From 8a6120eae6d4e1a5ee2666dea6132d2bc4918da7 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Sat, 10 Feb 2024 22:13:22 +0800
Subject: [PATCH] feat(authentik): internal access via LBIP for SNI

---
 kube/deploy/apps/authentik/app/netpol.yaml | 34 +++++++++++++++++--
 kube/deploy/apps/authentik/app/svc.yaml | 22 ++++++++++++
 .../_networking/cilium/loadbalancer/BGP.yaml | 3 +-
 .../cilium/loadbalancer/LB-IPs.yaml | 13 ++++++-
 4 files changed, 68 insertions(+), 4 deletions(-)
 create mode 100644 kube/deploy/apps/authentik/app/svc.yaml

diff --git a/kube/deploy/apps/authentik/app/netpol.yaml b/kube/deploy/apps/authentik/app/netpol.yaml
index f6249823..55595445 100644
--- a/kube/deploy/apps/authentik/app/netpol.yaml
+++ b/kube/deploy/apps/authentik/app/netpol.yaml
@@ -23,6 +23,16 @@ spec:
 - matchLabels:
 io.kubernetes.pod.namespace: ingress
 app.kubernetes.io/name: ingress-nginx
+ # allow HTTPS traffic in-cluster
+ - fromEndpoints:
+ - matchLabels:
+ authentik.home.arpa/https: allow
+ matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ toPorts:
+ - ports:
+ - port: "9443"
 egress:
 # same namespace
 - toEndpoints: 
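Review bot: The new `fromEndpoints` rule admits any pod in any namespace to port 9443 on the strength of a single pod label, `authentik.home.arpa/https: allow`; the `io.kubernetes.pod.namespace` / `operator: Exists` expression is what widens the match beyond the policy's own namespace, so whoever can set labels on a pod anywhere in the cluster can reach the authentik server directly, bypassing the ingress-nginx rule just above it. That is a defensible trade, but the one-line comment should state it; I'd replace `# allow HTTPS traffic in-cluster` with `# allow any pod cluster-wide that opts in via authentik.home.arpa/https=allow; the namespace Exists expression lifts Cilium's same-namespace default, so the label is the only gate`. Consider also adding `protocol: TCP` under the `port: "9443"` entry, since an omitted protocol matches any protocol in Cilium and the Service added in this commit only forwards TCP to 9443. The enclosing CiliumNetworkPolicy starts before this hunk.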
@@ -35,13 +45,33 @@ spec:
 app.kubernetes.io/name: ingress-nginx
 # allow Duo
 - toFQDNs:
- - matchPattern: api-*.duosecurity.com
+ - matchPattern: "api-*.duosecurity.com"
 toPorts:
 - ports:
 - port: "443"
 # allow AWS SES
 - toFQDNs:
- - matchPattern: email-smtp.*.amazonaws.com
+ - matchPattern: "email-smtp.*.amazonaws.com"
 toPorts:
 - ports:
 - port: "587"
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: &app authentik-https-in-cluster
+spec:
+ endpointSelector:
+ matchLabels:
+ authentik.home.arpa/https: allow
+ egress:
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: authentik
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ toPorts:
+ - ports:
+ - port: "9443"
diff --git a/kube/deploy/apps/authentik/app/svc.yaml b/kube/deploy/apps/authentik/app/svc.yaml
new file mode 100644
index 00000000..7e069ec7
--- /dev/null
+++ b/kube/deploy/apps/authentik/app/svc.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: authentik-https-in-cluster
+ namespace: authentik
+ annotations:
+ # this is for in-cluster apps only, DNS is configured via hostAliases
+ io.cilium/internal: "true"
+ io.cilium/lb-ipam-ips: "${APP_IP_AUTHENTIK}"
+spec:
+ type: LoadBalancer
+ selector:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ ports:
+ - name: https
+ port: 443
+ targetPort: 9443
+ protocol: TCP
+ allocateLoadBalancerNodePorts: false
diff --git a/kube/deploy/core/_networking/cilium/loadbalancer/BGP.yaml b/kube/deploy/core/_networking/cilium/loadbalancer/BGP.yaml
index 0e9a92ef..d883e2e3 100644
--- a/kube/deploy/core/_networking/cilium/loadbalancer/BGP.yaml
+++ b/kube/deploy/core/_networking/cilium/loadbalancer/BGP.yaml
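Review bot: The new CiliumClusterwideNetworkPolicy attaches an egress rule to every pod carrying `authentik.home.arpa/https: allow`, and if I read Cilium's policy model correctly an endpoint that becomes subject to any egress rule is switched to default-deny for egress, so a pod that opts in with this label but is not already covered by an egress policy of its own would lose all other egress (DNS included) the moment the label lands. Worth confirming that every intended consumer already has its own egress policy, or stating that requirement in a comment above `endpointSelector:`, e.g. `# NOTE: selecting a pod here puts it in default-deny egress; consumers must already carry their own egress policy`. The `&app` anchor on `name:` is never aliased in this document and can be dropped. The namespaced policy whose egress section the first part of this hunk quotes starts before the hunk.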
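Review bot: `io.cilium/internal: "true"` is placed under `metadata.annotations`, but both selectors this commit introduces for it — `serviceSelector.matchLabels` on the `internal-only` pool in LB-IPs.yaml and the `NotIn ["true"]` expression in BGP.yaml — are label selectors, so as written the Service matches neither: the other pools visible select on labels such as `exposeSvc`, so no pool would honour the `${APP_IP_AUTHENTIK}` request, and had an address been assigned by some other route the BGP exclusion would not apply and the "in-cluster only" intent in the comment would be silently broken. Unless Cilium's service selectors also read annotations (I do not believe they do), move the key into a `labels:` block: `labels:` / `io.cilium/internal: "true"`, leaving `io.cilium/lb-ipam-ips` as the annotation it is. The comment could additionally note that the requested IP must fall inside `${IP_LB_INTERNAL_CIDR}` for the internal pool to satisfy it.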
@@ -15,7 +15,8 @@ spec:
 exportPodCIDR: false
 serviceSelector: &all # this replaces address-pools, instead of defining the range of IPs that can be assigned to LoadBalancer services, now services have to match below selectors for their LB IPs to be announced
 matchExpressions:
- - {key: thisFakeSelector, operator: NotIn, values: ['will-match-and-announce-all-services']}
+ - {key: io.cilium/bgp, operator: NotIn, values: ["deny", "false"]}
+ - {key: io.cilium/internal, operator: NotIn, values: ["true"]}
 neighbors:
 - peerAddress: "${IP_ROUTER_VLAN_K8S}/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
 peerASN: *router
diff --git a/kube/deploy/core/_networking/cilium/loadbalancer/LB-IPs.yaml b/kube/deploy/core/_networking/cilium/loadbalancer/LB-IPs.yaml
index c7f3102e..b625afed 100644
--- a/kube/deploy/core/_networking/cilium/loadbalancer/LB-IPs.yaml
+++ b/kube/deploy/core/_networking/cilium/loadbalancer/LB-IPs.yaml
@@ -33,4 +33,15 @@ spec:
 - cidr: "${IP_LB_DNS_CIDR}"
 serviceSelector:
 matchLabels:
- exposeSvc: dns
\ No newline at end of file
+ exposeSvc: dns
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumLoadBalancerIPPool
+metadata:
+ name: internal-only
+spec:
+ cidrs:
+ - cidr: "${IP_LB_INTERNAL_CIDR}"
+ serviceSelector:
+ matchLabels:
+ io.cilium/internal: "true"
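Review bot: The selector now announces every LoadBalancer Service by default and withholds only those explicitly labelled `io.cilium/bgp=deny|false` or `io.cilium/internal=true`, yet the long inline comment on `serviceSelector: &all` still describes the old catch-all intent and says nothing about the opt-out labels, so a reader has to reverse-engineer the two `NotIn` expressions to learn that a forgotten label means a Service is routed to the router. Suggest trimming that comment and adding above `matchExpressions:`: `# opt-out model: every LB Service is announced unless labelled io.cilium/bgp=deny|false or io.cilium/internal=true (labels, not annotations)`. The `&all` anchor is retained, so anything aliasing it elsewhere in the file now inherits the new exclusions too; those uses are outside this hunk and worth a glance.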
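Review bot: Nothing in the new `internal-only` pool tells a reader that its CIDR is deliberately kept off the BGP session; that property lives solely in the `io.cilium/internal` exclusion in BGP.yaml, and a later edit to either file could start routing `${IP_LB_INTERNAL_CIDR}` to the router without anyone noticing here. Add a comment under `metadata:` or beside the `cidr:` line, e.g. `# addresses from this pool are intentionally not announced via BGP; BGP.yaml excludes io.cilium/internal=true Services from its serviceSelector`. A one-line pointer the other way in BGP.yaml would keep the two files in step.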