tests/e2e: add forward auth e2e test (#11374)

* add nginx forward_auth e2e tests Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add envoy Signed-off-by: Jens Langhammer <jens@goauthentik.io> * cleanup Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove even more duplicate code Signed-off-by: Jens Langhammer <jens@goauthentik.io> * cleanup more Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add traefik static config Signed-off-by: Jens Langhammer <jens@goauthentik.io> * more cleanup, don't generate dex config cause they support env variables Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use default dex entrypoint to use templating Signed-off-by: Jens Langhammer <jens@goauthentik.io> * remove options that are always set as default Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix compose flag Signed-off-by: Jens Langhammer <jens@goauthentik.io> * add caddy Signed-off-by: Jens Langhammer <jens@goauthentik.io> * merge python files Signed-off-by: Jens Langhammer <jens@goauthentik.io> * use whoami api to check better Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix envoy config Signed-off-by: Jens Langhammer <jens@goauthentik.io> * set invalidation flow Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix logout checks Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2026-05-03 21:02:04 +02:00 · 2024-10-16 18:01:59 +02:00
parent c4caef4c38
commit 89f251d559
24 changed files with 678 additions and 302 deletions
--- a/tests/e2e/proxy_forward_auth/envoy_single/envoy.yaml
+++ b/tests/e2e/proxy_forward_auth/envoy_single/envoy.yaml
@@ -0,0 +1,99 @@
+# yaml-language-server: $schema=https://github.com/jcchavezs/envoy-config-schema/releases/download/v1.21.0/v3_Bootstrap.json
+static_resources:
+  listeners:
+    - name: main_listener
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 10000
+      filter_chains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                stat_prefix: ingress_http
+                upgrade_configs:
+                  - upgrade_type: websocket
+                access_log:
+                  - name: envoy.access_loggers.stdout
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
+                http_filters:
+                  - name: envoy.filters.http.ext_authz
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+                      transport_api_version: V3
+                      http_service:
+                        path_prefix: /outpost.goauthentik.io/auth/envoy
+                        server_uri:
+                          uri: http://ak-test-outpost:9000
+                          cluster: authentik_outpost
+                          timeout: 0.25s
+                        authorization_request:
+                          allowed_headers:
+                            patterns:
+                              - exact: "cookie"
+                                ignore_case: true
+                        authorization_response:
+                          allowed_upstream_headers:
+                            patterns:
+                              - exact: "set-cookie"
+                                ignore_case: true
+                              - prefix: "x-authentik-"
+                                ignore_case: true
+                          allowed_client_headers_on_success:
+                            patterns:
+                              - exact: "cookie"
+                                ignore_case: true
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+                route_config:
+                  name: local_route
+                  virtual_hosts:
+                    - name: local_service
+                      domains: ["localhost"]
+                      routes:
+                        - match:
+                            prefix: "/outpost.goauthentik.io"
+                          route:
+                            cluster: authentik_outpost
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: whoami
+                    - name: local_service
+                      domains: ["*"]
+                      typed_per_filter_config:
+                        envoy.filters.http.ext_authz:
+                          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
+                          disabled: true
+                      routes:
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: authentik_outpost
+
+  clusters:
+    - name: authentik_outpost
+      type: LOGICAL_DNS
+      load_assignment:
+        cluster_name: authentik_outpost
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: ak-test-outpost
+                      port_value: 9000
+    - name: whoami
+      type: LOGICAL_DNS
+      load_assignment:
+        cluster_name: whoami
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: ak-whoami
+                      port_value: 80