feat: Authentik, forward auth proxy

roles/k3s/master/defaults/main.yml

@@ -5,7 +5,7 @@ server_init_args: >-
     {% if ansible_hostname == hostvars[groups['master'][0]]['ansible_hostname'] %}
       --cluster-init
     {% else %}
-      --server https://{{ hostvars[groups['master'][0]].k3s_node_ip }}:6443
+      --server https://{{ hostvars[groups['master'][0]].ansible_host }}:6443
     {% endif %}
     --token {{ k3s_token }}
   {% endif %}

roles/nginx/tasks/main.yml

@@ -11,6 +11,13 @@
     state: present
     definition: "{{ lookup('template', 'service.yml') | from_yaml }}"
 
+- name: Deploy forwardauth middleware
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    namespace: traefik
+    definition: "{{ lookup('template', 'middleware-forwardauth.yml') | from_yaml }}"
+
 - name: Deploy nginx - ingress
   kubernetes.core.k8s:
     kubeconfig: /Users/lino.silva/.kube/config

roles/nginx/templates/ingress.yml

@@ -22,5 +22,16 @@ spec:
           port: 80
       middlewares:
         - name: default-headers
+        - name: nginx-middleware-forwardauth
+          namespace: traefik
+    - match: "Host(`nginx.lino.cooking`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      kind: Rule
+      priority: 15
+      services:
+        - kind: Service
+          # Or, to use an external Outpost, create an ExternalName service and reference that here.
+          # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
+          name: authentik
+          port: 9000
   tls:
     secretName: lino-cooking-tls

roles/nginx/templates/middleware-forwardauth.yml

@@ -0,0 +1,20 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: nginx-middleware-forwardauth
+spec:
+  forwardAuth:
+    address: https://nginx.lino.cooking/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version

roles/prereq/tasks/main.yml

@@ -7,36 +7,6 @@
   ansible.builtin.apt:
     upgrade: full
 
-- name: Install QMEU Guest Agent
-  ansible.builtin.apt:
-    name: qemu-guest-agent
-    update_cache: yes
-    state: present
-
-- name: Install NFS-Common
-  ansible.builtin.apt:
-    name: nfs-common
-    update_cache: yes
-    state: present
-
-- name: Install open-iscsi
-  ansible.builtin.apt:
-    name: open-iscsi
-    update_cache: yes
-    state: present
-
-- name: Install util-linux
-  ansible.builtin.apt:
-    name: util-linux
-    update_cache: yes
-    state: present
-
-- name: Install network-manager
-  ansible.builtin.apt:
-    name: network-manager
-    update_cache: yes
-    state: present
-
 - name: Set same timezone on every Server
   community.general.system.timezone:
     name: "{{ system_timezone }}"
@@ -118,16 +88,3 @@
     owner: root
     group: root
     mode: a+x
-
-- name: Configure networking without cloud-init because it sucks
-  nmcli:
-    conn_name: "eth0"
-    ifname: eth0
-    type: ethernet
-    state: present
-    autoconnect: yes
-    ip4: "{{ ansible_host }}"
-    gw4: 10.0.0.1
-
-- name: Reboot
-  ansible.builtin.reboot:

roles/traefik/tasks/main.yml

@@ -34,11 +34,12 @@
     state: present
     definition: "{{ lookup('template', 'secret-dashboard.yml') | from_yaml }}"
 
-- name: Deploy dashboard middleware for auth
+- name: Deploy forwardauth middleware
   kubernetes.core.k8s:
     kubeconfig: /Users/lino.silva/.kube/config
     state: present
-    definition: "{{ lookup('template', 'dashboard-middleware.yml') | from_yaml }}"
+    namespace: traefik
+    definition: "{{ lookup('template', 'middleware-forwardauth.yml') | from_yaml }}"
 
 - name: Create dashboard ingress
   kubernetes.core.k8s:

roles/traefik/templates/dashboard-ingress.yml

@@ -12,10 +12,19 @@ spec:
     - match: Host(`traefik-dash.lino.cooking`)
       kind: Rule
       middlewares:
-        - name: traefik-dashboard-basicauth
+        - name: traefik-dash-middleware-forwardauth
           namespace: traefik
       services:
         - name: api@internal
           kind: TraefikService
+    - match: "Host(`traefik-dash.lino.cooking`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      kind: Rule
+      priority: 15
+      services:
+        - kind: Service
+          # Or, to use an external Outpost, create an ExternalName service and reference that here.
+          # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
+          name: authentik
+          port: 9000
 #  tls:
 #    secretName: lino-cooking-staging-tls

roles/traefik/templates/dashboard-middleware.yml

@@ -1,8 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
-  name: traefik-dashboard-basicauth
-  namespace: traefik
-spec:
-  basicAuth:
-    secret: traefik-dashboard-auth

roles/traefik/templates/middleware-forwardauth.yml

@@ -0,0 +1,20 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: traefik-dash-middleware-forwardauth
+spec:
+  forwardAuth:
+    address: https://traefik-dash.lino.cooking/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version

roles/traefik/templates/values.yml

@@ -30,6 +30,7 @@ providers:
     enabled: true
     ingressClass: traefik-external
     allowExternalNameServices: true
+    allowCrossNamespace: true
   kubernetesIngress:
     enabled: true
     publishedService: