feat(authentik): add Anubis for public IPs

2026-03-22 04:39:53 +00:00 · 2025-03-05 13:32:56 +08:00
parent 92067fe5bc
commit da0917731e
1 changed files with 47 additions and 14 deletions
--- a/kube/deploy/apps/authentik/app/hr.yaml
+++ b/kube/deploy/apps/authentik/app/hr.yaml
@@ -130,6 +130,31 @@ spec:
                  periodSeconds: 1
                  failureThreshold: 300
                  initialDelaySeconds: 15
+          anubis:
+            image: &img
+              repository: ghcr.io/xe/x/anubis
+              tag: latest@sha256:f54385a986e2032b238c626e9cec989acc4e36160ab87b88722171929cb5880b
+            env: &env
+              TZ: "${CONFIG_TZ}"
+              DIFFICULTY: "5"
+              SERVE_ROBOTS_TXT: "true"
+              TARGET: "http://127.0.0.1:9000"
+            securityContext: *sc
+            resources:
+              requests:
+                cpu: "5m"
+                memory: "32Mi"
+              limits:
+                cpu: "1"
+                memory: "128Mi"
+            ports:
+              - name: anubis
+                containerPort: &anubis 8923
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
      worker:
        type: deployment
        replicas: 2
@@ -309,6 +334,9 @@ spec:
          metrics:
            <<: *port
            port: *metrics
+          anubis:
+            <<: *port
+            port: *anubis
      redis:
        primary: false
        controller: redis
@@ -368,42 +396,47 @@ spec:
            <<: *radius
            protocol: UDP
    ingress:
-      main:
+      internal: &ingress
        className: nginx-external
        annotations:
-          external-dns.alpha.kubernetes.io/target: "${DNS_CF:=cf}"
-          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+          nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 100.64.0.0/10"
        hosts:
          - host: &host "${APP_DNS_AUTHENTIK:=authentik}"
            paths:
-              - path: /
+              - &path
+                path: /
                pathType: Prefix
                service:
                  identifier: authentik
                  port: http
-        tls:
+        tls: &tls
          - hosts: [*host]
            secretName: authentik-tls
+      external:
+        <<: *ingress
+        annotations:
+          external-dns.alpha.kubernetes.io/target: "${DNS_CF:=cf}"
+          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+        hosts:
+          - host: *host
+            paths:
+              - <<: *path
+                service:
+                  identifier: authentik
+                  port: anubis
      harden:
-        className: nginx-external
+        <<: *ingress
        annotations:
          nginx.ingress.kubernetes.io/whitelist-source-range: "${IP_JJ_V4:=127.0.0.1/32}"
        hosts:
          - host: *host
            paths:
-              - &path
+              - <<: *path
                path: /api/v3/policies/expression
-                pathType: Prefix
-                service:
-                  identifier: authentik
-                  port: http
              - <<: *path
                path: /api/v3/propertymappings
              - <<: *path
                path: /api/v3/managed/blueprints
-        tls:
-          - hosts: [*host]
-            secretName: authentik-tls
    persistence:
      pg-ca:
        type: secret