chore: cleanup

2026-03-21 18:39:44 +00:00 · 2025-04-15 21:15:01 +08:00
parent 976960bc84
commit f1a8ca2201
3 changed files with 162 additions and 53 deletions
--- a/kube/deploy/apps/authentik/app/hr.yaml
+++ b/kube/deploy/apps/authentik/app/hr.yaml
@@ -320,59 +320,59 @@ spec:
                enabled: true
              readiness:
                enabled: true
-      renovate-test:
-        enabled: false
-        type: deployment
-        replicas: 0
-        strategy: RollingUpdate
-        rollingUpdate:
-          unavailable: "90%"
-        containers:
-          main:
-            image: &img
-              repository: ghcr.io/goauthentik/server
-              tag: 2024.12.5@sha256:717323d68507fb76dd79f8958f42ce57f8ae0c10a55a7807efa1cfec5752b77c
-            args: [server]
-            env: &env
-              TZ: "${CONFIG_TZ}"
-            securityContext: &sc
-              readOnlyRootFilesystem: true
-              allowPrivilegeEscalation: false
-              capabilities:
-                drop: ["ALL"]
-            resources:
-              requests:
-                cpu: "0"
-                memory: "0"
-              limits:
-                cpu: "1000m"
-                memory: "2Gi"
-          anubis:
-            image:
-              repository: ghcr.io/xe/x/anubis
-              tag: latest@sha256:a7b24490df79512a18a198dc44cd3d8a4ac3389ec91866ec9720d6293c2bdde7
-            env:
-              TZ: "${CONFIG_TZ}"
-              BIND: ":8923"
-              DIFFICULTY: "5"
-              SERVE_ROBOTS_TXT: "true"
-              TARGET: "http://127.0.0.1:9000"
-            securityContext: *sc
-            resources:
-              requests:
-                cpu: "5m"
-                memory: "32Mi"
-              limits:
-                cpu: "1"
-                memory: "128Mi"
-            ports:
-              - name: anubis
-                containerPort: &anubis 8923
-            probes:
-              liveness:
-                enabled: true
-              readiness:
-                enabled: true
+      # renovate-test:
+      #   enabled: false
+      #   type: deployment
+      #   replicas: 0
+      #   strategy: RollingUpdate
+      #   rollingUpdate:
+      #     unavailable: "90%"
+      #   containers:
+      #     main:
+      #       image: &img
+      #         repository: ghcr.io/goauthentik/server
+      #         tag: 2024.12.5@sha256:717323d68507fb76dd79f8958f42ce57f8ae0c10a55a7807efa1cfec5752b77c
+      #       args: [server]
+      #       env: &env
+      #         TZ: "${CONFIG_TZ}"
+      #       securityContext: &sc
+      #         readOnlyRootFilesystem: true
+      #         allowPrivilegeEscalation: false
+      #         capabilities:
+      #           drop: ["ALL"]
+      #       resources:
+      #         requests:
+      #           cpu: "0"
+      #           memory: "0"
+      #         limits:
+      #           cpu: "1000m"
+      #           memory: "2Gi"
+      #     anubis:
+      #       image:
+      #         repository: ghcr.io/xe/x/anubis
+      #         tag: latest@sha256:a7b24490df79512a18a198dc44cd3d8a4ac3389ec91866ec9720d6293c2bdde7
+      #       env:
+      #         TZ: "${CONFIG_TZ}"
+      #         BIND: ":8923"
+      #         DIFFICULTY: "5"
+      #         SERVE_ROBOTS_TXT: "true"
+      #         TARGET: "http://127.0.0.1:9000"
+      #       securityContext: *sc
+      #       resources:
+      #         requests:
+      #           cpu: "5m"
+      #           memory: "32Mi"
+      #         limits:
+      #           cpu: "1"
+      #           memory: "128Mi"
+      #       ports:
+      #         - name: anubis
+      #           containerPort: &anubis 8923
+      #       probes:
+      #         liveness:
+      #           enabled: true
+      #         readiness:
+      #           enabled: true
    service:
      authentik:
        controller: authentik
--- a/kube/deploy/apps/authentik/app/ingress.yaml
+++ b/kube/deploy/apps/authentik/app/ingress.yaml
@@ -0,0 +1,55 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: authentik-proxy-outpost-internal
+  namespace: authentik
+spec:
+  ingressClassName: nginx-internal
+  rules:
+    - http: &paths
+        paths:
+          - path: /outpost.goauthentik.io
+            pathType: Prefix
+            backend:
+              service:
+                name: authentik
+                port:
+                  number: 9000
+      host: "${APP_DNS_NAVIDROME}"
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: authentik-proxy-outpost-external
+  namespace: authentik
+spec:
+  ingressClassName: nginx-external
+  rules:
+    - http:
+        paths:
+          - path: /outpost.goauthentik.io
+            pathType: Prefix
+            backend:
+              service:
+                name: authentik
+                port:
+                  number: 9000
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: authentik-proxy-outpost-public
+  namespace: authentik
+spec:
+  ingressClassName: nginx-public
+  rules:
+    - http:
+        paths:
+          - path: /outpost.goauthentik.io
+            pathType: Prefix
+            backend:
+              service:
+                name: authentik
+                port:
+                  number: 9000
--- a/kube/deploy/apps/authentik/app/mutatingadmissionpolicy-ingress-forward-auth.yaml
+++ b/kube/deploy/apps/authentik/app/mutatingadmissionpolicy-ingress-forward-auth.yaml
@@ -0,0 +1,54 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicyBinding
+metadata:
+  name: &n ingress-forward-auth-authentik
+spec:
+  policyName: *n
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicy-admissionregistration-v1alpha1.json
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicy
+metadata:
+  name: ingress-forward-auth-authentik
+spec:
+  matchConstraints:
+    resourceRules:
+      - apiGroups: ["networking.k8s.io"]
+        apiVersions: ["v1"]
+        operations: ["CREATE", "UPDATE"]
+        resources: ["ingress"]
+  matchConditions:
+    - name: has-authentik-forward-auth-labels
+        # has(object.metadata.labels["authentik.home.arpa/forward-auth"]
+      expression: >
+        'authentik.home.arpa/forward-auth' in object.metadata.labels
+    - name: repository-volume-does-not-exist
+      expression: >
+        !object.metadata.annotations.exists(item, item.name == "repository")
+  failurePolicy: Fail
+  reinvocationPolicy: IfNeeded
+  mutations:
+    - patchType: JSONPatch
+      jsonPatch:
+        expression: >
+          [
+            JSONPatch{
+              op: "add", path: "/spec/template/spec/containers/0/volumeMounts/-",
+              value: Object.spec.template.spec.containers.volumeMounts{
+                name: "repository",
+                mountPath: "/repository"
+              }
+            },
+            JSONPatch{
+              op: "add", path: "/spec/template/spec/volumes/-",
+              value: Object.spec.template.spec.volumes{
+                name: "repository",
+                nfs: Object.spec.template.spec.volumes.nfs{
+                  server: "expanse.internal",
+                  path: "/mnt/eros/Volsync"
+                }
+              }
+            }
+          ]