Automatic Outpost Deployment via Docker Integration prodouces invalid Traefik Labels

[Hypercookie]

Describe the bug When deploying a proxy outpost labels are added automatically which add the outpost to Traefik. For each single-forward provider a Host(<host>) label has to be used. Authentik generates these as Host(<host>, <host>, ...) which is not possible anymore since Traefik v3.0 (See here and here). This leads to an invalid deployment of the outpost which makes it defacto unusable for users with Traefik >v3.0 since the label can not be disabled as far as I can tell.

To Reproduce Deploy a proxy outpost with multilple providers on a system with Traefik > v3.0 which uses the docker label integration

Expected behavior Authentik should generate a valid label.

Logs "error while adding rule Host(`<redacted>`,`<redacted>`,`<redacted>`) && PathPrefix(`/outpost.goauthentik.io`): error while adding rule and: error while adding rule Host: unexpected number of parameters; got 3, expected one of [1]"

Version and Deployment (please complete the following information):

• authentik version: 2024.4.2
• Deployment: docker-compose

[LeonMusCoden]

Experiencing the same issue when switching to traefik v3.

[DriftDevil]

I'm also getting the same issue. One inconvenient workaround (FYI, I am using Portainer to manage my docker containers/stacks), is to go to the container that was automatically created via outposts, duplicate/edit the container, click on Labels, and then edit the router rule.

e.g. (Host(`a.domain.tld`) || Host(`b.domain.tld`)) && PathPrefix(`/outpost.goauthentik.io`)

[DriftDevil]

Found the code in the repo that would need to be updated:

authentik/providers/proxy/controllers/docker.py:get_labels:Line:~31

    labels[f"traefik.http.routers.{traefik_name}-router.rule"] = (
        f"Host({','.join(hosts)}) && PathPrefix(`/outpost.goauthentik.io`)"
    )

Something along the lines of the following:

labels[f"traefik.http.routers.{traefik_name}-router.rule"] = (
  f"({' || '.join([f'Host(`{host}`)' for host in hosts])}) && PathPrefix(`/outpost.goauthentik.io`)"
)

[Aetherinox]

I'm also getting the same issue. One inconvenient workaround (FYI, I am using Portainer to manage my docker containers/stacks), is to go to the container that was automatically created via outposts, duplicate/edit the container, click on Labels, and then edit the router rule.

e.g. (Host(a.domain.tld) || Host(b.domain.tld)) && PathPrefix(/outpost.goauthentik.io)

Thanks for this. That worked good.

Wondering if I can just add the authentik/proxy image to my docker-compose and set it up manually myself so that I can bring it up / down without needing to edit the label in portainer.

[rissson]

Would you be willing to open a PR for this?

[DriftDevil]

I'll try and see if I can. I'll have to set an environment up. Thanks.

[dandrade-wave]

Hi, you have a bug there:

labels[f"traefik.http.routers.{traefik_name}-router.rule"] = (
  f"({' || '.join([f'Host(`{host}`)' for host in hosts])}) && PathPrefix(`/outpost.goauthentik.io`)"
)

should be:

labels[f"traefik.http.routers.{traefik_name}-router.rule"] = (
  f"({' || '.join([f'Host({host})' for host in hosts])}) && PathPrefix(`/outpost.goauthentik.io`)"
)

with the current version is generating something like this

(Host(``whoami.localhost``)) && PathPrefix(`/outpost.goauthentik.io`)

the double quote gives a error on traefik.

Can you fixed?

[rissson]

Feel free to open a PR