Implement S3 media storage for Authentik by adding configuration options for dedicated S3 bucket and credentials. Update README and default values to clarify usage and requirements for S3 integration, ensuring compatibility with Velero settings. Enhance Ansible tasks to load S3 configurations from the environment.
This commit is contained in:
Nikholas Pcenicni
@@ -14,6 +14,10 @@ Installs **Authentik** (Helm `goauthentik/authentik`) as the cluster IdP, **oaut
|
||||
|
||||
See **`defaults/main.yml`**. Hostnames default to **`auth.apps.noble.lab.pcenicni.dev`** and **`oauth2.apps.noble.lab.pcenicni.dev`**. **`noble_authentik_ensure_admin_ui_access`** (default **true**) re-applies **authentik Admins** superuser membership via the worker on each **`--tags authentik`** run so the admin UI keeps working under **2026+** RBAC.
|
||||
|
||||
### S3 media (avatars, flows, uploads)
|
||||
|
||||
Authentik stores file-backed data in **S3** (not a shared PVC on **`authentik-worker`**). Set **`NOBLE_AUTHENTIK_MEDIA_S3_BUCKET`** in **`.env`** to a **dedicated** bucket name (do **not** reuse the Velero backup bucket). **`NOBLE_VELERO_S3_URL`**, **`NOBLE_VELERO_AWS_ACCESS_KEY_ID`**, and **`NOBLE_VELERO_AWS_SECRET_ACCESS_KEY`** are reused automatically when the Authentik-specific S3 variables are unset; override with **`NOBLE_AUTHENTIK_S3_URL`** / **`NOBLE_AUTHENTIK_S3_ACCESS_KEY`** / **`NOBLE_AUTHENTIK_S3_SECRET_KEY`** if needed. Optional: **`NOBLE_AUTHENTIK_S3_REGION`** (defaults to **`us-east-1`** in Ansible), **`NOBLE_AUTHENTIK_S3_ADDRESSING_STYLE`** (**`path`** vs **`virtual`** for some gateways). Create the bucket and grant the same credentials **read/write** to that bucket only. For browser uploads and public assets, follow [Authentik — S3 storage](https://docs.goauthentik.io/sys-mgmt/ops/storage-s3/) (CORS and policies). If you previously used a PVC for **`/data`**, sync into the new bucket (for example **`aws s3 sync`** from a volume snapshot or old mount) before relying on S3-only.
|
||||
|
||||
### Extra public hostname (Pangolin + Newt, same Authentik)
|
||||
|
||||
To expose the **same** Authentik instance on an **internet-facing** FQDN (while keeping the lab name on Traefik), set **`noble_authentik_ingress_extra_hosts`** in **`ansible/inventory/group_vars/all.yml`** (or **`-e`**) to a list of extra FQDNs, for example **`auth.example.com`**. Re-run **`ansible-playbook playbooks/noble.yml --tags authentik`**. Ansible extends **`server.ingress.hosts`** and **`tls[0].hosts`** so **cert-manager** issues one certificate with SANs for the primary **`noble_authentik_host`** plus those names (DNS must resolve for your issuer — often **Cloudflare** for public names, split horizon for lab).
|
||||
|
||||
@@ -28,6 +28,15 @@ noble_authentik_ingress_extra_hosts: []
|
||||
|
||||
noble_authentik_oauth2_proxy_host: oauth2.apps.noble.lab.pcenicni.dev
|
||||
|
||||
# Media: **S3** via Ansible **`global.env`** (same S3 **URL** + **access keys** as **Velero** when you omit Authentik-specific overrides).
|
||||
# Set **`NOBLE_AUTHENTIK_MEDIA_S3_BUCKET`** to a **dedicated** bucket (do not use the Velero backup bucket).
|
||||
noble_authentik_media_s3_bucket: ""
|
||||
noble_authentik_s3_endpoint: ""
|
||||
noble_authentik_s3_access_key: ""
|
||||
noble_authentik_s3_secret_key: ""
|
||||
noble_authentik_s3_region: "us-east-1"
|
||||
noble_authentik_s3_addressing_style: "path"
|
||||
|
||||
# OIDC client ids (must match Authentik providers created by configure script)
|
||||
noble_authentik_client_id_argocd: argocd
|
||||
noble_authentik_client_id_grafana: grafana
|
||||
|
||||
@@ -215,3 +215,137 @@
|
||||
- noble_authentik_cs_cookie_from_env is defined
|
||||
- (noble_authentik_cs_cookie_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
# --- S3 media (reuse Velero endpoint + AWS keys from .env unless Authentik-specific vars are set) ---
|
||||
- name: Load NOBLE_AUTHENTIK_MEDIA_S3_BUCKET from .env when unset
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
printf '%s' "${NOBLE_AUTHENTIK_MEDIA_S3_BUCKET:-}"
|
||||
register: noble_authentik_media_s3_bucket_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
- noble_authentik_media_s3_bucket | default('') | length == 0
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply NOBLE_AUTHENTIK_MEDIA_S3_BUCKET from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_authentik_media_s3_bucket: "{{ noble_authentik_media_s3_bucket_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_authentik_media_s3_bucket_from_env is defined
|
||||
- (noble_authentik_media_s3_bucket_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Resolve Authentik S3 endpoint from .env (Authentik-specific URL or Velero S3 URL)
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
if [ -n "${NOBLE_AUTHENTIK_S3_URL:-}" ]; then printf '%s' "${NOBLE_AUTHENTIK_S3_URL}"
|
||||
elif [ -n "${NOBLE_VELERO_S3_URL:-}" ]; then printf '%s' "${NOBLE_VELERO_S3_URL}"
|
||||
else printf ''
|
||||
fi
|
||||
register: noble_authentik_s3_endpoint_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
- noble_authentik_s3_endpoint | default('') | length == 0
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply resolved Authentik S3 endpoint from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_authentik_s3_endpoint: "{{ noble_authentik_s3_endpoint_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_authentik_s3_endpoint_from_env is defined
|
||||
- (noble_authentik_s3_endpoint_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Resolve Authentik S3 access key from .env (override or Velero AWS key)
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
if [ -n "${NOBLE_AUTHENTIK_S3_ACCESS_KEY:-}" ]; then printf '%s' "${NOBLE_AUTHENTIK_S3_ACCESS_KEY}"
|
||||
elif [ -n "${NOBLE_VELERO_AWS_ACCESS_KEY_ID:-}" ]; then printf '%s' "${NOBLE_VELERO_AWS_ACCESS_KEY_ID}"
|
||||
else printf ''
|
||||
fi
|
||||
register: noble_authentik_s3_access_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
- noble_authentik_s3_access_key | default('') | length == 0
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply resolved Authentik S3 access key from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_authentik_s3_access_key: "{{ noble_authentik_s3_access_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_authentik_s3_access_from_env is defined
|
||||
- (noble_authentik_s3_access_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Resolve Authentik S3 secret key from .env (override or Velero AWS secret)
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
if [ -n "${NOBLE_AUTHENTIK_S3_SECRET_KEY:-}" ]; then printf '%s' "${NOBLE_AUTHENTIK_S3_SECRET_KEY}"
|
||||
elif [ -n "${NOBLE_VELERO_AWS_SECRET_ACCESS_KEY:-}" ]; then printf '%s' "${NOBLE_VELERO_AWS_SECRET_ACCESS_KEY}"
|
||||
else printf ''
|
||||
fi
|
||||
register: noble_authentik_s3_secret_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
- noble_authentik_s3_secret_key | default('') | length == 0
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply resolved Authentik S3 secret key from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_authentik_s3_secret_key: "{{ noble_authentik_s3_secret_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_authentik_s3_secret_from_env is defined
|
||||
- (noble_authentik_s3_secret_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Load NOBLE_AUTHENTIK_S3_REGION from .env when set
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
printf '%s' "${NOBLE_AUTHENTIK_S3_REGION:-}"
|
||||
register: noble_authentik_s3_region_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply NOBLE_AUTHENTIK_S3_REGION from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_authentik_s3_region: "{{ noble_authentik_s3_region_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_authentik_s3_region_from_env is defined
|
||||
- (noble_authentik_s3_region_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Load NOBLE_AUTHENTIK_S3_ADDRESSING_STYLE from .env when set
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
printf '%s' "${NOBLE_AUTHENTIK_S3_ADDRESSING_STYLE:-}"
|
||||
register: noble_authentik_s3_addr_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply NOBLE_AUTHENTIK_S3_ADDRESSING_STYLE from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_authentik_s3_addressing_style: "{{ noble_authentik_s3_addr_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_authentik_s3_addr_from_env is defined
|
||||
- (noble_authentik_s3_addr_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
@@ -26,6 +26,19 @@
|
||||
fail_msg: >-
|
||||
Authentik requires secrets in .env (see ansible/roles/noble_authentik/README.md) or matching -e extra-vars.
|
||||
|
||||
- name: Require Authentik S3 media settings (same endpoint/keys as Velero; dedicated bucket)
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- noble_authentik_media_s3_bucket | default('') | length > 0
|
||||
- noble_authentik_s3_endpoint | default('') | length > 0
|
||||
- noble_authentik_s3_access_key | default('') | length > 0
|
||||
- noble_authentik_s3_secret_key | default('') | length > 0
|
||||
fail_msg: >-
|
||||
Set NOBLE_AUTHENTIK_MEDIA_S3_BUCKET (dedicated bucket for media, not the Velero backup bucket).
|
||||
For S3 URL and keys, set NOBLE_AUTHENTIK_S3_URL / NOBLE_AUTHENTIK_S3_ACCESS_KEY / NOBLE_AUTHENTIK_S3_SECRET_KEY,
|
||||
or reuse Velero's NOBLE_VELERO_S3_URL and NOBLE_VELERO_AWS_ACCESS_KEY_ID / NOBLE_VELERO_AWS_SECRET_ACCESS_KEY
|
||||
in .env (see .env.sample and clusters/noble/bootstrap/velero/README.md).
|
||||
|
||||
- name: Ensure Ansible temp dir for rendered Helm values
|
||||
ansible.builtin.file:
|
||||
path: "{{ noble_repo_root }}/ansible/.ansible-tmp"
|
||||
|
||||
@@ -11,6 +11,20 @@ global:
|
||||
value: "{{ noble_authentik_bootstrap_email }}"
|
||||
- name: AUTHENTIK_BOOTSTRAP_PASSWORD
|
||||
value: "{{ noble_authentik_bootstrap_password }}"
|
||||
- name: AUTHENTIK_STORAGE__BACKEND
|
||||
value: "s3"
|
||||
- name: AUTHENTIK_STORAGE__S3__BUCKET_NAME
|
||||
value: "{{ noble_authentik_media_s3_bucket }}"
|
||||
- name: AUTHENTIK_STORAGE__S3__ENDPOINT
|
||||
value: "{{ noble_authentik_s3_endpoint }}"
|
||||
- name: AUTHENTIK_STORAGE__S3__ACCESS_KEY
|
||||
value: "{{ noble_authentik_s3_access_key }}"
|
||||
- name: AUTHENTIK_STORAGE__S3__SECRET_KEY
|
||||
value: "{{ noble_authentik_s3_secret_key }}"
|
||||
- name: AUTHENTIK_STORAGE__S3__REGION
|
||||
value: "{{ noble_authentik_s3_region }}"
|
||||
- name: AUTHENTIK_STORAGE__S3__ADDRESSING_STYLE
|
||||
value: "{{ noble_authentik_s3_addressing_style }}"
|
||||
postgresql:
|
||||
auth:
|
||||
password: "{{ noble_authentik_postgresql_password }}"
|
||||
|
||||
Reference in New Issue
Block a user