diff --git a/stacks/platform/modules/traefik/main.tf b/stacks/platform/modules/traefik/main.tf
index 3eced97b..a2df220c 100644
--- a/stacks/platform/modules/traefik/main.tf
+++ b/stacks/platform/modules/traefik/main.tf
@@ -481,7 +481,8 @@ resource "kubernetes_config_map" "auth_proxy_config" {
 auth_basic_user_file /etc/nginx/htpasswd;
 add_header X-authentik-username $remote_user always;
 add_header X-Auth-Fallback "true" always;
- return 200;
+ root /usr/share/nginx/fallback;
+ try_files /ok =403;
 }
 location /outpost.goauthentik.io/ {
@@ -503,6 +504,17 @@ resource "kubernetes_config_map" "auth_proxy_config" {
 }
 }
+resource "kubernetes_config_map" "auth_proxy_fallback" {
+ metadata {
+ name = "auth-proxy-fallback"
+ namespace = kubernetes_namespace.traefik.metadata[0].name
+ }
+
+ data = {
+ "ok" = "authenticated"
+ }
+}
+
 resource "kubernetes_deployment" "auth_proxy" {
 metadata {
 name = "auth-proxy"
@@ -562,6 +574,11 @@ resource "kubernetes_deployment" "auth_proxy" {
 sub_path = "htpasswd"
 read_only = true
 }
+ volume_mount {
+ name = "fallback"
+ mount_path = "/usr/share/nginx/fallback"
+ read_only = true
+ }
 liveness_probe {
 http_get {
@@ -603,6 +620,12 @@ resource "kubernetes_deployment" "auth_proxy" {
 secret_name = kubernetes_secret.auth_proxy_htpasswd.metadata[0].name
 }
 }
+ volume {
+ name = "fallback"
+ config_map {
+ name = kubernetes_config_map.auth_proxy_fallback.metadata[0].name
+ }
+ }
 }
 }
 }
diff --git a/stacks/traefik/modules/traefik/middleware.tf b/stacks/traefik/modules/traefik/middleware.tf
index 6e720e09..73755a21 100644
--- a/stacks/traefik/modules/traefik/middleware.tf
+++ b/stacks/traefik/modules/traefik/middleware.tf
@@ -19,6 +19,10 @@ resource "kubernetes_manifest" "middleware_rate_limit" {
 }
 }
+ field_manager {
+ force_conflicts = true
+ }
+
 depends_on = [helm_release.traefik]
 }
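Review bot: The replacement for `return 200;` in the first main.tf hunk (@@ -481,7 +481,8 @@) carries no comment saying why a static file is served, so a later cleanup could put the `return` back. nginx evaluates `return` in the rewrite phase, ahead of the access phase where basic auth is checked, which is presumably why the old line answered 200 without credentials. I would add inside the location `# do not use "return" here: it runs before auth_basic is enforced; try_files keeps the request in the access phase and fails closed with 403 if /ok is missing`. The `add_header ... always` context lines also attach `X-authentik-username` to error responses, so it is worth confirming that the forward-auth caller only trusts that header on a 2xx answer. The location block opens outside the hunk, so the `auth_basic` directive itself is not visible here.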
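Review bot: `force_conflicts = true` in the middleware.tf hunk (@@ -19,6 +19,10 @@) makes Terraform take ownership of fields on the rate-limit Middleware that another field manager has set, and nothing here records which manager that is or why overriding it is safe. A short comment above the block would help, for example `# force_conflicts: <name the other field manager> also writes this object; Terraform is the source of truth for the rate limit`. If the conflict came from a one-off manual edit, it may be better to drop the block again once the apply has gone through, so that a later out-of-band change to the rate limit surfaces as a conflict instead of being overwritten silently.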