Add Authentik and oauth2-proxy support to noble cluster setup, including environment variables, playbook tags, and landing URLs. Update README and kustomization.yaml to reflect new OIDC integration, enhancing security and user authentication capabilities.

2026-05-14 00:23:48 -04:00
parent 2bf7277917
commit 78b524a044
25 changed files with 1125 additions and 7 deletions
--- a/clusters/noble/bootstrap/oauth2-proxy/values.yaml
+++ b/clusters/noble/bootstrap/oauth2-proxy/values.yaml
@@ -0,0 +1,47 @@
+# oauth2-proxy — OIDC client to **Authentik** (not BasicAuth). Used with Traefik ForwardAuth
+# so apps without native OIDC (Prometheus, Alertmanager, Longhorn UI) still get a full OAuth code flow.
+#
+# Client id/secret/cookie-secret are created by Ansible (Kubernetes Secret + Helm values).
+#
+# helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests && helm repo update
+# kubectl apply -f clusters/noble/bootstrap/oauth2-proxy/namespace.yaml
+# helm upgrade --install oauth2-proxy oauth2-proxy/oauth2-proxy -n oauth2-proxy \
+#   --version 10.4.3 -f clusters/noble/bootstrap/oauth2-proxy/values.yaml -f /path/to/extra.yaml --wait
+
+config:
+  # Populated by Ansible: Secret **oauth2-proxy-credentials** (keys client-id, client-secret, cookie-secret).
+  existingSecret: oauth2-proxy-credentials
+  clientID: oauth2-proxy
+  clientSecret: ""
+  cookieSecret: ""
+  cookieName: _oauth2_proxy
+  emailDomains: ["*"]
+
+ingress:
+  enabled: true
+  className: traefik
+  path: /
+  hosts:
+    - oauth2.apps.noble.lab.pcenicni.dev
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  tls:
+    - secretName: oauth2-apps-noble-tls
+      hosts:
+        - oauth2.apps.noble.lab.pcenicni.dev
+
+extraArgs:
+  provider: oidc
+  skip-provider-button: "true"
+  oidc-issuer-url: "https://auth.apps.noble.lab.pcenicni.dev/application/o/oauth2-proxy/"
+  redirect-url: "https://oauth2.apps.noble.lab.pcenicni.dev/oauth2/callback"
+  scope: "openid profile email groups"
+  cookie-domain: ".apps.noble.lab.pcenicni.dev"
+  whitelist-domain: ".apps.noble.lab.pcenicni.dev"
+  set-authorization-header: "true"
+  pass-access-token: "false"
+  reverse-proxy: "true"
+  upstream: static://200
+
+service:
+  portNumber: 4180