From be8b2bf6f611222afbd3c45eea81717871a9b378 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Wed, 5 May 2021 17:53:12 +0200 Subject: [PATCH] providers/proxy: don't create ingress for domains which use forwardAuth, don't create ingress at all if all providers are forward auth Signed-off-by: Jens Langhammer --- authentik/outposts/controllers/k8s/base.py | 11 ++++++++++- authentik/providers/proxy/controllers/k8s/ingress.py | 9 +++++++-- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/authentik/outposts/controllers/k8s/base.py b/authentik/outposts/controllers/k8s/base.py index 73faa1862..95abcc8b9 100644 --- a/authentik/outposts/controllers/k8s/base.py +++ b/authentik/outposts/controllers/k8s/base.py @@ -29,6 +29,11 @@ class NeedsUpdate(ReconcileTrigger): """Exception to trigger an update to the Kubernetes Object""" +class Disabled(SentryIgnoredException): + """Exception which can be thrown in a reconciler to signal than an + object should not be created.""" + + class KubernetesObjectReconciler(Generic[T]): """Base Kubernetes Reconciler, handles the basic logic.""" @@ -50,7 +55,11 @@ class KubernetesObjectReconciler(Generic[T]): def up(self): """Create object if it doesn't exist, update if needed or recreate if needed.""" current = None - reference = self.get_reference_object() + try: + reference = self.get_reference_object() + except Disabled: + self.logger.debug("Object not required") + return try: try: current = self.retrieve() diff --git a/authentik/providers/proxy/controllers/k8s/ingress.py b/authentik/providers/proxy/controllers/k8s/ingress.py index 92d2d9fd6..79a9790d0 100644 --- a/authentik/providers/proxy/controllers/k8s/ingress.py +++ b/authentik/providers/proxy/controllers/k8s/ingress.py 
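Review bot: The docstring on the new `Disabled` class reads "signal than an object", which should be "signal that an object". It would also help to state the contract a reconciler author relies on, for example `"""Raised by get_reference_object() when the object should not exist; up() then returns without creating it."""`.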
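Review bot: The new `except Disabled:` branch in `up()` returns before `self.retrieve()` is called, so an object created by an earlier reconcile stays in the cluster once the reconciler reports it as disabled. For the ingress reconciler in this patch, that would presumably leave a previously published Ingress routing its hosts to the outpost after the providers change mode, which is an exposure and not only clutter. The branch should look up the existing object with `self.retrieve()` and remove it when one is found before returning. The removal helper and the not-found handling are outside this hunk, so the exact calls need checking against the rest of the class, and `up()` itself continues past the end of the hunk.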
@@ -17,6 +17,7 @@ from kubernetes.client.models.networking_v1beta1_ingress_rule import ( from authentik.outposts.controllers.base import FIELD_MANAGER from authentik.outposts.controllers.k8s.base import ( + Disabled, KubernetesObjectReconciler, NeedsUpdate, ) @@ -50,7 +51,8 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]): expected_hosts = [] expected_hosts_tls = [] for proxy_provider in ProxyProvider.objects.filter( - outpost__in=[self.controller.outpost] + outpost__in=[self.controller.outpost], + forward_auth_mode=True, ): proxy_provider: ProxyProvider external_host_name = urlparse(proxy_provider.external_host) @@ -98,7 +100,8 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]): rules = [] tls_hosts = [] for proxy_provider in ProxyProvider.objects.filter( - outpost__in=[self.controller.outpost] + outpost__in=[self.controller.outpost], + forward_auth_mode=True, ): proxy_provider: ProxyProvider external_host_name = urlparse(proxy_provider.external_host) @@ -119,6 +122,8 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]): ), ) rules.append(rule) + if not rules: + raise Disabled() tls_config = None if tls_hosts: tls_config = NetworkingV1beta1IngressTLS(
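Review bot: The added filter `forward_auth_mode=True` in the host-collection loop selects only forward-auth providers, while the commit subject says ingresses should not be created for domains that use forward auth, so the condition looks inverted. As written, providers in plain proxy mode would get no ingress rule, and `raise Disabled()` would fire when only those exist, while forward-auth hosts would still be routed to the outpost. If the subject line states the intent, both this loop and the identical one in the `@@ -98,7 +100,8 @@` hunk should use `forward_auth_mode=False,`. Both enclosing methods start and end outside the hunks, so the surrounding logic should be checked before flipping the value.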