404 error for kubernetes depoyment

[gopaljayanthi]

Describe the bug
/if/flow/initial-setup/ endpoint in the browser gives a 404 not found error

To Reproduce
Steps to reproduce the behavior:

1. Go to 'https://goauthentik.io/docs/installation/kubernetes'
2. Create Values.yaml
3. run helm commands
4. all pods are up and running
5. go to browser http:///if/flow/initial-setup/

Expected behavior
Page should load letting me setup ak-admin password

Screenshots
404 not found

Logs
{"event": "/api/v3/outposts/instances/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 24, "remote": "127.0.0.1", "request_id": "454efe5b57f34713bf837681449b91a6", "runtime": 35, "scheme": "http", "status": 403, "timestamp": "2022-07-11T10:39:00.436171", "user": "", "user_agent": "goauthentik.io/outpost/2022.7.2"}
{"event": "Forbidden: /api/v3/outposts/instances/", "level": "warning", "logger": "django.request", "timestamp": 1657535940.437195}
{"error":"403 Forbidden","event":"Failed to fetch outpost configuration, retrying in 3 seconds","level":"error","logger":"authentik.outpost.ak-api-controller","timestamp":"2022-07-11T10:39:00Z"}
Version and Deployment (please complete the following information):

• authentik version: authentik-2022.7.2
• Deployment: [kubectl 1.21, helm v3.1.0]

Additional context
Add any other context about the problem here.

[ghost]

I'm getting something similar on a docker-compose deployment. Just tried to set it up earlier today and I'm getting

docker logs -f authentik

{"event": "Forbidden: /api/v3/outposts/instances/", "level": "warning", "logger": "django.request", "timestamp": 1657631480.029771}
{"error":"403 Forbidden","event":"Failed to fetch outpost configuration, retrying in 3 seconds","level":"error","logger":"authentik.outpost.ak-api-controller","timestamp":"2022-07-12T13:11:20Z"}
{"event": "/api/v3/outposts/instances/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 39, "remote": "127.0.0.1", "request_id": "75b1db68f25c4a4aa0c114405dd952b7", "runtime": 28, "scheme": "http", "status": 403, "timestamp": "2022-07-12T13:11:23.063320", "user": "", "user_agent": "goauthentik.io/outpost/2022.7.2"}
{"event": "Forbidden: /api/v3/outposts/instances/", "level": "warning", "logger": "django.request", "timestamp": 1657631483.064359}
{"error":"403 Forbidden","event":"Failed to fetch outpost configuration, retrying in 3 seconds","level":"error","logger":"authentik.outpost.ak-api-controller","timestamp":"2022-07-12T13:11:23Z"}
{"event": "/api/v3/outposts/instances/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 38, "remote": "127.0.0.1", "request_id": "335acdceb95847edab5eb7a499df52b9", "runtime": 30, "scheme": "http", "status": 403, "timestamp": "2022-07-12T13:11:26.101239", "user": "", "user_agent": "goauthentik.io/outpost/2022.7.2"}
{"event": "Forbidden: /api/v3/outposts/instances/", "level": "warning", "logger": "django.request", "timestamp": 1657631486.1027539}
{"error":"403 Forbidden","event":"Failed to fetch outpost configuration, retrying in 3 seconds","level":"error","logger":"authentik.outpost.ak-api-controller","timestamp":"2022-07-12T13:11:26Z"}

I've tried both image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2022.7.2} and image: beryju/authentik but no luck so far.

The relevant part of my docker-compose.yml

    authentik-postgresql:
      image: postgres:12-alpine
      container_name: authentik-postgresql
      restart: unless-stopped
      healthcheck:
        test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
        start_period: 20s
        interval: 30s
        retries: 5
        timeout: 5s
      volumes:
        - ./authentik/db:/var/lib/postgresql/data
      environment:
        - POSTGRES_PASSWORD=${PG_PASS:?database password required}
        - POSTGRES_USER=${PG_USER:-authentik}
        - POSTGRES_DB=${PG_DB:-authentik}
      env_file:
        - .env
        
    authentik-redis:
      image: redis:alpine
      container_name: authentik-redis
      restart: unless-stopped
      healthcheck:
        test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
        start_period: 20s
        interval: 30s
        retries: 5
        timeout: 3s

    authentik:
      image: beryju/authentik
      container_name: authentik
      restart: unless-stopped
      command: server
      environment:
        AUTHENTIK_REDIS__HOST: authentik-redis
        AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
        AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
        AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
        AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
        # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
        # WORKERS: 2
      volumes:
        - ./authentik/media:/media
        - ./authentik/custom-templates:/templates
      env_file:
        - .env
      ports:
        - 9000:9000
        - 9443:9443

    authentik-worker:
      image: beryju/authentik
      container_name: authentik-worker
      restart: unless-stopped
      command: worker
      environment:
        AUTHENTIK_REDIS__HOST: authentik-redis
        AUTHENTIK_POSTGRESQL__HOST: authentik-postgresql
        AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
        AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
        AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
        # AUTHENTIK_ERROR_REPORTING__ENABLED: "true"
      volumes:
        - ./authentik/media:/media
        - ./authentik/certs:/certs
        - ./authentik/worker/custom-templates:/templates
      env_file:
        - .env

My .env file

PG_PASS=<REDACTED>
AUTHENTIK_SECRET_KEY=<REDACTED>

# SMTP Host Emails are sent to
AUTHENTIK_EMAIL__HOST=<REDACTED>
AUTHENTIK_EMAIL__PORT=25
# Optionally authenticate (don't add quotation marks to you password)
AUTHENTIK_EMAIL__USERNAME=noreply@<REDACTED>
AUTHENTIK_EMAIL__PASSWORD=<REDACTED>
# Use StartTLS
AUTHENTIK_EMAIL__USE_TLS=false
# Use SSL
AUTHENTIK_EMAIL__USE_SSL=true
AUTHENTIK_EMAIL__TIMEOUT=10
# Email address authentik will send from, should have a correct @domain
AUTHENTIK_EMAIL__FROM=noreply@<REDACTED>

AUTHENTIK_DISABLE_UPDATE_CHECK=true
AUTHENTIK_ERROR_REPORTING__ENABLED=false
AUTHENTIK_DISABLE_STARTUP_ANALYTICS=true

My docker-compose.yml is loosely based off of this. When using 2022.6.3 the issue isn't present so it seems like this is related to #3224.

[ghost]

@gopaljayanthi for a temporary solution, I guess you could roll back to an earlier version while the devs work on the issue

[BeryJu]

the {"event": "Forbidden: /api/v3/outposts/instances/", "level": "warning", "logger": "django.request", "timestamp": 1657535940.437195} error is caused by some system tasks not having run on a fresh install, check if there's any errors in your worker container/give that a restart, and also try kubectl exec -it deployment/authentik-worker -c authentik -- ak bootstrap_tasks

[BeryJu]

@Venem are you using the file:// prefix for any of the environment variables?

[ghost]

I don't think so. The .env and docker-compose.yml files I posted are pretty much the same as the ones I'm using on the server apart from the passwords/emails that are redacted

[BeryJu]

if you're getting the above permission error after an upgrade instead of a fresh install (at least that's what I'm understanding), please open a new issue as that should not happen at all

[ghost]

I'm on a fresh install. Sorry, I should've made it clearer.

[Wheels35]

while I am on unraid and running into other issues, I recently did a fresh install to try and solve those issues and this creeped up.
I looked at the worker logs and noticed a TON of errors all of a sudden, so I did a restart on the worker, while the main app was running and the main apps log cleared up and solved the problem. I then restarted both of them just for validation, and they both came back up fine after a reboot.

[gopaljayanthi]

@BeryJu {"event": "Failed to load GeoIP database", "exc": "FileNotFoundError(2, 'No such file or directory')", "level": "warning", "logger": "authentik.events.geo", "pid": 2286, "timestamp": "2022-07-13T04:51:50.930932"} is what I am seeing when i run kubectl exec -it deployment/authentik-worker -c authentik -- ak bootstrap_tasks @Venem which version is a wstable working one the images i am using now are image: docker.io/bitnami/postgresql:11.14.0-debian-10-r28
image: docker.io/bitnami/redis:6.2.6-debian-10-r97
image: ghcr.io/goauthentik/server:2022.7.2
image: ghcr.io/goauthentik/server:2022.7.2 also after restarting the pods I am not seeing the Failed to fetch outpost configuration error, now I am seeing a new error {"error":"context canceled","event":"failed to proxy to backend","level":"warning","logger":"authentik.router","timestamp":"2022-07-13T04:49:44Z"}

[ghost]

@gopaljayanthi 2022.6.3 seems to be the latest authentik version that works. If you're still running into issues on that version then try downgrading more or (if you haven't already) delete any files that the broken installation created.

[gopaljayanthi]

Thanks @Venem now i am bale to get to the login screnn with 2022.6.2 but after putting in email and password twice , I am seeing this error Request has been denied. Unknown error

[gopaljayanthi]

Reverted back 2022.7.2 and changed ingress class to nginx, added tls part with same hostname and a secret, added certmanager issuer, now the ui is comingup.

[ghost]

I would reopen since this bug does still need to be fixed. Reverting to an older version is only a temporary fix and this needs to be sorted

[gopaljayanthi]

i did reverted older version but the problem persisted. I changed back to latest version, then fixed the ingress and the problem went away.

[PierreSnell]

Sorry to bump this issue, but I did the same thing and stumble on this issue.

Straight from a new cluster, as per the doc :

1. Helm install with docs values
2. go to initial-setup
3. 404

I'm using Traefik to route auth.mydomain.com to the authentik-server (service).

Thanks in advance for any help.

[fmichaud]

Sorry to bump this issue, but I did the same thing and stumble on this issue.

Straight from a new cluster, as per the doc :

1. Helm install with docs values
2. go to initial-setup
3. 404

I'm using Traefik to route auth.mydomain.com to the authentik-server (service).

Thanks in advance for any help.

Same problem (same logs) after migration (2023.10 -> 2024.2). Revert doesn't work.
Please reopen this issue.