feat: Authentik, forward auth proxy

roles/nginx/tasks/main.yml

@@ -11,6 +11,13 @@
     state: present
     definition: "{{ lookup('template', 'service.yml') | from_yaml }}"
 
+- name: Deploy forwardauth middleware
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    namespace: traefik
+    definition: "{{ lookup('template', 'middleware-forwardauth.yml') | from_yaml }}"
+
 - name: Deploy nginx - ingress
   kubernetes.core.k8s:
     kubeconfig: /Users/lino.silva/.kube/config

roles/nginx/templates/ingress.yml

@@ -22,5 +22,16 @@ spec:
           port: 80
       middlewares:
         - name: default-headers
+        - name: nginx-middleware-forwardauth
+          namespace: traefik
+    - match: "Host(`nginx.lino.cooking`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      kind: Rule
+      priority: 15
+      services:
+        - kind: Service
+          # Or, to use an external Outpost, create an ExternalName service and reference that here.
+          # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
+          name: authentik
+          port: 9000
   tls:
     secretName: lino-cooking-tls

roles/nginx/templates/middleware-forwardauth.yml

@@ -0,0 +1,20 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: nginx-middleware-forwardauth
+spec:
+  forwardAuth:
+    address: https://nginx.lino.cooking/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version