outposts/kubernetes: ingress class (#4002)
* add support for ingressClassName

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add option to disable ssl verification for k8s controller

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update website

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
d2bbcc0e1e
commit
ffe6f65af5
|
@ -143,7 +143,7 @@ class KubernetesServiceConnectionSerializer(ServiceConnectionSerializer):
|
|||
class Meta:
|
||||
|
||||
model = KubernetesServiceConnection
|
||||
fields = ServiceConnectionSerializer.Meta.fields + ["kubeconfig"]
|
||||
fields = ServiceConnectionSerializer.Meta.fields + ["kubeconfig", "verify_ssl"]
|
||||
|
||||
|
||||
class KubernetesServiceConnectionViewSet(UsedByMixin, ModelViewSet):
|
||||
|
|
|
@ -36,6 +36,7 @@ class KubernetesClient(ApiClient, BaseClient):
|
|||
load_incluster_config(client_configuration=config)
|
||||
else:
|
||||
load_kube_config_from_dict(connection.kubeconfig, client_configuration=config)
|
||||
config.verify_ssl = connection.verify_ssl
|
||||
super().__init__(config)
|
||||
except ConfigException as exc:
|
||||
raise ServiceConnectionInvalid(exc) from exc
|
||||
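Review bot: `config.verify_ssl = connection.verify_ssl` is applied after both the in-cluster and the kubeconfig branch, so a connection saved with verification off also disables certificate checking for an in-cluster API endpoint, and nothing records that the insecure mode is active. The bearer token from the kubeconfig or service account is sent over that connection, so a disabled check should at least be visible in the logs, e.g. `if not connection.verify_ssl:` followed by `LOGGER.warning("Kubernetes API certificate verification is disabled for this connection")` using whatever logger this module already has (not visible in the hunk). The enclosing `__init__` starts and ends outside the hunk.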
|
|
|
@ -0,0 +1,20 @@
|
|||
# Generated by Django 4.1.3 on 2022-11-14 12:56
|
||||
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
("authentik_outposts", "0001_squashed_0017_outpost_managed"),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AddField(
|
||||
model_name="kubernetesserviceconnection",
|
||||
name="verify_ssl",
|
||||
field=models.BooleanField(
|
||||
default=True, help_text="Verify SSL Certificates of the Kubernetes API endpoint"
|
||||
),
|
||||
),
|
||||
]
|
|
@ -53,7 +53,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
|
|||
class OutpostConfig:
|
||||
"""Configuration an outpost uses to configure it self"""
|
||||
|
||||
# update website/docs/outposts/outposts.md
|
||||
# update website/docs/outposts/_config.md
|
||||
|
||||
authentik_host: str = ""
|
||||
authentik_host_insecure: bool = False
|
||||
|
@ -62,16 +62,17 @@ class OutpostConfig:
|
|||
log_level: str = CONFIG.y("log_level")
|
||||
object_naming_template: str = field(default="ak-outpost-%(name)s")
|
||||
|
||||
container_image: Optional[str] = field(default=None)
|
||||
|
||||
docker_network: Optional[str] = field(default=None)
|
||||
docker_map_ports: bool = field(default=True)
|
||||
docker_labels: Optional[dict[str, str]] = field(default=None)
|
||||
|
||||
container_image: Optional[str] = field(default=None)
|
||||
|
||||
kubernetes_replicas: int = field(default=1)
|
||||
kubernetes_namespace: str = field(default_factory=get_namespace)
|
||||
kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
|
||||
kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
|
||||
kubernetes_ingress_class_name: Optional[str] = field(default=None)
|
||||
kubernetes_service_type: str = field(default="ClusterIP")
|
||||
kubernetes_disabled_components: list[str] = field(default_factory=list)
|
||||
kubernetes_image_pull_secrets: list[str] = field(default_factory=list)
|
||||
|
@ -224,6 +225,9 @@ class KubernetesServiceConnection(SerializerModel, OutpostServiceConnection):
|
|||
),
|
||||
blank=True,
|
||||
)
|
||||
verify_ssl = models.BooleanField(
|
||||
default=True, help_text=_("Verify SSL Certificates of the Kubernetes API endpoint")
|
||||
)
|
||||
|
||||
@property
|
||||
def serializer(self) -> Serializer:
|
||||
|
|
|
@ -159,9 +159,15 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
|
|||
hosts=tls_hosts,
|
||||
secret_name=self.controller.outpost.config.kubernetes_ingress_secret_name,
|
||||
)
|
||||
spec = V1IngressSpec(
|
||||
rules=rules,
|
||||
tls=[tls_config],
|
||||
)
|
||||
if self.controller.outpost.config.kubernetes_ingress_class_name:
|
||||
spec.ingress_class_name = self.controller.outpost.config.kubernetes_ingress_class_name
|
||||
return V1Ingress(
|
||||
metadata=meta,
|
||||
spec=V1IngressSpec(rules=rules, tls=[tls_config]),
|
||||
spec=spec,
|
||||
)
|
||||
|
||||
def create(self, reference: V1Ingress):
|
||||
|
|
|
@ -28488,6 +28488,9 @@ components:
|
|||
additionalProperties: {}
|
||||
description: Paste your kubeconfig here. authentik will automatically use
|
||||
the currently selected context.
|
||||
verify_ssl:
|
||||
type: boolean
|
||||
description: Verify SSL Certificates of the Kubernetes API endpoint
|
||||
required:
|
||||
- component
|
||||
- meta_model_name
|
||||
|
@ -28511,6 +28514,9 @@ components:
|
|||
additionalProperties: {}
|
||||
description: Paste your kubeconfig here. authentik will automatically use
|
||||
the currently selected context.
|
||||
verify_ssl:
|
||||
type: boolean
|
||||
description: Verify SSL Certificates of the Kubernetes API endpoint
|
||||
required:
|
||||
- name
|
||||
LDAPAPIAccessMode:
|
||||
|
@ -33714,6 +33720,9 @@ components:
|
|||
additionalProperties: {}
|
||||
description: Paste your kubeconfig here. authentik will automatically use
|
||||
the currently selected context.
|
||||
verify_ssl:
|
||||
type: boolean
|
||||
description: Verify SSL Certificates of the Kubernetes API endpoint
|
||||
PatchedLDAPPropertyMappingRequest:
|
||||
type: object
|
||||
description: LDAP PropertyMapping Serializer
|
||||
|
|
|
@ -78,6 +78,18 @@ export class ServiceConnectionKubernetesForm extends ModelForm<
|
|||
${t`Set custom attributes using YAML or JSON.`}
|
||||
</p>
|
||||
</ak-form-element-horizontal>
|
||||
<ak-form-element-horizontal name="verifySsl">
|
||||
<div class="pf-c-check">
|
||||
<input
|
||||
type="checkbox"
|
||||
class="pf-c-check__input"
|
||||
?checked=${first(this.instance?.verifySsl, true)}
|
||||
/>
|
||||
<label class="pf-c-check__label">
|
||||
${t`Verify Kubernetes API SSL Certificate`}
|
||||
</label>
|
||||
</div>
|
||||
</ak-form-element-horizontal>
|
||||
</form>`;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -59,4 +59,9 @@ kubernetes_disabled_components: []
|
|||
# NOTE: The secret must be created manually in the namespace first.
|
||||
# Applies to: non-embedded
|
||||
kubernetes_image_pull_secrets: []
|
||||
# Optionally configure an ingress class name. If not set, the ingress will use the cluster's
|
||||
# default ingress class
|
||||
# (Available with 2022.11.0+)
|
||||
# Applies to: proxy outposts
|
||||
kubernetes_ingress_class_name: null
|
||||
```
|
||||
|
|
|
@ -23,6 +23,7 @@ The following outpost settings are used:
|
|||
- `kubernetes_namespace`: Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available)
|
||||
- `kubernetes_ingress_annotations`: Any additional annotations to add to the ingress object, for example cert-manager
|
||||
- `kubernetes_ingress_secret_name`: Name of the secret that is used for TLS connections
|
||||
- `kubernetes_ingress_class_name`: Optionally set the ingress class used for the generated ingress, requires authentik 2022.11.0
|
||||
- `kubernetes_service_type`: Service kind created, can be set to LoadBalancer for LDAP outposts for example
|
||||
- `kubernetes_disabled_components`: Disable any components of the kubernetes integration, can be any of
|
||||
- 'secret'
|
||||
|
|