outposts/kubernetes: ingress class (#4002)

* add support for ingressClassName

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add option to disable ssl verification for k8s controller

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update website

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens L 2022-11-14 14:24:11 +01:00 committed by GitHub
parent d2bbcc0e1e
commit ffe6f65af5
9 changed files with 63 additions and 5 deletions


@ -143,7 +143,7 @@ class KubernetesServiceConnectionSerializer(ServiceConnectionSerializer):
class Meta:
model = KubernetesServiceConnection
fields = ServiceConnectionSerializer.Meta.fields + ["kubeconfig"]
fields = ServiceConnectionSerializer.Meta.fields + ["kubeconfig", "verify_ssl"]
class KubernetesServiceConnectionViewSet(UsedByMixin, ModelViewSet):


@ -36,6 +36,7 @@ class KubernetesClient(ApiClient, BaseClient):
load_incluster_config(client_configuration=config)
else:
load_kube_config_from_dict(connection.kubeconfig, client_configuration=config)
config.verify_ssl = connection.verify_ssl
super().__init__(config)
except ConfigException as exc:
raise ServiceConnectionInvalid(exc) from exc
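Review bot: `config.verify_ssl = connection.verify_ssl` turns off certificate verification for the Kubernetes API client without leaving any trace, and it is applied on the in-cluster path as well as the kubeconfig path. Consider logging at this point when verification is off, e.g. `if not connection.verify_ssl: LOGGER.warning("Kubernetes API TLS verification disabled", connection=str(connection))` (using whatever logger this module already has), so an insecure connection is visible to operators. With verification disabled the credentials in the kubeconfig are presented to whichever endpoint answers, which is the consequence a reader of this line should be able to find. The enclosing `__init__` starts before the hunk.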


@ -0,0 +1,20 @@
# Generated by Django 4.1.3 on 2022-11-14 12:56
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
("authentik_outposts", "0001_squashed_0017_outpost_managed"),
]
operations = [
migrations.AddField(
model_name="kubernetesserviceconnection",
name="verify_ssl",
field=models.BooleanField(
default=True, help_text="Verify SSL Certificates of the Kubernetes API endpoint"
),
),
]


@ -53,7 +53,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
class OutpostConfig:
"""Configuration an outpost uses to configure it self"""
# update website/docs/outposts/outposts.md
# update website/docs/outposts/_config.md
authentik_host: str = ""
authentik_host_insecure: bool = False
@ -62,16 +62,17 @@ class OutpostConfig:
log_level: str = CONFIG.y("log_level")
object_naming_template: str = field(default="ak-outpost-%(name)s")
container_image: Optional[str] = field(default=None)
docker_network: Optional[str] = field(default=None)
docker_map_ports: bool = field(default=True)
docker_labels: Optional[dict[str, str]] = field(default=None)
container_image: Optional[str] = field(default=None)
kubernetes_replicas: int = field(default=1)
kubernetes_namespace: str = field(default_factory=get_namespace)
kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
kubernetes_ingress_class_name: Optional[str] = field(default=None)
kubernetes_service_type: str = field(default="ClusterIP")
kubernetes_disabled_components: list[str] = field(default_factory=list)
kubernetes_image_pull_secrets: list[str] = field(default_factory=list)
@ -224,6 +225,9 @@ class KubernetesServiceConnection(SerializerModel, OutpostServiceConnection):
),
blank=True,
)
verify_ssl = models.BooleanField(
default=True, help_text=_("Verify SSL Certificates of the Kubernetes API endpoint")
)
@property
def serializer(self) -> Serializer:
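Review bot: `kubernetes_ingress_class_name: Optional[str] = field(default=None)` does not say how an empty string is treated, while the reconciler in this same commit only applies the value when it is truthy, so `""` and `None` both fall back to the cluster default. A comment on the field, `# None or "" -> cluster default ingress class (only applied when truthy)`, keeps the config and the reconciler in agreement. The `verify_ssl` field in the last hunk of this section correctly defaults to True; its help text could also state what disabling it means, e.g. `_("Verify the TLS certificate of the Kubernetes API endpoint. Disabling this exposes the kubeconfig credentials to interception.")`, since the same text is surfaced in the API schema. Both enclosing classes start before their hunks.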


@ -159,9 +159,15 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
hosts=tls_hosts,
secret_name=self.controller.outpost.config.kubernetes_ingress_secret_name,
)
spec = V1IngressSpec(
rules=rules,
tls=[tls_config],
)
if self.controller.outpost.config.kubernetes_ingress_class_name:
spec.ingress_class_name = self.controller.outpost.config.kubernetes_ingress_class_name
return V1Ingress(
metadata=meta,
spec=V1IngressSpec(rules=rules, tls=[tls_config]),
spec=spec,
)
def create(self, reference: V1Ingress):
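Review bot: The two-step construction at `spec = V1IngressSpec(...)` followed by the conditional attribute assignment can be one constructor call, since `V1IngressSpec` accepts `ingress_class_name`: `spec = V1IngressSpec(rules=rules, tls=[tls_config], ingress_class_name=self.controller.outpost.config.kubernetes_ingress_class_name or None)`, which reads the config once and keeps `""` mapped to unset exactly as the current code does. Separately, if the reconciler's comparison of the live object against this reference (outside the hunk) does not cover `ingress_class_name`, changing the class on an already-deployed outpost may not trigger an update; worth confirming. The enclosing method starts before the hunk.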


@ -28488,6 +28488,9 @@ components:
additionalProperties: {}
description: Paste your kubeconfig here. authentik will automatically use
the currently selected context.
verify_ssl:
type: boolean
description: Verify SSL Certificates of the Kubernetes API endpoint
required:
- component
- meta_model_name
@ -28511,6 +28514,9 @@ components:
additionalProperties: {}
description: Paste your kubeconfig here. authentik will automatically use
the currently selected context.
verify_ssl:
type: boolean
description: Verify SSL Certificates of the Kubernetes API endpoint
required:
- name
LDAPAPIAccessMode:
@ -33714,6 +33720,9 @@ components:
additionalProperties: {}
description: Paste your kubeconfig here. authentik will automatically use
the currently selected context.
verify_ssl:
type: boolean
description: Verify SSL Certificates of the Kubernetes API endpoint
PatchedLDAPPropertyMappingRequest:
type: object
description: LDAP PropertyMapping Serializer


@ -78,6 +78,18 @@ export class ServiceConnectionKubernetesForm extends ModelForm<
${t`Set custom attributes using YAML or JSON.`}
</p>
</ak-form-element-horizontal>
<ak-form-element-horizontal name="verifySsl">
<div class="pf-c-check">
<input
type="checkbox"
class="pf-c-check__input"
?checked=${first(this.instance?.verifySsl, true)}
/>
<label class="pf-c-check__label">
${t`Verify Kubernetes API SSL Certificate`}
</label>
</div>
</ak-form-element-horizontal>
</form>`;
}
}
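Review bot: The new `verifySsl` checkbox has no helper text, unlike the neighbouring field which explains itself with a `<p class="pf-c-form__helper-text">` paragraph. Unchecking it disables certificate verification for the Kubernetes API connection, which is not obvious from the label alone; adding below the label something like `<p class="pf-c-form__helper-text">${t`When disabled, the kubeconfig credentials are sent to the API endpoint without verifying its certificate.`}</p>` would tell the administrator what they are trading off. The enclosing `renderForm` template starts before the hunk.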


@ -59,4 +59,9 @@ kubernetes_disabled_components: []
# NOTE: The secret must be created manually in the namespace first.
# Applies to: non-embedded
kubernetes_image_pull_secrets: []
# Optionally configure an ingress class name. If not set, the ingress will use the cluster's
# default ingress class
# (Available with 2022.11.0+)
# Applies to: proxy outposts
kubernetes_ingress_class_name: null
```


@ -23,6 +23,7 @@ The following outpost settings are used:
- `kubernetes_namespace`: Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available)
- `kubernetes_ingress_annotations`: Any additional annotations to add to the ingress object, for example cert-manager
- `kubernetes_ingress_secret_name`: Name of the secret that is used for TLS connections
- `kubernetes_ingress_class_name`: Optionally set the ingress class used for the generated ingress, requires authentik 2022.11.0
- `kubernetes_service_type`: Service kind created, can be set to LoadBalancer for LDAP outposts for example
- `kubernetes_disabled_components`: Disable any components of the kubernetes integration, can be any of
- 'secret'