwardAuth:
    # Traefik calls this URL for every request; a 2xx allows the request
    # through, anything else (e.g. the 302 to login) is returned to the client.
    address: https://sso.domain.com/outpost.goauthentik.io/auth/traefik
    # Pass the X-Forwarded-* headers Traefik received on to the outpost.
    trustForwardHeader: true
    # Headers from the outpost's 2xx response that are copied onto the
    # request forwarded to the backend.
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version

Anyone have any ideas?
TIA!

Did you search for tutorials? I found this one, maybe it helps.

Greetings, thank you for the reply, but yes, that is one of the many guides I found online, and it caused the same behavior of loops or blank-page landings.

Thanks!

Hi, did you find a solution yet? I'm struggling with the same setup at the moment...
What I've learned so far:

  • Use private browser windows for testing, or delete cookies all the time; otherwise unexpected things may happen (CORS issues etc.).
  • What fixed the infinite redirect loop for me was to NOT use the external URL/hostname in the middleware definition, so instead of
address: https://sso.domain.com/outpost.goauthentik.io/auth/traefik

something like

address: https://authentik-service.namespace.svc.cluster.local/outpost.goauthentik.io/auth/traefik

Also check which ports your authentik service is listening on. In my case it is just 80, so I went with http instead of https.
I don't know if this is the best setup; I'm just happy that it is working for the first time now... Also, I don't understand why it is not working correctly with the external URL...
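Below is an added example, written for this page and not taken from either poster or from the Traefik/authentik projects, that puts the fix described in the last reply into a complete manifest set. It assumes the authentik Helm release exposes a Service named `authentik` in namespace `authentik` on port 80 (the names used in the OP's IngressRoute), that Traefik's TLS entrypoint is `websecure`, and that the load balancer's source range is 10.0.8.0/24; all three are assumptions to adjust. The loop-prone external address is kept as a commented line next to the in-cluster one so the difference is visible.

```yaml
# Added example, not from the original posts. Assumptions: Service "authentik"
# in namespace "authentik" on port 80, entrypoint "websecure", LB range 10.0.8.0/24.
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authentik
  namespace: traefik
spec:
  forwardAuth:
    # Traefik itself makes this call, so the URL must be one Traefik can reach
    # directly. The external hostname resolves to the LB's external IP and relies
    # on hairpin routing plus a certificate Traefik trusts for sso.domain.com;
    # the in-cluster Service DNS name needs neither.
    # address: https://sso.domain.com/outpost.goauthentik.io/auth/traefik   # loop-prone
    address: http://authentik.authentik.svc.cluster.local:80/outpost.goauthentik.io/auth/traefik
    # The outpost builds the post-login redirect from X-Forwarded-Proto/Host/Uri,
    # so they must be forwarded. trustForwardHeader: true forwards whatever
    # X-Forwarded-* headers Traefik received, so pin which source IPs may set
    # them at the entrypoint (see the Helm values fragment at the end).
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    # The outpost's own paths on the protected host must reach the authentik
    # server without the middleware; otherwise the login callback is itself
    # sent back to forward-auth and the browser loops.
    - kind: Rule
      match: "Host(`traefik.domain.com`) && PathPrefix(`/outpost.goauthentik.io/`)"
      priority: 15
      services:
        - kind: Service
          name: authentik
          namespace: authentik
          port: 80
    # Everything else on the host is gated by the middleware.
    - kind: Rule
      match: "Host(`traefik.domain.com`)"
      priority: 10
      middlewares:
        - name: authentik
          namespace: traefik
      services:
        - kind: TraefikService
          name: api@internal
---
# Traefik Helm values fragment (not a Kubernetes object): only accept
# X-Forwarded-* headers from the load balancer's range. The CIDR is an assumption.
additionalArguments:
  - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.8.0/24"
```

Two things to verify after applying this: from a pod in the cluster, `curl -i http://authentik.authentik.svc.cluster.local/outpost.goauthentik.io/auth/traefik` should answer with a redirect (not a connection or certificate error), which confirms the address Traefik will call; and in the authentik admin UI the embedded outpost's `authentik_host` should be the browser-reachable URL (https://sso.domain.com), because that value, not the in-cluster address Traefik uses, is what the user's browser is sent to for login.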