Add Authentik and oauth2-proxy support to noble cluster setup, including environment variables, playbook tags, and landing URLs. Update README and kustomization.yaml to reflect new OIDC integration, enhancing security and user authentication capabilities.
This commit is contained in:
Nikholas Pcenicni
@@ -0,0 +1,16 @@
|
||||
# Traefik ForwardAuth → oauth2-proxy (OIDC with Authentik). Reference from Ingress:
|
||||
# traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: forward-auth
|
||||
namespace: oauth2-proxy
|
||||
spec:
|
||||
forwardAuth:
|
||||
address: http://oauth2-proxy.oauth2-proxy.svc.cluster.local:4180/oauth2/auth
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- X-Forwarded-User
|
||||
- X-Forwarded-Email
|
||||
- X-Forwarded-Preferred-Username
|
||||
- X-Forwarded-Groups
|
||||
4
clusters/noble/bootstrap/oauth2-proxy/namespace.yaml
Normal file
4
clusters/noble/bootstrap/oauth2-proxy/namespace.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: oauth2-proxy
|
||||
47
clusters/noble/bootstrap/oauth2-proxy/values.yaml
Normal file
47
clusters/noble/bootstrap/oauth2-proxy/values.yaml
Normal file
@@ -0,0 +1,47 @@
|
||||
# oauth2-proxy — OIDC client to **Authentik** (not BasicAuth). Used with Traefik ForwardAuth
|
||||
# so apps without native OIDC (Prometheus, Alertmanager, Longhorn UI) still get a full OAuth code flow.
|
||||
#
|
||||
# Client id/secret/cookie-secret are created by Ansible (Kubernetes Secret + Helm values).
|
||||
#
|
||||
# helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests && helm repo update
|
||||
# kubectl apply -f clusters/noble/bootstrap/oauth2-proxy/namespace.yaml
|
||||
# helm upgrade --install oauth2-proxy oauth2-proxy/oauth2-proxy -n oauth2-proxy \
|
||||
# --version 10.4.3 -f clusters/noble/bootstrap/oauth2-proxy/values.yaml -f /path/to/extra.yaml --wait
|
||||
|
||||
config:
|
||||
# Populated by Ansible: Secret **oauth2-proxy-credentials** (keys client-id, client-secret, cookie-secret).
|
||||
existingSecret: oauth2-proxy-credentials
|
||||
clientID: oauth2-proxy
|
||||
clientSecret: ""
|
||||
cookieSecret: ""
|
||||
cookieName: _oauth2_proxy
|
||||
emailDomains: ["*"]
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
className: traefik
|
||||
path: /
|
||||
hosts:
|
||||
- oauth2.apps.noble.lab.pcenicni.dev
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
tls:
|
||||
- secretName: oauth2-apps-noble-tls
|
||||
hosts:
|
||||
- oauth2.apps.noble.lab.pcenicni.dev
|
||||
|
||||
extraArgs:
|
||||
provider: oidc
|
||||
skip-provider-button: "true"
|
||||
oidc-issuer-url: "https://auth.apps.noble.lab.pcenicni.dev/application/o/oauth2-proxy/"
|
||||
redirect-url: "https://oauth2.apps.noble.lab.pcenicni.dev/oauth2/callback"
|
||||
scope: "openid profile email groups"
|
||||
cookie-domain: ".apps.noble.lab.pcenicni.dev"
|
||||
whitelist-domain: ".apps.noble.lab.pcenicni.dev"
|
||||
set-authorization-header: "true"
|
||||
pass-access-token: "false"
|
||||
reverse-proxy: "true"
|
||||
upstream: static://200
|
||||
|
||||
service:
|
||||
portNumber: 4180
|
||||
Reference in New Issue
Block a user