feat(authentik): internal access via LBIP for SNI

kube/deploy/apps/authentik/app/netpol.yaml

@@ -23,6 +23,16 @@ spec:
         - matchLabels:
             io.kubernetes.pod.namespace: ingress
             app.kubernetes.io/name: ingress-nginx
+    # allow HTTPS traffic in-cluster
+    - fromEndpoints:
+        - matchLabels:
+            authentik.home.arpa/https: allow
+          matchExpressions:
+            - key: io.kubernetes.pod.namespace
+              operator: Exists
+      toPorts:
+        - ports:
+            - port: "9443"
   egress:
     # same namespace
     - toEndpoints:
@@ -35,13 +45,33 @@ spec:
             app.kubernetes.io/name: ingress-nginx
     # allow Duo
     - toFQDNs:
-        - matchPattern: api-*.duosecurity.com
+        - matchPattern: "api-*.duosecurity.com"
       toPorts:
         - ports:
             - port: "443"
     # allow AWS SES
     - toFQDNs:
-        - matchPattern: email-smtp.*.amazonaws.com
+        - matchPattern: "email-smtp.*.amazonaws.com"
       toPorts:
         - ports:
             - port: "587"
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: &app authentik-https-in-cluster
+spec:
+  endpointSelector:
+    matchLabels:
+      authentik.home.arpa/https: allow
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: authentik
+            app.kubernetes.io/name: authentik
+            app.kubernetes.io/instance: authentik
+            app.kubernetes.io/component: server
+      toPorts:
+        - ports:
+            - port: "9443"

kube/deploy/apps/authentik/app/svc.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: authentik-https-in-cluster
+  namespace: authentik
+  annotations:
+    # this is for in-cluster apps only, DNS is configured via hostAliases
+    io.cilium/internal: "true"
+    io.cilium/lb-ipam-ips: "${APP_IP_AUTHENTIK}"
+spec:
+  type: LoadBalancer
+  selector:
+    app.kubernetes.io/name: authentik
+    app.kubernetes.io/instance: authentik
+    app.kubernetes.io/component: server
+  ports:
+    - name: https
+      port: 443
+      targetPort: 9443
+      protocol: TCP
+  allocateLoadBalancerNodePorts: false

kube/deploy/core/_networking/cilium/loadbalancer/BGP.yaml

@@ -15,7 +15,8 @@ spec:
       exportPodCIDR: false
       serviceSelector: &all # this replaces address-pools, instead of defining the range of IPs that can be assigned to LoadBalancer services, now services have to match below selectors for their LB IPs to be announced
         matchExpressions:
-          - {key: thisFakeSelector, operator: NotIn, values: ['will-match-and-announce-all-services']}
+          - {key: io.cilium/bgp, operator: NotIn, values: ["deny", "false"]}
+          - {key: io.cilium/internal, operator: NotIn, values: ["true"]}
       neighbors:
         - peerAddress: "${IP_ROUTER_VLAN_K8S}/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
           peerASN: *router

kube/deploy/core/_networking/cilium/loadbalancer/LB-IPs.yaml

@@ -33,4 +33,15 @@ spec:
     - cidr: "${IP_LB_DNS_CIDR}"
   serviceSelector:
     matchLabels:
-      exposeSvc: dns
+      exposeSvc: dns
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: internal-only
+spec:
+  cidrs:
+    - cidr: "${IP_LB_INTERNAL_CIDR}"
+  serviceSelector:
+    matchLabels:
+      io.cilium/internal: "true"