diff --git a/kube/deploy/apps/authentik/app/hr.yaml b/kube/deploy/apps/authentik/app/hr.yaml
index f1cec052..dc730d92 100644
--- a/kube/deploy/apps/authentik/app/hr.yaml
+++ b/kube/deploy/apps/authentik/app/hr.yaml
@@ -320,59 +320,59 @@ spec: enabled: true readiness: enabled: true - renovate-test: - enabled: false - type: deployment - replicas: 0 - strategy: RollingUpdate - rollingUpdate: - unavailable: "90%" - containers: - main: - image: &img - repository: ghcr.io/goauthentik/server - tag: 2024.12.5@sha256:717323d68507fb76dd79f8958f42ce57f8ae0c10a55a7807efa1cfec5752b77c - args: [server] - env: &env - TZ: "${CONFIG_TZ}" - securityContext: &sc - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - resources: - requests: - cpu: "0" - memory: "0" - limits: - cpu: "1000m" - memory: "2Gi" - anubis: - image: - repository: ghcr.io/xe/x/anubis - tag: latest@sha256:a7b24490df79512a18a198dc44cd3d8a4ac3389ec91866ec9720d6293c2bdde7 - env: - TZ: "${CONFIG_TZ}" - BIND: ":8923" - DIFFICULTY: "5" - SERVE_ROBOTS_TXT: "true" - TARGET: "http://127.0.0.1:9000" - securityContext: *sc - resources: - requests: - cpu: "5m" - memory: "32Mi" - limits: - cpu: "1" - memory: "128Mi" - ports: - - name: anubis - containerPort: &anubis 8923 - probes: - liveness: - enabled: true - readiness: - enabled: true + # renovate-test: + # enabled: false + # type: deployment + # replicas: 0 + # strategy: RollingUpdate + # rollingUpdate: + # unavailable: "90%" + # containers: + # main: + # image: &img + # repository: ghcr.io/goauthentik/server + # tag: 2024.12.5@sha256:717323d68507fb76dd79f8958f42ce57f8ae0c10a55a7807efa1cfec5752b77c + # args: [server] + # env: &env + # TZ: "${CONFIG_TZ}" + # securityContext: &sc + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: ["ALL"] + # resources: + # requests: + # cpu: "0" + # memory: "0" + # limits: + # cpu: "1000m" + # memory: "2Gi" + # anubis: + # image: + # repository: ghcr.io/xe/x/anubis + # tag: latest@sha256:a7b24490df79512a18a198dc44cd3d8a4ac3389ec91866ec9720d6293c2bdde7 + # env: + # TZ: "${CONFIG_TZ}" + # BIND: ":8923" + # DIFFICULTY: "5" + # SERVE_ROBOTS_TXT: "true" + # TARGET: 
"http://127.0.0.1:9000" + # securityContext: *sc + # resources: + # requests: + # cpu: "5m" + # memory: "32Mi" + # limits: + # cpu: "1" + # memory: "128Mi" + # ports: + # - name: anubis + # containerPort: &anubis 8923 + # probes: + # liveness: + # enabled: true + # readiness: + # enabled: true service: authentik: controller: authentik diff --git a/kube/deploy/apps/authentik/app/ingress.yaml b/kube/deploy/apps/authentik/app/ingress.yaml new file mode 100644 index 00000000..aa98ad75 --- /dev/null +++ b/kube/deploy/apps/authentik/app/ingress.yaml @@ -0,0 +1,55 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: authentik-proxy-outpost-internal + namespace: authentik +spec: + ingressClassName: nginx-internal + rules: + - http: &paths + paths: + - path: /outpost.goauthentik.io + pathType: Prefix + backend: + service: + name: authentik + port: + number: 9000 + host: "${APP_DNS_NAVIDROME}" +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: authentik-proxy-outpost-external + namespace: authentik +spec: + ingressClassName: nginx-external + rules: + - http: + paths: + - path: /outpost.goauthentik.io + pathType: Prefix + backend: + service: + name: authentik + port: + number: 9000 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: authentik-proxy-outpost-public + namespace: authentik +spec: + ingressClassName: nginx-public + rules: + - http: + paths: + - path: /outpost.goauthentik.io + pathType: Prefix + backend: + service: + name: authentik + port: + number: 9000 diff --git a/kube/deploy/apps/authentik/app/mutatingadmissionpolicy-ingress-forward-auth.yaml b/kube/deploy/apps/authentik/app/mutatingadmissionpolicy-ingress-forward-auth.yaml new file mode 100644 index 00000000..adc879f9 --- /dev/null +++ b/kube/deploy/apps/authentik/app/mutatingadmissionpolicy-ingress-forward-auth.yaml 
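Review bot: The commented-out `renovate-test` block was where the `&img`, `&env`, `&sc` and `&anubis` anchors were defined, so if any `*img`, `*env`, `*sc` or `*anubis` alias survives elsewhere in hr.yaml (the enclosing `spec:` continues outside the hunk in both directions) the document now fails to parse with an undefined-alias error; grep the file for those aliases before merging. Since the block was already `enabled: false` with `replicas: 0`, commenting it out changes nothing at runtime, and a 50-line comment copy of the main controller will drift out of sync with the live one, so deleting it and relying on git history is the cleaner option. If it is intentionally kept as a template, a one-line comment above it such as `# renovate-test: disabled scratch copy of the main controller, kept as a template` says why it is there.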
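Review bot: The `&paths` anchor on the first rule of `authentik-proxy-outpost-internal` is never aliased, and it could not be reused by the two following Ingresses anyway because `---` resets anchors, so the `paths:` block is duplicated three times regardless; either drop `&paths` or fold the three documents into one. The `nginx-external` and `nginx-public` Ingresses also omit `host`, so `/outpost.goauthentik.io` is routed to authentik port 9000 for every hostname those classes serve, while the internal one is pinned to `"${APP_DNS_NAVIDROME}"`; that asymmetry is not explained. If the catch-all is intended (the outpost callback has to resolve under each protected app's host), state it with a comment such as `# no host: the outpost path must be reachable on every host that uses forward-auth`, otherwise list the hosts explicitly so the path is not exposed on unrelated sites.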
@@ -0,0 +1,54 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicyBinding
+metadata:
+ name: &n ingress-forward-auth-authentik
+spec:
+ policyName: *n
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicy-admissionregistration-v1alpha1.json
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicy
+metadata:
+ name: ingress-forward-auth-authentik
+spec:
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["networking.k8s.io"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["ingress"]
+ matchConditions:
+ - name: has-authentik-forward-auth-labels
+ # has(object.metadata.labels["authentik.home.arpa/forward-auth"]
+ expression: >
+ 'authentik.home.arpa/forward-auth' in object.metadata.labels
+ - name: repository-volume-does-not-exist
+ expression: >
+ !object.metadata.annotations.exists(item, item.name == "repository")
+ failurePolicy: Fail
+ reinvocationPolicy: IfNeeded
+ mutations:
+ - patchType: JSONPatch
+ jsonPatch:
+ expression: >
+ [
+ JSONPatch{
+ op: "add", path: "/spec/template/spec/containers/0/volumeMounts/-",
+ value: Object.spec.template.spec.containers.volumeMounts{
+ name: "repository",
+ mountPath: "/repository"
+ }
+ },
+ JSONPatch{
+ op: "add", path: "/spec/template/spec/volumes/-",
+ value: Object.spec.template.spec.volumes{
+ name: "repository",
+ nfs: Object.spec.template.spec.volumes.nfs{
+ server: "expanse.internal",
+ path: "/mnt/eros/Volsync"
+ }
+ }
+ }
+ ]
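Review bot: The `mutations` block still carries the upstream docs example that adds an NFS `repository` volume to a Pod template (`/spec/template/spec/containers/0/volumeMounts/-`, `expanse.internal`, `/mnt/eros/Volsync`); an Ingress has no such paths, so with `failurePolicy: Fail` every labelled Ingress would be rejected when the patch is applied instead of receiving any forward-auth configuration, and the body needs to be replaced by the annotation patch this policy is named for (presumably the ingress-nginx `nginx.ingress.kubernetes.io/auth-url` / `auth-signin` pair pointing at the outpost path). `resources: ["ingress"]` also needs the plural `resources: ["ingresses"]`, otherwise the rule matches nothing and the policy is silently inert. The match conditions dereference `object.metadata.labels` and `object.metadata.annotations` unguarded, and `annotations.exists(item, item.name == "repository")` iterates map keys that are strings, so an Ingress without labels or annotations fails evaluation (again a reject under `Fail`); the first condition should read `expression: has(object.metadata.labels) && 'authentik.home.arpa/forward-auth' in object.metadata.labels` and the second should go along with the volume mutation. `admissionregistration.k8s.io/v1alpha1` MutatingAdmissionPolicy additionally requires the alpha feature gate and API group to be enabled on the API server (the schema comment pins v1.32.0), which is worth recording in a comment at the top of the file.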