gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
78b524a044aedea9ccfb4bca59ba1b09b7396a81
home-server/ansible/roles/noble_authentik/tasks/main.yml

303 lines
11 KiB
YAML
Raw Blame History

---
- name: Authentik disabled (set noble_authentik_install=true and .env — see role README)
ansible.builtin.debug:
msg: "Skipping noble_authentik (noble_authentik_install is false)."
when: not (noble_authentik_install | default(false) | bool)
- name: Authentik + OIDC stack
when: noble_authentik_install | default(false) | bool
block:
- name: Include Authentik secrets from .env
ansible.builtin.include_tasks: from_env.yml
- name: Require Authentik secrets and bootstrap settings
ansible.builtin.assert:
that:
- noble_authentik_secret_key | default('') | length > 0
- noble_authentik_postgresql_password | default('') | length > 0
- noble_authentik_bootstrap_token | default('') | length > 0
- noble_authentik_bootstrap_email | default('') | length > 0
- noble_authentik_bootstrap_password | default('') | length > 0
- noble_authentik_client_secret_argocd | default('') | length > 0
- noble_authentik_client_secret_grafana | default('') | length > 0
- noble_authentik_client_secret_headlamp | default('') | length > 0
- noble_authentik_client_secret_oauth2_proxy | default('') | length > 0
- noble_authentik_oauth2_proxy_cookie_secret | default('') | length > 0
fail_msg: >-
Authentik requires secrets in .env (see ansible/roles/noble_authentik/README.md) or matching -e extra-vars.
- name: Ensure Ansible temp dir for rendered Helm values
ansible.builtin.file:
path: "{{ noble_repo_root }}/ansible/.ansible-tmp"
state: directory
mode: "0700"
- name: Render Authentik Helm extra values (secrets)
ansible.builtin.template:
src: authentik-extra-values.yaml.j2
dest: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-extra-values.yaml"
mode: "0600"
no_log: true
- name: Apply Authentik and oauth2-proxy namespaces
ansible.builtin.command:
argv:
- kubectl
- apply
- -f
- "{{ noble_repo_root }}/clusters/noble/bootstrap/authentik/namespace.yaml"
- -f
- "{{ noble_repo_root }}/clusters/noble/bootstrap/oauth2-proxy/namespace.yaml"
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
changed_when: true
- name: Install Authentik (Helm)
ansible.builtin.command:
argv:
- helm
- upgrade
- --install
- authentik
- goauthentik/authentik
- --namespace
- authentik
- --version
- "{{ noble_authentik_chart_version }}"
- -f
- "{{ noble_repo_root }}/clusters/noble/bootstrap/authentik/values.yaml"
- -f
- "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-extra-values.yaml"
- --force-conflicts
- --wait
- --timeout
- "{{ noble_authentik_helm_wait_timeout }}"
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
changed_when: true
- name: Wait for authentik server rollout
ansible.builtin.command:
argv:
- kubectl
- rollout
- status
- deployment/authentik-server
- -n
- authentik
- --timeout=15m
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
changed_when: false
- name: Render Authentik API client descriptor (JSON)
ansible.builtin.template:
src: authentik-clients.json.j2
dest: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-clients.json"
mode: "0600"
no_log: true
- name: Configure Authentik OAuth2/OIDC providers (API)
ansible.builtin.command:
argv:
- python3
- "{{ role_path }}/files/configure_authentik.py"
environment:
AUTHENTIK_API_BASE: "{{ noble_authentik_api_base }}"
AUTHENTIK_TOKEN: "{{ noble_authentik_bootstrap_token }}"
BOOTSTRAP_EMAIL: "{{ noble_authentik_bootstrap_email }}"
CLIENT_JSON: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-clients.json"
when: noble_authentik_configure_idp | default(true) | bool
changed_when: true
no_log: true
- name: Create argocd namespace Secret for OIDC client (Argo CD $authentik-oidc:clientSecret)
ansible.builtin.shell: |
set -euo pipefail
kubectl -n argocd create secret generic authentik-oidc \
--from-literal=clientSecret="${ARGOCD_OIDC_SECRET}" \
--dry-run=client -o yaml | kubectl apply -f -
kubectl -n argocd label secret authentik-oidc app.kubernetes.io/part-of=argocd --overwrite
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
ARGOCD_OIDC_SECRET: "{{ noble_authentik_client_secret_argocd }}"
no_log: true
changed_when: true
- name: Create Grafana OIDC client secret (GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET)
ansible.builtin.shell: |
set -euo pipefail
kubectl -n monitoring create secret generic authentik-grafana-oauth \
--from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="${GRAFANA_OIDC_SECRET}" \
--dry-run=client -o yaml | kubectl apply -f -
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
GRAFANA_OIDC_SECRET: "{{ noble_authentik_client_secret_grafana }}"
no_log: true
changed_when: true
- name: Create Headlamp OIDC env secret (OIDC_* env vars)
ansible.builtin.shell: |
set -euo pipefail
kubectl -n headlamp create secret generic headlamp-oidc \
--from-literal=OIDC_CLIENT_ID="{{ noble_authentik_client_id_headlamp }}" \
--from-literal=OIDC_CLIENT_SECRET="${HEADLAMP_OIDC_SECRET}" \
--from-literal=OIDC_ISSUER_URL="{{ noble_authentik_public_url }}/application/o/headlamp/" \
--from-literal=OIDC_SCOPES="openid profile email groups offline_access" \
--from-literal=OIDC_CALLBACK_URL="https://headlamp.apps.noble.lab.pcenicni.dev/oidc-callback" \
--from-literal=OIDC_USE_PKCE="true" \
--dry-run=client -o yaml | kubectl apply -f -
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
HEADLAMP_OIDC_SECRET: "{{ noble_authentik_client_secret_headlamp }}"
no_log: true
changed_when: true
- name: Create oauth2-proxy credentials Secret (OIDC to Authentik; not BasicAuth)
ansible.builtin.shell: |
set -euo pipefail
kubectl -n oauth2-proxy create secret generic oauth2-proxy-credentials \
--from-literal=client-id="{{ noble_authentik_client_id_oauth2_proxy }}" \
--from-literal=client-secret="${O2_CLIENT_SECRET}" \
--from-literal=cookie-secret="${O2_COOKIE_SECRET}" \
--dry-run=client -o yaml | kubectl apply -f -
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
O2_CLIENT_SECRET: "{{ noble_authentik_client_secret_oauth2_proxy }}"
O2_COOKIE_SECRET: "{{ noble_authentik_oauth2_proxy_cookie_secret }}"
no_log: true
changed_when: true
- name: Install oauth2-proxy (Helm) — OIDC provider Authentik
ansible.builtin.command:
argv:
- helm
- upgrade
- --install
- oauth2-proxy
- oauth2-proxy/oauth2-proxy
- --namespace
- oauth2-proxy
- --version
- "{{ noble_authentik_oauth2_proxy_chart_version }}"
- -f
- "{{ noble_repo_root }}/clusters/noble/bootstrap/oauth2-proxy/values.yaml"
- --force-conflicts
- --wait
- --timeout
- 10m
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
changed_when: true
- name: Apply Traefik ForwardAuth Middleware (references oauth2-proxy OIDC session)
ansible.builtin.command:
argv:
- kubectl
- apply
- -f
- "{{ noble_repo_root }}/clusters/noble/bootstrap/oauth2-proxy/middleware-forwardauth.yaml"
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
changed_when: true
- name: Helm upgrade Argo CD with Authentik OIDC values
ansible.builtin.command:
argv:
- helm
- upgrade
- --install
- argocd
- argo/argo-cd
- --namespace
- argocd
- --version
- "{{ noble_authentik_argocd_chart_version }}"
- -f
- "{{ noble_repo_root }}/clusters/noble/bootstrap/argocd/values.yaml"
- -f
- "{{ noble_repo_root }}/clusters/noble/bootstrap/argocd/values-authentik-oidc.yaml"
- --force-conflicts
- --wait
- --timeout
- 15m
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
changed_when: true
- name: Helm upgrade kube-prometheus-stack (Grafana OIDC + ForwardAuth on Prom/AM)
ansible.builtin.command:
argv:
- helm
- upgrade
- --install
- kube-prometheus
- prometheus-community/kube-prometheus-stack
- -n
- monitoring
- --version
- "{{ noble_authentik_kube_prometheus_chart_version }}"
- -f
- "{{ noble_repo_root }}/clusters/noble/bootstrap/kube-prometheus-stack/values.yaml"
- -f
- "{{ noble_repo_root }}/clusters/noble/bootstrap/kube-prometheus-stack/values-authentik-oidc.yaml"
- --force-conflicts
- --wait
- --timeout
- "{{ noble_authentik_kube_prometheus_helm_wait_timeout }}"
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
changed_when: true
- name: Helm upgrade Headlamp with Authentik OIDC values
ansible.builtin.command:
argv:
- helm
- upgrade
- --install
- headlamp
- headlamp/headlamp
- --version
- "{{ noble_authentik_headlamp_chart_version }}"
- -n
- headlamp
- -f
- "{{ noble_repo_root }}/clusters/noble/bootstrap/headlamp/values.yaml"
- -f
- "{{ noble_repo_root }}/clusters/noble/bootstrap/headlamp/values-authentik-oidc.yaml"
- --force-conflicts
- --wait
- --timeout
- 10m
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
changed_when: true
- name: Helm upgrade Longhorn with ForwardAuth (oauth2-proxy OIDC)
ansible.builtin.command:
argv:
- helm
- upgrade
- --install
- longhorn
- longhorn/longhorn
- -n
- longhorn-system
- --version
- "{{ noble_authentik_longhorn_chart_version }}"
- -f
- "{{ noble_repo_root }}/clusters/noble/bootstrap/longhorn/values.yaml"
- -f
- "{{ noble_repo_root }}/clusters/noble/bootstrap/longhorn/values-authentik-forwardauth.yaml"
- --force-conflicts
- --wait
- --timeout
- "{{ noble_helm_longhorn_wait_timeout | default('20m') }}"
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
register: noble_authentik_longhorn_helm
retries: "{{ noble_helm_longhorn_retries | default(8) | int }}"
delay: "{{ noble_helm_longhorn_retry_delay | default(25) | int }}"
until: noble_authentik_longhorn_helm.rc == 0
changed_when: true
Reference in New Issue View Git Blame Copy Permalink