From 98a56c77e365c331d7c7146c4789040639f36481 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Mon, 18 Oct 2021 10:00:24 +0200 Subject: [PATCH] providers/proxy: update ingress controller to work with k8s 1.22 Signed-off-by: Jens Langhammer --- Pipfile | 6 +- Pipfile.lock | 31 ++++---- .../proxy/controllers/k8s/ingress.py | 72 ++++++++++--------- 3 files changed, 59 insertions(+), 50 deletions(-) diff --git a/Pipfile b/Pipfile index eeb00d52e3..3e5951d7ca 100644 --- a/Pipfile +++ b/Pipfile @@ -26,9 +26,9 @@ drf-spectacular = "*" facebook-sdk = "*" geoip2 = "*" gunicorn = "*" -kubernetes = "*" +kubernetes = "==v19.15.0b1" ldap3 = "*" -lxml = ">=4.6.3" +lxml = "*" packaging = "*" psycopg2-binary = "*" pycryptodome = "*" @@ -52,7 +52,7 @@ codespell = "*" [dev-packages] bandit = "*" -black = "==21.5b1" +black = "==21.9b0" bump2version = "*" colorama = "*" coverage = {extras = ["toml"],version = "*"} diff --git a/Pipfile.lock b/Pipfile.lock index 752a747a5b..5d2d592f51 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "2928ad096a32a4ed1b96c4357a52bf111ca8b9000b86d9d1f2f1afb8318fab29" + "sha256": "ca7c64798cac0dfeb6aa088d6bf0261895398db26c4769274b77ef974ee06501" }, "pipfile-spec": 6, "requires": {}, @@ -650,11 +650,11 @@ }, "kubernetes": { "hashes": [ - "sha256:0c72d00e7883375bd39ae99758425f5e6cb86388417cf7cc84305c211b2192cf", - "sha256:ff31ec17437293e7d4e1459f1228c42d27c7724dfb56b4868aba7a901a5b72c9" + "sha256:82d7d58f3e3b59fee227740e01af8d14e5d853d37cef6e71b4ee51a4f1a5d0d8", + "sha256:b7fce8b8d8e92d8023929d83cdb5e6e381f99e905d4488533c05280e18a03ced" ], "index": "pypi", - "version": "==18.20.0" + "version": "==v19.15.0b1" }, "ldap3": { "hashes": [ 
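Review bot: In the first Pipfile hunk the `lxml` constraint is relaxed from `">=4.6.3"` to `"*"`, which removes the only record of a minimum acceptable release. The lock file still pins a version, but a re-lock or an install that bypasses the lock may then resolve an older lxml. Unless the floor is known to be obsolete, keep `lxml = ">=4.6.3"`. The same hunk pins the runtime dependency `kubernetes` to a pre-release, `"==v19.15.0b1"`; a comment such as `# beta pin for the networking.k8s.io/v1 Ingress models; move to the stable release once published` would record the intent and the follow-up.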
@@ -1527,13 +1527,6 @@ } }, "develop": { - "appdirs": { - "hashes": [ - "sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41", - "sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128" - ], - "version": "==1.4.4" - }, "astroid": { "hashes": [ "sha256:0e361da0744d5011d4f5d57e64473ba9b7ab4da1e2d45d6631ebd67dd28c3cce", @@ -1568,11 +1561,11 @@ }, "black": { "hashes": [ - "sha256:23695358dbcb3deafe7f0a3ad89feee5999a46be5fec21f4f1d108be0bcdb3b1", - "sha256:8a60071a0043876a4ae96e6c69bd3a127dad2c1ca7c8083573eb82f92705d008" + "sha256:380f1b5da05e5a1429225676655dddb96f5ae8c75bdf91e53d798871b902a115", + "sha256:7de4cfc7eb6b710de325712d40125689101d21d25283eed7e9998722cf10eb91" ], "index": "pypi", - "version": "==21.5b1" + "version": "==21.9b0" }, "bump2version": { "hashes": [ @@ -1778,7 +1771,7 @@ "sha256:9c2ea1e62d871267b78307fe511c0838ba0da28698c5732d54e2790bf3ba9899", "sha256:e17d6e2b81095c9db0a03a8025a957f334d6ea30b26f9ec70805411e5c7c81f2" ], - "markers": "python_version < '4.0' and python_full_version >= '3.6.1'", + "markers": "python_version < '4' and python_full_version >= '3.6.1'", "version": "==5.9.3" }, "lazy-object-proxy": { @@ -2125,6 +2118,14 @@ "markers": "python_version >= '3.5'", "version": "==0.9.2" }, + "typing-extensions": { + "hashes": [ + "sha256:49f75d16ff11f1cd258e1b988ccff82a3ca5570217d7ad8c5f48205dd99a677e", + "sha256:d8226d10bc02a29bcc81df19a26e56a9647f8b0a6d4a83924139f4a8b01f17b7", + "sha256:f1d25edafde516b146ecd0613dabcc61409817af4766fbbcfb8d1ad4ec441a34" + ], + "version": "==3.10.0.2" + }, "urllib3": { "extras": [ "secure" diff --git a/authentik/providers/proxy/controllers/k8s/ingress.py b/authentik/providers/proxy/controllers/k8s/ingress.py index 14eaa0d6e1..5ed9900135 100644 --- a/authentik/providers/proxy/controllers/k8s/ingress.py +++ b/authentik/providers/proxy/controllers/k8s/ingress.py 
@@ -3,15 +3,17 @@ from typing import TYPE_CHECKING from urllib.parse import urlparse from kubernetes.client import ( - NetworkingV1beta1Api, - NetworkingV1beta1HTTPIngressPath, - NetworkingV1beta1HTTPIngressRuleValue, - NetworkingV1beta1Ingress, - NetworkingV1beta1IngressBackend, - NetworkingV1beta1IngressSpec, - NetworkingV1beta1IngressTLS, + NetworkingV1Api, + V1HTTPIngressPath, + V1HTTPIngressRuleValue, + V1Ingress, + V1IngressSpec, + V1IngressTLS, + V1ServiceBackendPort, ) -from kubernetes.client.models.networking_v1beta1_ingress_rule import NetworkingV1beta1IngressRule +from kubernetes.client.models.v1_ingress_backend import V1IngressBackend +from kubernetes.client.models.v1_ingress_rule import V1IngressRule +from kubernetes.client.models.v1_ingress_service_backend import V1IngressServiceBackend from authentik.outposts.controllers.base import FIELD_MANAGER from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler @@ -22,14 +24,14 @@ if TYPE_CHECKING: from authentik.outposts.controllers.kubernetes import KubernetesController -class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]): +class IngressReconciler(KubernetesObjectReconciler[V1Ingress]): """Kubernetes Ingress Reconciler""" def __init__(self, controller: "KubernetesController") -> None: super().__init__(controller) - self.api = NetworkingV1beta1Api(controller.client) + self.api = NetworkingV1Api(controller.client) - def _check_annotations(self, reference: NetworkingV1beta1Ingress): + def _check_annotations(self, reference: V1Ingress): """Check that all annotations *we* set are correct""" for key, value in self.get_ingress_annotations().items(): if key not in reference.metadata.annotations: 
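Review bot: The three models added below the parenthesised import (`V1IngressBackend`, `V1IngressRule`, `V1IngressServiceBackend`) are imported from `kubernetes.client.models.*` submodules, while every other model in this hunk comes from `kubernetes.client`. The package re-exports these names as well, so they can join the existing import list and the file then depends on a single public import path. This is a style point only and does not change behaviour.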
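Review bot: `self.api = NetworkingV1Api(controller.client)` moves the reconciler to `networking.k8s.io/v1` unconditionally, and that Ingress API is only served by Kubernetes 1.19 and later, so outposts managed on older clusters would presumably fail on every ingress call after this change. If dropping those clusters is intended, state the new minimum in the class docstring, e.g. `"""Kubernetes Ingress Reconciler (networking.k8s.io/v1, requires Kubernetes >= 1.19)"""`, and in the release notes. The class body continues outside this hunk.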
@@ -37,7 +39,7 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]): if reference.metadata.annotations[key] != value: raise NeedsUpdate() - def reconcile(self, current: NetworkingV1beta1Ingress, reference: NetworkingV1beta1Ingress): + def reconcile(self, current: V1Ingress, reference: V1Ingress): super().reconcile(current, reference) self._check_annotations(reference) # Create a list of all expected host and tls hosts @@ -93,7 +95,7 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]): annotations.update(self.controller.outpost.config.kubernetes_ingress_annotations) return annotations - def get_reference_object(self) -> NetworkingV1beta1Ingress: + def get_reference_object(self) -> V1Ingress: """Get deployment object for outpost""" meta = self.get_object_meta( name=self.name, 
@@ -112,31 +114,37 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]): ProxyMode.FORWARD_SINGLE, ProxyMode.FORWARD_DOMAIN, ]: - rule = NetworkingV1beta1IngressRule( + rule = V1IngressRule( host=external_host_name.hostname, - http=NetworkingV1beta1HTTPIngressRuleValue( + http=V1HTTPIngressRuleValue( paths=[ - NetworkingV1beta1HTTPIngressPath( - backend=NetworkingV1beta1IngressBackend( - service_name=self.name, - service_port="http", + V1HTTPIngressPath( + backend=V1IngressBackend( + service=V1IngressServiceBackend( + name=self.name, + port=V1ServiceBackendPort(name="http"), + ), ), path="/akprox", + path_type="ImplementationSpecific", ) ] ), ) else: - rule = NetworkingV1beta1IngressRule( + rule = V1IngressRule( host=external_host_name.hostname, - http=NetworkingV1beta1HTTPIngressRuleValue( + http=V1HTTPIngressRuleValue( paths=[ - NetworkingV1beta1HTTPIngressPath( - backend=NetworkingV1beta1IngressBackend( - service_name=self.name, - service_port="http", + V1HTTPIngressPath( + backend=V1IngressBackend( + service=V1IngressServiceBackend( + name=self.name, + port=V1ServiceBackendPort(name="http"), + ), ), path="/", + path_type="ImplementationSpecific", ) ] ), @@ -144,16 +152,16 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]): rules.append(rule) tls_config = None if tls_hosts: - tls_config = NetworkingV1beta1IngressTLS( + tls_config = V1IngressTLS( hosts=tls_hosts, secret_name=self.controller.outpost.config.kubernetes_ingress_secret_name, ) - return NetworkingV1beta1Ingress( + return V1Ingress( metadata=meta, - spec=NetworkingV1beta1IngressSpec(rules=rules, tls=[tls_config]), + spec=V1IngressSpec(rules=rules, tls=[tls_config]), ) - def create(self, reference: NetworkingV1beta1Ingress): + def create(self, reference: V1Ingress): if len(reference.spec.rules) < 1: self.logger.debug("No hosts defined, not creating ingress.") return None 
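Review bot: `spec=V1IngressSpec(rules=rules, tls=[tls_config])` still passes `tls=[None]` when `tls_hosts` is empty, because `tls_config` is only assigned inside `if tls_hosts:`. A null list entry is likely to be rejected or mishandled by the API server, so prefer `tls=[tls_config] if tls_config else None`, after checking that `reconcile`, which is outside this hunk, tolerates a missing `tls`. Separately, both rules set `path_type="ImplementationSpecific"`, which leaves the matching of `/akprox` and `/` to whichever ingress controller is installed. Since these paths decide which requests reach the authenticating outpost, `path_type="Prefix"` would give the same matching on every controller. `get_reference_object` begins before this hunk.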
@@ -161,13 +169,13 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]): self.namespace, reference, field_manager=FIELD_MANAGER ) - def delete(self, reference: NetworkingV1beta1Ingress): + def delete(self, reference: V1Ingress): return self.api.delete_namespaced_ingress(reference.metadata.name, self.namespace) - def retrieve(self) -> NetworkingV1beta1Ingress: + def retrieve(self) -> V1Ingress: return self.api.read_namespaced_ingress(self.name, self.namespace) - def update(self, current: NetworkingV1beta1Ingress, reference: NetworkingV1beta1Ingress): + def update(self, current: V1Ingress, reference: V1Ingress): return self.api.patch_namespaced_ingress( current.metadata.name, self.namespace,