From 2e2876fb62a2036626e8737ee46f023612c8e451 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Fri, 21 Apr 2023 09:11:17 +0800
Subject: [PATCH] feat(flux): switch forward-auth patches to domain-level
Signed-off-by: JJGadgets
---
 .../Biohazard/2-config/2-flux-repo.yaml | 25 ++++++-------------
 .../Biohazard/2-config/kustomization.yaml | 23 +++++------------
 2 files changed, 13 insertions(+), 35 deletions(-)
diff --git a/kube/1-clusters/Biohazard/2-config/2-flux-repo.yaml b/kube/1-clusters/Biohazard/2-config/2-flux-repo.yaml
index 3b205d17..134f103b 100644
--- a/kube/1-clusters/Biohazard/2-config/2-flux-repo.yaml
+++ b/kube/1-clusters/Biohazard/2-config/2-flux-repo.yaml
@@ -232,30 +232,19 @@ spec:
 nginx.ingress.kubernetes.io/whitelist-source-range: |
 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10
 nginx.ingress.kubernetes.io/auth-url: |-
- https://${APP_DNS_AUTH}/outpost.goauthentik.io/auth/nginx
+ http://authentik-outpost-remote.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
+ # If you're using domain-level auth, use the authentication URL instead of the application URL
+ nginx.ingress.kubernetes.io/auth-signin: |-
+ https://${APP_DNS_AUTHENTIK_OUTPOST}//outpost.goauthentik.io/start?rd=$escaped_request_uri
 nginx.ingress.kubernetes.io/auth-response-headers: |-
- Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
+ Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
 nginx.ingress.kubernetes.io/auth-snippet: |
- proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Host $http_host;
 target:
 group: helm.toolkit.fluxcd.io
 version: v2beta1
 kind: HelmRelease
- labelSelector: nginx.ingress.home.arpa/type=auth-external-only
- - patch: |
- - op: add
- path: /spec/values/ingress/main/hosts/0/paths/-
- value:
- path: /outpost.goauthentik.io
- pathType: Prefix
- service:
- name: authentik
- port: 443
- target:
- group: helm.toolkit.fluxcd.io
- version: v2beta1
- kind: HelmRelease
- labelSelector: nginx.ingress.home.arpa/type=auth-external-only
+ labelSelector: ingress.home.arpa/type=auth-external-only
 target:
 group: kustomize.toolkit.fluxcd.io
 version: v1beta2
diff --git a/kube/1-clusters/Biohazard/2-config/kustomization.yaml b/kube/1-clusters/Biohazard/2-config/kustomization.yaml
index 6cfbcf79..7252b811 100644
--- a/kube/1-clusters/Biohazard/2-config/kustomization.yaml
+++ b/kube/1-clusters/Biohazard/2-config/kustomization.yaml
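Review bot: The added `auth-signin` value has a doubled slash after the host, `https://${APP_DNS_AUTHENTIK_OUTPOST}//outpost.goauthentik.io/start?rd=$escaped_request_uri`, and the identical line is added in the kustomization.yaml hunk below. Whether the redirect still reaches the outpost then depends on the receiving server collapsing `//`, so it should read `https://${APP_DNS_AUTHENTIK_OUTPOST}/outpost.goauthentik.io/start?rd=$escaped_request_uri` rather than relying on path normalisation. It is also worth confirming that `$escaped_request_uri` carries enough for the post-login return: as far as I know it holds only the escaped path and query, and when `rd=` is already present ingress-nginx uses the annotation verbatim instead of prefixing `$pass_access_scheme://$http_host`, so with the outpost on its own hostname the user may be sent back to the outpost host rather than the application. Separately, `auth-url` now reaches the outpost over plain `http` on the pod network and the subrequest forwards the client's cookies, so that leg is only as private as the cluster network (CNI encryption or a mesh), and a NetworkPolicy limiting which namespaces can reach the outpost's port 9000 is a cheap way to narrow it. The enclosing `patch` list entry begins above the hunk.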
@@ -200,25 +200,14 @@ patches:
 nginx.ingress.kubernetes.io/whitelist-source-range: |
 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10
 nginx.ingress.kubernetes.io/auth-url: |-
- https://${APP_DNS_AUTH}/outpost.goauthentik.io/auth/nginx
+ http://authentik-outpost-remote.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
+ # If you're using domain-level auth, use the authentication URL instead of the application URL
+ nginx.ingress.kubernetes.io/auth-signin: |-
+ https://${APP_DNS_AUTHENTIK_OUTPOST}//outpost.goauthentik.io/start?rd=$escaped_request_uri
 nginx.ingress.kubernetes.io/auth-response-headers: |-
- Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
+ Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
 nginx.ingress.kubernetes.io/auth-snippet: |
- proxy_set_header X-Forwarded-Host $http_host;
- target:
- group: helm.toolkit.fluxcd.io
- version: v2beta1
- kind: HelmRelease
- labelSelector: ingress.home.arpa/type=auth-external-only
- - patch: |
- - op: add
- path: /spec/values/ingress/main/hosts/0/paths/-
- value:
- path: /outpost.goauthentik.io
- pathType: Prefix
- service:
- name: authentik
- port: 443
+ proxy_set_header X-Forwarded-Host $http_host;
 target:
 group: helm.toolkit.fluxcd.io
 version: v2beta1