feat: Authentik, forward auth proxy

2023-02-09 23:03:36 +00:00
parent acd49ed5d8
commit 5fab069837
25 changed files with 107 additions and 163 deletions
@@ -7,9 +7,6 @@ systemd_dir: /etc/systemd/system
 # Set your timezone
 system_timezone: "Europe/Lisbon"

-# interface which will be used for flannel
-flannel_iface: "eth0"
-
 # apiserver_endpoint is virtual ip-address which will be configured on each master
 apiserver_endpoint: "10.0.3.1"

@@ -3,12 +3,5 @@ ansible_user: root
 ansible_host: 10.0.2.6
 ansible_ssh_pass: "{{ proxmox_api_password }}"
 ip_addr: 10.0.2.6
-k3s_mac_addr: DE:05:FF:02:47:D8
-k3s_hostname: k3s-agent-daruk
-k3s_lxc_host: 10.0.3.6
-k3s_vm_host: 10.0.3.106
-k3s_cores: 8
-k3s_memory: 4096
-k3s_disk: 150
-k3s_vmid: 606
-k3s_template_id: 900
+# interface which will be used for flannel
+flannel_iface: "vmbr0"
@@ -1,14 +1,10 @@
 ---
+
 ansible_user: root
 ansible_host: 10.0.2.2
 ansible_ssh_pass: "{{ proxmox_api_password }}"
 ip_addr: 10.0.2.2
-k3s_mac_addr: de:05:ff:02:47:d7
-k3s_hostname: k3s-master-epona
-k3s_lxc_host: 10.0.3.2
-k3s_vm_host: 10.0.3.102
-k3s_cores: 4
-k3s_memory: 8192
-k3s_disk: 75
-k3s_vmid: 601
-k3s_template_id: 901
+
+# interface which will be used for flannel
+
+flannel_iface: "vmbr0"
@@ -3,3 +3,7 @@
 ansible_user: root
 ansible_host: 10.0.3.111
 ansible_ssh_pass: "{{ proxmox_api_password }}"
+
+# interface which will be used for flannel
+
+flannel_iface: "eth0"
@@ -1,5 +0,0 @@
---
-
-ansible_user: root
-ansible_host: 10.0.3.106
-ansible_ssh_pass: "{{ proxmox_api_password }}"
@@ -1,5 +0,0 @@
---
-
-ansible_user: root
-ansible_host: 10.0.3.104
-ansible_ssh_pass: "{{ proxmox_api_password }}"
@@ -1,5 +0,0 @@
---
-
-ansible_user: root
-ansible_host: 10.0.3.102
-ansible_ssh_pass: "{{ proxmox_api_password }}"
@@ -1,5 +0,0 @@
---
-
-ansible_user: root
-ansible_host: 10.0.3.103
-ansible_ssh_pass: "{{ proxmox_api_password }}"
@@ -1,5 +0,0 @@
---
-
-ansible_user: root
-ansible_host: 10.0.3.107
-ansible_ssh_pass: "{{ proxmox_api_password }}"
@@ -3,12 +3,5 @@ ansible_user: root
 ansible_host: 10.0.2.3
 ansible_ssh_pass: "{{ proxmox_api_password }}"
 ip_addr: 10.0.2.3
-k3s_mac_addr: 0e:a0:ff:8c:70:df
-k3s_hostname: k3s-master-mipha
-k3s_lxc_host: 10.0.3.3
-k3s_vm_host: 10.0.3.103
-k3s_cores: 4
-k3s_memory: 6144
-k3s_disk: 75
-k3s_vmid: 602
-k3s_template_id: 902
+# interface which will be used for flannel
+flannel_iface: "vmbr0"
@@ -3,12 +3,5 @@ ansible_user: root
 ansible_host: 10.0.2.4
 ansible_ssh_pass: "{{ proxmox_api_password }}"
 ip_addr: 10.0.2.4
-k3s_mac_addr: 32:47:89:3f:1a:e2
-k3s_hostname: k3s-agent-revali
-k3s_lxc_host: 10.0.3.4
-k3s_vm_host: 10.0.3.104
-k3s_cores: 2
-k3s_memory: 4096
-k3s_disk: 200
-k3s_vmid: 603
-k3s_template_id: 903
+# interface which will be used for flannel
+flannel_iface: "vmbr0"
@@ -3,3 +3,7 @@
 ansible_user: root
 ansible_host: 10.0.3.110
 ansible_ssh_pass: "{{ proxmox_api_password }}"
+
+# interface which will be used for flannel
+
+flannel_iface: "eth0"
@@ -3,12 +3,5 @@ ansible_user: root
 ansible_host: 10.0.2.7
 ansible_ssh_pass: "{{ proxmox_api_password }}"
 ip_addr: 10.0.2.7
-k3s_mac_addr: 65:AC:EE:EB:AC:C3
-k3s_hostname: k3s-master-yuga
-k3s_lxc_host: 10.0.3.7
-k3s_vm_host: 10.0.3.107
-k3s_cores: 4
-k3s_memory: 12288
-k3s_disk: 120
-k3s_vmid: 607
-k3s_template_id: 907
+# interface which will be used for flannel
+flannel_iface: "vmbr0"
@@ -1,11 +1,11 @@
 [master]
-k3s-master-mipha
-k3s-master-epona
-k3s-master-yuga
+mipha
+epona
+yuga

 [node]
-k3s-agent-revali
-k3s-agent-daruk
+revali
+daruk
 tingle
 impa

@@ -19,13 +19,6 @@ frigate
 [lxc:children]
 k3s_cluster

-[k3s_hosts]
-mipha
-epona
-revali
-daruk
-yuga
-
 [baremetal]
 mipha
 epona
@@ -36,4 +29,8 @@ yuga
 [pihole]
 epona-pihole
 revali-pihole
-urbosa-pihole
+urbosa-pihole
+
+[raspi]
+tingle
+impa
@@ -1,31 +1,11 @@
 ---
-# - hosts: localhost
-#   gather_facts: no
-#   become: yes
-#   roles:
-#     - role: k3s/provision/delete
- hosts: localhost
-  gather_facts: no
-  become: yes
-  roles:
-    - role: k3s/provision/create
- hosts: k3s_hosts
-  gather_facts: yes
-  become: yes
-  roles:
-    - role: k3s/provision/pre
-    - role: k3s/provision/cloud-init
- hosts: localhost
-  gather_facts: no
-  become: yes
-  roles:
-    - role: k3s/provision/start
 - hosts: k3s_cluster
  gather_facts: yes
  become: yes
  roles:
    - role: prereq
    - role: download
+
 - hosts: master
  become: yes
  roles:
@@ -45,11 +25,12 @@
  become: yes
  roles:
    - role: k3s/copy-config
+
 - hosts: localhost
  become: yes
  roles:
    - role: traefik
-    - role: nginx
    - role: cert-manager
    - role: authentik
+    - role: nginx
    # - role: redis
@@ -5,7 +5,7 @@ server_init_args: >-
    {% if ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname'] %}
      --cluster-init
    {% else %}
-      --server https://{{ hostvars[groups['master'][0]].k3s_node_ip }}:6443
+      --server https://{{ hostvars[groups['master'][0]].ansible_host }}:6443
    {% endif %}
    --token {{ k3s_token }}
  {% endif %}
@@ -11,6 +11,13 @@
    state: present
    definition: "{{ lookup('template', 'service.yml') | from_yaml }}"

+- name: Deploy forwardauth middleware
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    namespace: traefik
+    definition: "{{ lookup('template', 'middleware-forwardauth.yml') | from_yaml }}"
+
 - name: Deploy nginx - ingress
  kubernetes.core.k8s:
    kubeconfig: /Users/lino.silva/.kube/config
@@ -22,5 +22,16 @@ spec:
          port: 80
      middlewares:
        - name: default-headers
+        - name: nginx-middleware-forwardauth
+          namespace: traefik
+    - match: "Host(`nginx.lino.cooking`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      kind: Rule
+      priority: 15
+      services:
+        - kind: Service
+          # Or, to use an external Outpost, create an ExternalName service and reference that here.
+          # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
+          name: authentik
+          port: 9000
  tls:
    secretName: lino-cooking-tls
@@ -0,0 +1,20 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: nginx-middleware-forwardauth
+spec:
+  forwardAuth:
+    address: https://nginx.lino.cooking/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
@@ -7,36 +7,6 @@
  ansible.builtin.apt:
    upgrade: full

- name: Install QMEU Guest Agent
-  ansible.builtin.apt:
-    name: qemu-guest-agent
-    update_cache: yes
-    state: present
-
- name: Install NFS-Common
-  ansible.builtin.apt:
-    name: nfs-common
-    update_cache: yes
-    state: present
-
- name: Install open-iscsi
-  ansible.builtin.apt:
-    name: open-iscsi
-    update_cache: yes
-    state: present
-
- name: Install util-linux
-  ansible.builtin.apt:
-    name: util-linux
-    update_cache: yes
-    state: present
-
- name: Install network-manager
-  ansible.builtin.apt:
-    name: network-manager
-    update_cache: yes
-    state: present
-
 - name: Set same timezone on every Server
  community.general.system.timezone:
    name: "{{ system_timezone }}"
@@ -118,16 +88,3 @@
    owner: root
    group: root
    mode: a+x
-
- name: Configure networking without cloud-init because it sucks
-  nmcli:
-    conn_name: "eth0"
-    ifname: eth0
-    type: ethernet
-    state: present
-    autoconnect: yes
-    ip4: "{{ ansible_host }}"
-    gw4: 10.0.0.1
-
- name: Reboot
-  ansible.builtin.reboot:
@@ -34,11 +34,12 @@
    state: present
    definition: "{{ lookup('template', 'secret-dashboard.yml') | from_yaml }}"

- name: Deploy dashboard middleware for auth
+- name: Deploy forwardauth middleware
  kubernetes.core.k8s:
    kubeconfig: /Users/lino.silva/.kube/config
    state: present
-    definition: "{{ lookup('template', 'dashboard-middleware.yml') | from_yaml }}"
+    namespace: traefik
+    definition: "{{ lookup('template', 'middleware-forwardauth.yml') | from_yaml }}"

 - name: Create dashboard ingress
  kubernetes.core.k8s:
@@ -12,10 +12,19 @@ spec:
    - match: Host(`traefik-dash.lino.cooking`)
      kind: Rule
      middlewares:
-        - name: traefik-dashboard-basicauth
+        - name: traefik-dash-middleware-forwardauth
          namespace: traefik
      services:
        - name: api@internal
          kind: TraefikService
+    - match: "Host(`traefik-dash.lino.cooking`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      kind: Rule
+      priority: 15
+      services:
+        - kind: Service
+          # Or, to use an external Outpost, create an ExternalName service and reference that here.
+          # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
+          name: authentik
+          port: 9000
 #  tls:
 #    secretName: lino-cooking-staging-tls
@@ -1,8 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: traefik-dashboard-basicauth
-  namespace: traefik
-spec:
-  basicAuth:
-    secret: traefik-dashboard-auth
@@ -0,0 +1,20 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-dash-middleware-forwardauth
+spec:
+  forwardAuth:
+    address: https://traefik-dash.lino.cooking/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
@@ -30,6 +30,7 @@ providers:
    enabled: true
    ingressClass: traefik-external
    allowExternalNameServices: true
+    allowCrossNamespace: true
  kubernetesIngress:
    enabled: true
    publishedService: