From 5fab069837fbb2477958ad21c2240d37362ce715 Mon Sep 17 00:00:00 2001 From: Lino Silva Date: Thu, 9 Feb 2023 23:03:36 +0000 Subject: [PATCH] feat: Authentik, forward auth proxy --- inventory/my-cluster/group_vars/all.yml | 3 -- inventory/my-cluster/host_vars/daruk | 11 +---- inventory/my-cluster/host_vars/epona | 14 +++--- inventory/my-cluster/host_vars/impa | 4 ++ .../my-cluster/host_vars/k3s-agent-daruk | 5 --- .../my-cluster/host_vars/k3s-agent-revali | 5 --- .../my-cluster/host_vars/k3s-master-epona | 5 --- .../my-cluster/host_vars/k3s-master-mipha | 5 --- .../my-cluster/host_vars/k3s-master-yuga | 5 --- inventory/my-cluster/host_vars/mipha | 11 +---- inventory/my-cluster/host_vars/revali | 11 +---- inventory/my-cluster/host_vars/tingle | 4 ++ inventory/my-cluster/host_vars/yuga | 11 +---- inventory/my-cluster/hosts.ini | 23 +++++----- playbook-k3s.yml | 25 ++--------- roles/k3s/master/defaults/main.yml | 2 +- roles/nginx/tasks/main.yml | 7 +++ roles/nginx/templates/ingress.yml | 11 +++++ .../templates/middleware-forwardauth.yml | 20 +++++++++ roles/prereq/tasks/main.yml | 43 ------------------- roles/traefik/tasks/main.yml | 5 ++- roles/traefik/templates/dashboard-ingress.yml | 11 ++++- .../templates/dashboard-middleware.yml | 8 ---- .../templates/middleware-forwardauth.yml | 20 +++++++++ roles/traefik/templates/values.yml | 1 + 25 files changed, 107 insertions(+), 163 deletions(-) delete mode 100644 inventory/my-cluster/host_vars/k3s-agent-daruk delete mode 100644 inventory/my-cluster/host_vars/k3s-agent-revali delete mode 100644 inventory/my-cluster/host_vars/k3s-master-epona delete mode 100644 inventory/my-cluster/host_vars/k3s-master-mipha delete mode 100644 inventory/my-cluster/host_vars/k3s-master-yuga create mode 100644 roles/nginx/templates/middleware-forwardauth.yml delete mode 100644 roles/traefik/templates/dashboard-middleware.yml create mode 100644 roles/traefik/templates/middleware-forwardauth.yml 
diff --git a/inventory/my-cluster/group_vars/all.yml b/inventory/my-cluster/group_vars/all.yml index 69df8a0..b14bba8 100644 --- a/inventory/my-cluster/group_vars/all.yml +++ b/inventory/my-cluster/group_vars/all.yml @@ -7,9 +7,6 @@ systemd_dir: /etc/systemd/system # Set your timezone system_timezone: "Europe/Lisbon" -# interface which will be used for flannel -flannel_iface: "eth0" - # apiserver_endpoint is virtual ip-address which will be configured on each master apiserver_endpoint: "10.0.3.1" diff --git a/inventory/my-cluster/host_vars/daruk b/inventory/my-cluster/host_vars/daruk index 9b4599d..8c9baae 100644 --- a/inventory/my-cluster/host_vars/daruk +++ b/inventory/my-cluster/host_vars/daruk @@ -3,12 +3,5 @@ ansible_user: root ansible_host: 10.0.2.6 ansible_ssh_pass: "{{ proxmox_api_password }}" ip_addr: 10.0.2.6 -k3s_mac_addr: DE:05:FF:02:47:D8 -k3s_hostname: k3s-agent-daruk -k3s_lxc_host: 10.0.3.6 -k3s_vm_host: 10.0.3.106 -k3s_cores: 8 -k3s_memory: 4096 -k3s_disk: 150 -k3s_vmid: 606 -k3s_template_id: 900 +# interface which will be used for flannel +flannel_iface: "vmbr0" diff --git a/inventory/my-cluster/host_vars/epona b/inventory/my-cluster/host_vars/epona index c5c4619..3dab0bc 100644 --- a/inventory/my-cluster/host_vars/epona +++ b/inventory/my-cluster/host_vars/epona @@ -1,14 +1,10 @@ --- + ansible_user: root ansible_host: 10.0.2.2 ansible_ssh_pass: "{{ proxmox_api_password }}" ip_addr: 10.0.2.2 -k3s_mac_addr: de:05:ff:02:47:d7 -k3s_hostname: k3s-master-epona -k3s_lxc_host: 10.0.3.2 -k3s_vm_host: 10.0.3.102 -k3s_cores: 4 -k3s_memory: 8192 -k3s_disk: 75 -k3s_vmid: 601 -k3s_template_id: 901 + +# interface which will be used for flannel + +flannel_iface: "vmbr0" diff --git a/inventory/my-cluster/host_vars/impa b/inventory/my-cluster/host_vars/impa index 409fe79..acf095c 100644 --- a/inventory/my-cluster/host_vars/impa +++ b/inventory/my-cluster/host_vars/impa 
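Review bot: Removing `flannel_iface: "eth0"` from group_vars/all.yml leaves no group-level default, so any host later added to [master] or [node] without its own host_vars entry fails with an undefined-variable error at the first template that uses `flannel_iface`. Every current k3s_cluster member — mipha, epona, yuga, revali, daruk, tingle, impa — receives a per-host value in this commit, so nothing breaks today. Keeping `flannel_iface: "eth0"` here as the default and overriding with `"vmbr0"` only in the host_vars of the hosts that use the bridge gives the same result with a safe fallback.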
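Review bot: In the epona hunk the new `# interface which will be used for flannel` comment is separated from its key by blank lines on both sides, while daruk (and mipha, revali, yuga later in the patch) put the comment directly above `flannel_iface: "vmbr0"`; the impa and tingle hunks repeat the epona form. Keeping the comment adjacent to the key it describes makes all seven host_vars files read the same way: `# interface which will be used for flannel` immediately followed by `flannel_iface: "vmbr0"` (or `"eth0"` on the raspi hosts).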
@@ -3,3 +3,7 @@ ansible_user: root ansible_host: 10.0.3.111 ansible_ssh_pass: "{{ proxmox_api_password }}" + +# interface which will be used for flannel + +flannel_iface: "eth0" diff --git a/inventory/my-cluster/host_vars/k3s-agent-daruk b/inventory/my-cluster/host_vars/k3s-agent-daruk deleted file mode 100644 index b245b05..0000000 --- a/inventory/my-cluster/host_vars/k3s-agent-daruk +++ /dev/null @@ -1,5 +0,0 @@ ---- - -ansible_user: root -ansible_host: 10.0.3.106 -ansible_ssh_pass: "{{ proxmox_api_password }}" diff --git a/inventory/my-cluster/host_vars/k3s-agent-revali b/inventory/my-cluster/host_vars/k3s-agent-revali deleted file mode 100644 index a10e05d..0000000 --- a/inventory/my-cluster/host_vars/k3s-agent-revali +++ /dev/null @@ -1,5 +0,0 @@ ---- - -ansible_user: root -ansible_host: 10.0.3.104 -ansible_ssh_pass: "{{ proxmox_api_password }}" diff --git a/inventory/my-cluster/host_vars/k3s-master-epona b/inventory/my-cluster/host_vars/k3s-master-epona deleted file mode 100644 index 0a7c69c..0000000 --- a/inventory/my-cluster/host_vars/k3s-master-epona +++ /dev/null @@ -1,5 +0,0 @@ ---- - -ansible_user: root -ansible_host: 10.0.3.102 -ansible_ssh_pass: "{{ proxmox_api_password }}" diff --git a/inventory/my-cluster/host_vars/k3s-master-mipha b/inventory/my-cluster/host_vars/k3s-master-mipha deleted file mode 100644 index fd1efd8..0000000 --- a/inventory/my-cluster/host_vars/k3s-master-mipha +++ /dev/null @@ -1,5 +0,0 @@ ---- - -ansible_user: root -ansible_host: 10.0.3.103 -ansible_ssh_pass: "{{ proxmox_api_password }}" diff --git a/inventory/my-cluster/host_vars/k3s-master-yuga b/inventory/my-cluster/host_vars/k3s-master-yuga deleted file mode 100644 index b43b527..0000000 --- a/inventory/my-cluster/host_vars/k3s-master-yuga +++ /dev/null @@ -1,5 +0,0 @@ ---- - -ansible_user: root -ansible_host: 10.0.3.107 -ansible_ssh_pass: "{{ proxmox_api_password }}" 
diff --git a/inventory/my-cluster/host_vars/mipha b/inventory/my-cluster/host_vars/mipha index 79072c7..5a017a7 100644 --- a/inventory/my-cluster/host_vars/mipha +++ b/inventory/my-cluster/host_vars/mipha @@ -3,12 +3,5 @@ ansible_user: root ansible_host: 10.0.2.3 ansible_ssh_pass: "{{ proxmox_api_password }}" ip_addr: 10.0.2.3 -k3s_mac_addr: 0e:a0:ff:8c:70:df -k3s_hostname: k3s-master-mipha -k3s_lxc_host: 10.0.3.3 -k3s_vm_host: 10.0.3.103 -k3s_cores: 4 -k3s_memory: 6144 -k3s_disk: 75 -k3s_vmid: 602 -k3s_template_id: 902 +# interface which will be used for flannel +flannel_iface: "vmbr0" diff --git a/inventory/my-cluster/host_vars/revali b/inventory/my-cluster/host_vars/revali index 472d664..1d6ee47 100644 --- a/inventory/my-cluster/host_vars/revali +++ b/inventory/my-cluster/host_vars/revali @@ -3,12 +3,5 @@ ansible_user: root ansible_host: 10.0.2.4 ansible_ssh_pass: "{{ proxmox_api_password }}" ip_addr: 10.0.2.4 -k3s_mac_addr: 32:47:89:3f:1a:e2 -k3s_hostname: k3s-agent-revali -k3s_lxc_host: 10.0.3.4 -k3s_vm_host: 10.0.3.104 -k3s_cores: 2 -k3s_memory: 4096 -k3s_disk: 200 -k3s_vmid: 603 -k3s_template_id: 903 +# interface which will be used for flannel +flannel_iface: "vmbr0" diff --git a/inventory/my-cluster/host_vars/tingle b/inventory/my-cluster/host_vars/tingle index 5b539d9..f34d5b6 100644 --- a/inventory/my-cluster/host_vars/tingle +++ b/inventory/my-cluster/host_vars/tingle @@ -3,3 +3,7 @@ ansible_user: root ansible_host: 10.0.3.110 ansible_ssh_pass: "{{ proxmox_api_password }}" + +# interface which will be used for flannel + +flannel_iface: "eth0" diff --git a/inventory/my-cluster/host_vars/yuga b/inventory/my-cluster/host_vars/yuga index a1ade81..8300d10 100644 --- a/inventory/my-cluster/host_vars/yuga +++ b/inventory/my-cluster/host_vars/yuga 
@@ -3,12 +3,5 @@ ansible_user: root ansible_host: 10.0.2.7 ansible_ssh_pass: "{{ proxmox_api_password }}" ip_addr: 10.0.2.7 -k3s_mac_addr: 65:AC:EE:EB:AC:C3 -k3s_hostname: k3s-master-yuga -k3s_lxc_host: 10.0.3.7 -k3s_vm_host: 10.0.3.107 -k3s_cores: 4 -k3s_memory: 12288 -k3s_disk: 120 -k3s_vmid: 607 -k3s_template_id: 907 +# interface which will be used for flannel +flannel_iface: "vmbr0" diff --git a/inventory/my-cluster/hosts.ini b/inventory/my-cluster/hosts.ini index e49f8b9..14006a7 100644 --- a/inventory/my-cluster/hosts.ini +++ b/inventory/my-cluster/hosts.ini @@ -1,11 +1,11 @@ [master] -k3s-master-mipha -k3s-master-epona -k3s-master-yuga +mipha +epona +yuga [node] -k3s-agent-revali -k3s-agent-daruk +revali +daruk tingle impa @@ -19,13 +19,6 @@ frigate [lxc:children] k3s_cluster -[k3s_hosts] -mipha -epona -revali -daruk -yuga - [baremetal] mipha epona @@ -36,4 +29,8 @@ yuga [pihole] epona-pihole revali-pihole -urbosa-pihole \ No newline at end of file +urbosa-pihole + +[raspi] +tingle +impa diff --git a/playbook-k3s.yml b/playbook-k3s.yml index e058cdd..c77003d 100644 --- a/playbook-k3s.yml +++ b/playbook-k3s.yml @@ -1,31 +1,11 @@ --- -# - hosts: localhost -# gather_facts: no -# become: yes -# roles: -# - role: k3s/provision/delete -- hosts: localhost - gather_facts: no - become: yes - roles: - - role: k3s/provision/create -- hosts: k3s_hosts - gather_facts: yes - become: yes - roles: - - role: k3s/provision/pre - - role: k3s/provision/cloud-init -- hosts: localhost - gather_facts: no - become: yes - roles: - - role: k3s/provision/start - hosts: k3s_cluster gather_facts: yes become: yes roles: - role: prereq - role: download + - hosts: master become: yes roles: @@ -45,11 +25,12 @@ become: yes roles: - role: k3s/copy-config + - hosts: localhost become: yes roles: - role: traefik - - role: nginx - role: cert-manager - role: authentik + - role: nginx # - role: redis 
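Review bot: Moving `- role: nginx` below `- role: authentik` makes the role order in the localhost play load-bearing without saying so: the nginx role now deploys a forwardAuth Middleware into the traefik namespace and an IngressRoute whose outpost rule targets the `authentik` Service on port 9000, so running nginx first would presumably create a route to a Service that does not exist yet. A one-line comment on the moved entry, `# after authentik: ingress.yml routes /outpost.goauthentik.io/ to the authentik Service`, records the dependency for the next person who reorders the list. Whether the authentik role actually creates a Service named `authentik` is outside this patch, so that part is inferred from the nginx template.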
diff --git a/roles/k3s/master/defaults/main.yml b/roles/k3s/master/defaults/main.yml index dd03dd1..381b4e3 100644 --- a/roles/k3s/master/defaults/main.yml +++ b/roles/k3s/master/defaults/main.yml @@ -5,7 +5,7 @@ server_init_args: >- {% if ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname'] %} --cluster-init {% else %} - --server https://{{ hostvars[groups['master'][0]].k3s_node_ip }}:6443 + --server https://{{ hostvars[groups['master'][0]].ansible_host }}:6443 {% endif %} --token {{ k3s_token }} {% endif %} diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 11f954b..3962a9d 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -11,6 +11,13 @@ state: present definition: "{{ lookup('template', 'service.yml') | from_yaml }}" +- name: Deploy forwardauth middleware + kubernetes.core.k8s: + kubeconfig: /Users/lino.silva/.kube/config + state: present + namespace: traefik + definition: "{{ lookup('template', 'middleware-forwardauth.yml') | from_yaml }}" + - name: Deploy nginx - ingress kubernetes.core.k8s: kubeconfig: /Users/lino.silva/.kube/config diff --git a/roles/nginx/templates/ingress.yml b/roles/nginx/templates/ingress.yml index 322b47a..746e3ea 100644 --- a/roles/nginx/templates/ingress.yml +++ b/roles/nginx/templates/ingress.yml @@ -22,5 +22,16 @@ spec: port: 80 middlewares: - name: default-headers + - name: nginx-middleware-forwardauth + namespace: traefik + - match: "Host(`nginx.lino.cooking`) && PathPrefix(`/outpost.goauthentik.io/`)" + kind: Rule + priority: 15 + services: + - kind: Service + # Or, to use an external Outpost, create an ExternalName service and reference that here. + # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname + name: authentik + port: 9000 tls: secretName: lino-cooking-tls diff --git a/roles/nginx/templates/middleware-forwardauth.yml b/roles/nginx/templates/middleware-forwardauth.yml new file mode 100644 index 0000000..1398365 --- /dev/null 
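Review bot: The new outpost rule in roles/nginx/templates/ingress.yml references the `authentik` Service without a `namespace`, whereas the middleware reference just above it now carries `namespace: traefik`; Traefik resolves a Service reference without a namespace in the IngressRoute's own namespace, so unless this IngressRoute is deployed in the same namespace as authentik the route to port 9000 does not resolve and the forwardAuth flow cannot complete. The IngressRoute's metadata (and therefore its namespace) is outside the hunk, so this is inferred; if the namespaces differ, add `namespace: <authentik-namespace>` under `name: authentik`, which `allowCrossNamespace: true` in roles/traefik/templates/values.yml now permits. The same Service reference without a namespace is repeated in roles/traefik/templates/dashboard-ingress.yml.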
+++ b/roles/nginx/templates/middleware-forwardauth.yml @@ -0,0 +1,20 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: nginx-middleware-forwardauth +spec: + forwardAuth: + address: https://nginx.lino.cooking/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version diff --git a/roles/prereq/tasks/main.yml b/roles/prereq/tasks/main.yml index 37adece..8c0d712 100644 --- a/roles/prereq/tasks/main.yml +++ b/roles/prereq/tasks/main.yml @@ -7,36 +7,6 @@ ansible.builtin.apt: upgrade: full -- name: Install QMEU Guest Agent - ansible.builtin.apt: - name: qemu-guest-agent - update_cache: yes - state: present - -- name: Install NFS-Common - ansible.builtin.apt: - name: nfs-common - update_cache: yes - state: present - -- name: Install open-iscsi - ansible.builtin.apt: - name: open-iscsi - update_cache: yes - state: present - -- name: Install util-linux - ansible.builtin.apt: - name: util-linux - update_cache: yes - state: present - -- name: Install network-manager - ansible.builtin.apt: - name: network-manager - update_cache: yes - state: present - - name: Set same timezone on every Server community.general.system.timezone: name: "{{ system_timezone }}" @@ -118,16 +88,3 @@ owner: root group: root mode: a+x - -- name: Configure networking without cloud-init because it sucks - nmcli: - conn_name: "eth0" - ifname: eth0 - type: ethernet - state: present - autoconnect: yes - ip4: "{{ ansible_host }}" - gw4: 10.0.0.1 - -- name: Reboot - ansible.builtin.reboot: diff --git a/roles/traefik/tasks/main.yml b/roles/traefik/tasks/main.yml index 2b51c1c..20e8941 100644 --- a/roles/traefik/tasks/main.yml +++ b/roles/traefik/tasks/main.yml 
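Review bot: `trustForwardHeader: true` makes the middleware hand client-supplied X-Forwarded-* headers to the outpost, which authentik presumably uses to work out the original host and URI, so the setting is only as safe as the entryPoint's forwarded-headers handling: if `forwardedHeaders.insecure` or a broad `trustedIPs` list is ever configured on the Traefik entryPoints, a client could present its own X-Forwarded-Host/Uri to the auth check. A comment above the flag, `# relies on the entryPoint stripping untrusted X-Forwarded-* headers; do not set forwardedHeaders.insecure`, keeps that coupling visible. The `address` also goes out through the public hostname rather than an in-cluster Service, so every auth sub-request depends on external DNS and TLS for nginx.lino.cooking and on the outpost route in ingress.yml being reachable; if the embedded outpost is used, an in-cluster address such as `http://<authentik-service>.<namespace>:9000/outpost.goauthentik.io/auth/traefik` removes that dependency. Both points apply equally to roles/traefik/templates/middleware-forwardauth.yml, which is the same file with a different name and hostname.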
@@ -34,11 +34,12 @@ state: present definition: "{{ lookup('template', 'secret-dashboard.yml') | from_yaml }}" -- name: Deploy dashboard middleware for auth +- name: Deploy forwardauth middleware kubernetes.core.k8s: kubeconfig: /Users/lino.silva/.kube/config state: present - definition: "{{ lookup('template', 'dashboard-middleware.yml') | from_yaml }}" + namespace: traefik + definition: "{{ lookup('template', 'middleware-forwardauth.yml') | from_yaml }}" - name: Create dashboard ingress kubernetes.core.k8s: diff --git a/roles/traefik/templates/dashboard-ingress.yml b/roles/traefik/templates/dashboard-ingress.yml index 4fff70b..b7b455b 100644 --- a/roles/traefik/templates/dashboard-ingress.yml +++ b/roles/traefik/templates/dashboard-ingress.yml @@ -12,10 +12,19 @@ spec: - match: Host(`traefik-dash.lino.cooking`) kind: Rule middlewares: - - name: traefik-dashboard-basicauth + - name: traefik-dash-middleware-forwardauth namespace: traefik services: - name: api@internal kind: TraefikService + - match: "Host(`traefik-dash.lino.cooking`) && PathPrefix(`/outpost.goauthentik.io/`)" + kind: Rule + priority: 15 + services: + - kind: Service + # Or, to use an external Outpost, create an ExternalName service and reference that here. + # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname + name: authentik + port: 9000 # tls: # secretName: lino-cooking-staging-tls diff --git a/roles/traefik/templates/dashboard-middleware.yml b/roles/traefik/templates/dashboard-middleware.yml deleted file mode 100644 index 029499e..0000000 --- a/roles/traefik/templates/dashboard-middleware.yml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: Middleware -metadata: - name: traefik-dashboard-basicauth - namespace: traefik -spec: - basicAuth: - secret: traefik-dashboard-auth diff --git a/roles/traefik/templates/middleware-forwardauth.yml b/roles/traefik/templates/middleware-forwardauth.yml new file mode 100644 index 0000000..9bc6864 
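Review bot: The task visible as context at the top of the hunk still deploys `secret-dashboard.yml`, but the only consumer of that secret this patch shows — the basicAuth Middleware `traefik-dashboard-basicauth` referencing `traefik-dashboard-auth` — is deleted in the same commit (roles/traefik/templates/dashboard-middleware.yml), so the basic-auth credential stays in the cluster with nothing using it. If nothing else reads it, drop the secret task and its template, or set that task to `state: absent` for one run so the stale credential is removed rather than left behind. That the secret template holds the basic-auth hash is inferred from its name and the deleted middleware; the task's own definition is outside the hunk.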
--- /dev/null +++ b/roles/traefik/templates/middleware-forwardauth.yml @@ -0,0 +1,20 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: traefik-dash-middleware-forwardauth +spec: + forwardAuth: + address: https://traefik-dash.lino.cooking/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version diff --git a/roles/traefik/templates/values.yml b/roles/traefik/templates/values.yml index 5eb2b3e..1297dae 100644 --- a/roles/traefik/templates/values.yml +++ b/roles/traefik/templates/values.yml @@ -30,6 +30,7 @@ providers: enabled: true ingressClass: traefik-external allowExternalNameServices: true + allowCrossNamespace: true kubernetesIngress: enabled: true publishedService:
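Review bot: `allowCrossNamespace: true` is a cluster-wide relaxation of the Kubernetes CRD provider: any IngressRoute in any namespace can now reference Middlewares, TraefikServices and Services in other namespaces, not only the two forwardAuth Middlewares in `traefik` that this commit needs it for. Since the line carries no explanation, add `# needed: app IngressRoutes reference the forwardAuth Middlewares in the traefik namespace` above it so it is not mistaken for a default, and consider placing each forwardAuth Middleware in the namespace of the IngressRoute that uses it if the flag is ever to be turned off again. `allowExternalNameServices: true` on the line above is a relaxation of the same kind (routes may target ExternalName Services pointing outside the cluster), so anyone who can create an IngressRoute can now both borrow another namespace's middleware and route to arbitrary hosts; that is fine for a single-tenant cluster but worth stating in the same comment.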