outposts: make AUTHENTIK_HOST_BROWSER configurable from central config
closes #1471 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
05db9e5c40
commit
b248f450dd
|
@ -38,6 +38,7 @@ class DockerController(BaseController):
|
||||||
"AUTHENTIK_HOST": self.outpost.config.authentik_host.lower(),
|
"AUTHENTIK_HOST": self.outpost.config.authentik_host.lower(),
|
||||||
"AUTHENTIK_INSECURE": str(self.outpost.config.authentik_host_insecure).lower(),
|
"AUTHENTIK_INSECURE": str(self.outpost.config.authentik_host_insecure).lower(),
|
||||||
"AUTHENTIK_TOKEN": self.outpost.token.key,
|
"AUTHENTIK_TOKEN": self.outpost.token.key,
|
||||||
|
"AUTHENTIK_HOST_BROWSER": self.outpost.config.authentik_host_browser,
|
||||||
}
|
}
|
||||||
|
|
||||||
def _comp_env(self, container: Container) -> bool:
|
def _comp_env(self, container: Container) -> bool:
|
||||||
|
@ -215,6 +216,7 @@ class DockerController(BaseController):
|
||||||
"AUTHENTIK_HOST": self.outpost.config.authentik_host,
|
"AUTHENTIK_HOST": self.outpost.config.authentik_host,
|
||||||
"AUTHENTIK_INSECURE": str(self.outpost.config.authentik_host_insecure),
|
"AUTHENTIK_INSECURE": str(self.outpost.config.authentik_host_insecure),
|
||||||
"AUTHENTIK_TOKEN": self.outpost.token.key,
|
"AUTHENTIK_TOKEN": self.outpost.token.key,
|
||||||
|
"AUTHENTIK_HOST_BROWSER": self.outpost.config.authentik_host_browser,
|
||||||
},
|
},
|
||||||
"labels": self._get_labels(),
|
"labels": self._get_labels(),
|
||||||
}
|
}
|
||||||
|
|
|
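Review bot: The outpost environment is now spelled out in two places, the dict that ends just before `_comp_env` and the one in the second hunk, and the new key had to be added to both by hand. The two copies already differ: the first lowercases `AUTHENTIK_HOST` and `AUTHENTIK_INSECURE`, the second does not, and `AUTHENTIK_HOST_BROWSER` is passed through unmodified in both. If the first dict is the reference that `_comp_env` compares against (its body is outside the hunk), building the container environment from that same mapping would keep the comparison and the created container from drifting. Both enclosing functions start outside the visible lines.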
@ -89,6 +89,15 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
|
||||||
)
|
)
|
||||||
),
|
),
|
||||||
),
|
),
|
||||||
|
V1EnvVar(
|
||||||
|
name="AUTHENTIK_HOST_BROWSER",
|
||||||
|
value_from=V1EnvVarSource(
|
||||||
|
secret_key_ref=V1SecretKeySelector(
|
||||||
|
name=self.name,
|
||||||
|
key="authentik_host_browser",
|
||||||
|
)
|
||||||
|
),
|
||||||
|
),
|
||||||
V1EnvVar(
|
V1EnvVar(
|
||||||
name="AUTHENTIK_TOKEN",
|
name="AUTHENTIK_TOKEN",
|
||||||
value_from=V1EnvVarSource(
|
value_from=V1EnvVarSource(
|
||||||
|
|
|
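Review bot: The new `V1SecretKeySelector` for `authentik_host_browser` is a required reference, so a pod created while the Secret still lacks that key will fail to start with a config error. The setting is optional by design, so I would mark the selector accordingly: `key="authentik_host_browser", optional=True,`. Whether the Secret is always reconciled before the Deployment is not visible in this hunk; if that ordering is guaranteed, a short comment saying so would do instead.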
@ -26,7 +26,7 @@ class SecretReconciler(KubernetesObjectReconciler[V1Secret]):
|
||||||
def reconcile(self, current: V1Secret, reference: V1Secret):
|
def reconcile(self, current: V1Secret, reference: V1Secret):
|
||||||
super().reconcile(current, reference)
|
super().reconcile(current, reference)
|
||||||
for key in reference.data.keys():
|
for key in reference.data.keys():
|
||||||
if current.data[key] != reference.data[key]:
|
if key not in current.data or current.data[key] != reference.data[key]:
|
||||||
raise NeedsUpdate()
|
raise NeedsUpdate()
|
||||||
|
|
||||||
def get_reference_object(self) -> V1Secret:
|
def get_reference_object(self) -> V1Secret:
|
||||||
|
@ -40,6 +40,9 @@ class SecretReconciler(KubernetesObjectReconciler[V1Secret]):
|
||||||
str(self.controller.outpost.config.authentik_host_insecure)
|
str(self.controller.outpost.config.authentik_host_insecure)
|
||||||
),
|
),
|
||||||
"token": b64string(self.controller.outpost.token.key),
|
"token": b64string(self.controller.outpost.token.key),
|
||||||
|
"authentik_host_browser": b64string(
|
||||||
|
self.controller.outpost.config.authentik_host_browser
|
||||||
|
),
|
||||||
},
|
},
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
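Review bot: In `reconcile`, the added `key not in current.data` test assumes `current.data` is a mapping. The Kubernetes client model allows `data` to be `None` for a Secret that exists without any data, which would raise `TypeError` here instead of `NeedsUpdate`. Setting `current_data = current.data or {}` before the loop and comparing with `current_data.get(key) != reference.data[key]` covers both the missing-key and the empty-Secret case. The loop also walks only the reference keys, so a key that was dropped from the reference stays in the live Secret unnoticed; worth a comment if that is intended.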
@ -64,6 +64,7 @@ class OutpostConfig:
|
||||||
|
|
||||||
authentik_host: str = ""
|
authentik_host: str = ""
|
||||||
authentik_host_insecure: bool = False
|
authentik_host_insecure: bool = False
|
||||||
|
authentik_host_browser: str = ""
|
||||||
|
|
||||||
log_level: str = CONFIG.y("log_level")
|
log_level: str = CONFIG.y("log_level")
|
||||||
error_reporting_enabled: bool = CONFIG.y_bool("error_reporting.enabled")
|
error_reporting_enabled: bool = CONFIG.y_bool("error_reporting.enabled")
|
||||||
|
|
|
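Review bot: `authentik_host_browser` has no comment and, as far as this hunk shows, no validation, yet the proxy substitutes it into the authorization and end-session URLs that users' browsers are sent to. I would document it where it is declared, e.g. `# URL used for browser-facing redirects instead of authentik_host; empty disables the override`, and reject values that are not absolute `http(s)` URLs when the outpost config is saved. The rest of `OutpostConfig` is outside the hunk, so validation may already exist elsewhere.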
@ -18,7 +18,7 @@ type OIDCEndpoint struct {
|
||||||
func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoint {
|
func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoint {
|
||||||
authUrl := p.OidcConfiguration.AuthorizationEndpoint
|
authUrl := p.OidcConfiguration.AuthorizationEndpoint
|
||||||
endUrl := p.OidcConfiguration.EndSessionEndpoint
|
endUrl := p.OidcConfiguration.EndSessionEndpoint
|
||||||
if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found {
|
if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {
|
||||||
host := os.Getenv("AUTHENTIK_HOST")
|
host := os.Getenv("AUTHENTIK_HOST")
|
||||||
authUrl = strings.ReplaceAll(authUrl, host, browserHost)
|
authUrl = strings.ReplaceAll(authUrl, host, browserHost)
|
||||||
endUrl = strings.ReplaceAll(endUrl, host, browserHost)
|
endUrl = strings.ReplaceAll(endUrl, host, browserHost)
|
||||||
|
|
|
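Review bot: `host` gets no emptiness check in `GetOIDCEndpoint`, unlike `browserHost`, which now has the `browserHost != ""` guard. `strings.ReplaceAll` with an empty old string inserts the replacement between every character, so an unset `AUTHENTIK_HOST` would mangle both URLs; wrapping the two `ReplaceAll` calls in `if host != "" {` avoids that. The replace is also case- and trailing-slash-sensitive, while the Docker controller in this commit exports `AUTHENTIK_HOST` lowercased, so a host configured with upper-case letters would presumably not match and the override would silently do nothing. The function body continues past the hunk.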
@ -37,6 +37,8 @@ error_reporting_environment: beryjuorg-prod
|
||||||
authentik_host: https://authentik.tld/
|
authentik_host: https://authentik.tld/
|
||||||
# Disable SSL Validation for the authentik connection
|
# Disable SSL Validation for the authentik connection
|
||||||
authentik_host_insecure: false
|
authentik_host_insecure: false
|
||||||
|
# Optionally specify a different URL used for user-facing interactions
|
||||||
|
authentik_host_browser:
|
||||||
# Template used for objects created (deployments, services, secrets, etc)
|
# Template used for objects created (deployments, services, secrets, etc)
|
||||||
object_naming_template: ak-outpost-%(name)s
|
object_naming_template: ak-outpost-%(name)s
|
||||||
########################################
|
########################################
|
||||||
|
|