Implement S3 media storage for Authentik by adding configuration options for a dedicated S3 bucket and credentials. Update README and default values to clarify usage and requirements for S3 integration, ensuring compatibility with Velero settings. Enhance Ansible tasks to load S3 configurations from the environment.
@@ -215,3 +215,137 @@
|
||||
- noble_authentik_cs_cookie_from_env is defined
|
||||
- (noble_authentik_cs_cookie_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
# --- S3 media (reuse Velero endpoint + AWS keys from .env unless Authentik-specific vars are set) ---
|
||||
- name: Load NOBLE_AUTHENTIK_MEDIA_S3_BUCKET from .env when unset
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
printf '%s' "${NOBLE_AUTHENTIK_MEDIA_S3_BUCKET:-}"
|
||||
register: noble_authentik_media_s3_bucket_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
- noble_authentik_media_s3_bucket | default('') | length == 0
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply NOBLE_AUTHENTIK_MEDIA_S3_BUCKET from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_authentik_media_s3_bucket: "{{ noble_authentik_media_s3_bucket_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_authentik_media_s3_bucket_from_env is defined
|
||||
- (noble_authentik_media_s3_bucket_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Resolve Authentik S3 endpoint from .env (Authentik-specific URL or Velero S3 URL)
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
if [ -n "${NOBLE_AUTHENTIK_S3_URL:-}" ]; then printf '%s' "${NOBLE_AUTHENTIK_S3_URL}"
|
||||
elif [ -n "${NOBLE_VELERO_S3_URL:-}" ]; then printf '%s' "${NOBLE_VELERO_S3_URL}"
|
||||
else printf ''
|
||||
fi
|
||||
register: noble_authentik_s3_endpoint_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
- noble_authentik_s3_endpoint | default('') | length == 0
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply resolved Authentik S3 endpoint from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_authentik_s3_endpoint: "{{ noble_authentik_s3_endpoint_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_authentik_s3_endpoint_from_env is defined
|
||||
- (noble_authentik_s3_endpoint_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Resolve Authentik S3 access key from .env (override or Velero AWS key)
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
if [ -n "${NOBLE_AUTHENTIK_S3_ACCESS_KEY:-}" ]; then printf '%s' "${NOBLE_AUTHENTIK_S3_ACCESS_KEY}"
|
||||
elif [ -n "${NOBLE_VELERO_AWS_ACCESS_KEY_ID:-}" ]; then printf '%s' "${NOBLE_VELERO_AWS_ACCESS_KEY_ID}"
|
||||
else printf ''
|
||||
fi
|
||||
register: noble_authentik_s3_access_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
- noble_authentik_s3_access_key | default('') | length == 0
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply resolved Authentik S3 access key from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_authentik_s3_access_key: "{{ noble_authentik_s3_access_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_authentik_s3_access_from_env is defined
|
||||
- (noble_authentik_s3_access_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Resolve Authentik S3 secret key from .env (override or Velero AWS secret)
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
if [ -n "${NOBLE_AUTHENTIK_S3_SECRET_KEY:-}" ]; then printf '%s' "${NOBLE_AUTHENTIK_S3_SECRET_KEY}"
|
||||
elif [ -n "${NOBLE_VELERO_AWS_SECRET_ACCESS_KEY:-}" ]; then printf '%s' "${NOBLE_VELERO_AWS_SECRET_ACCESS_KEY}"
|
||||
else printf ''
|
||||
fi
|
||||
register: noble_authentik_s3_secret_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
- noble_authentik_s3_secret_key | default('') | length == 0
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply resolved Authentik S3 secret key from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_authentik_s3_secret_key: "{{ noble_authentik_s3_secret_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_authentik_s3_secret_from_env is defined
|
||||
- (noble_authentik_s3_secret_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Load NOBLE_AUTHENTIK_S3_REGION from .env when set
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
printf '%s' "${NOBLE_AUTHENTIK_S3_REGION:-}"
|
||||
register: noble_authentik_s3_region_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply NOBLE_AUTHENTIK_S3_REGION from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_authentik_s3_region: "{{ noble_authentik_s3_region_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_authentik_s3_region_from_env is defined
|
||||
- (noble_authentik_s3_region_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
- name: Load NOBLE_AUTHENTIK_S3_ADDRESSING_STYLE from .env when set
|
||||
ansible.builtin.shell: |
|
||||
set -a
|
||||
. "{{ noble_repo_root }}/.env"
|
||||
set +a
|
||||
printf '%s' "${NOBLE_AUTHENTIK_S3_ADDRESSING_STYLE:-}"
|
||||
register: noble_authentik_s3_addr_from_env
|
||||
when:
|
||||
- noble_authentik_dotenv_stat.stat.exists | default(false)
|
||||
changed_when: false
|
||||
no_log: true
|
||||
|
||||
- name: Apply NOBLE_AUTHENTIK_S3_ADDRESSING_STYLE from .env
|
||||
ansible.builtin.set_fact:
|
||||
noble_authentik_s3_addressing_style: "{{ noble_authentik_s3_addr_from_env.stdout | trim }}"
|
||||
when:
|
||||
- noble_authentik_s3_addr_from_env is defined
|
||||
- (noble_authentik_s3_addr_from_env.stdout | default('') | trim | length) > 0
|
||||
no_log: true
|
||||
|
||||
@@ -26,6 +26,19 @@
|
||||
fail_msg: >-
|
||||
Authentik requires secrets in .env (see ansible/roles/noble_authentik/README.md) or matching -e extra-vars.
|
||||
|
||||
- name: Require Authentik S3 media settings (same endpoint/keys as Velero; dedicated bucket)
|
||||
ansible.builtin.assert:
|
||||
that:
|
||||
- noble_authentik_media_s3_bucket | default('') | length > 0
|
||||
- noble_authentik_s3_endpoint | default('') | length > 0
|
||||
- noble_authentik_s3_access_key | default('') | length > 0
|
||||
- noble_authentik_s3_secret_key | default('') | length > 0
|
||||
fail_msg: >-
|
||||
Set NOBLE_AUTHENTIK_MEDIA_S3_BUCKET (dedicated bucket for media, not the Velero backup bucket).
|
||||
For S3 URL and keys, set NOBLE_AUTHENTIK_S3_URL / NOBLE_AUTHENTIK_S3_ACCESS_KEY / NOBLE_AUTHENTIK_S3_SECRET_KEY,
|
||||
or reuse Velero's NOBLE_VELERO_S3_URL and NOBLE_VELERO_AWS_ACCESS_KEY_ID / NOBLE_VELERO_AWS_SECRET_ACCESS_KEY
|
||||
in .env (see .env.sample and clusters/noble/bootstrap/velero/README.md).
|
||||
|
||||
- name: Ensure Ansible temp dir for rendered Helm values
|
||||
ansible.builtin.file:
|
||||
path: "{{ noble_repo_root }}/ansible/.ansible-tmp"
|
||||
|
||||