diff --git a/authentik/outposts/api/service_connections.py b/authentik/outposts/api/service_connections.py
index c118156d10..9c50f8885a 100644
--- a/authentik/outposts/api/service_connections.py
+++ b/authentik/outposts/api/service_connections.py
@@ -143,7 +143,7 @@ class KubernetesServiceConnectionSerializer(ServiceConnectionSerializer):
 
     class Meta:
         model = KubernetesServiceConnection
-        fields = ServiceConnectionSerializer.Meta.fields + ["kubeconfig"]
+        fields = ServiceConnectionSerializer.Meta.fields + ["kubeconfig", "verify_ssl"]
 
 
 class KubernetesServiceConnectionViewSet(UsedByMixin, ModelViewSet):
diff --git a/authentik/outposts/controllers/kubernetes.py b/authentik/outposts/controllers/kubernetes.py
index 903badd776..31a0db4baa 100644
--- a/authentik/outposts/controllers/kubernetes.py
+++ b/authentik/outposts/controllers/kubernetes.py
@@ -36,6 +36,7 @@ class KubernetesClient(ApiClient, BaseClient):
                 load_incluster_config(client_configuration=config)
             else:
                 load_kube_config_from_dict(connection.kubeconfig, client_configuration=config)
+            config.verify_ssl = connection.verify_ssl
             super().__init__(config)
         except ConfigException as exc:
             raise ServiceConnectionInvalid(exc) from exc
diff --git a/authentik/outposts/migrations/0018_kubernetesserviceconnection_verify_ssl.py b/authentik/outposts/migrations/0018_kubernetesserviceconnection_verify_ssl.py
new file mode 100644
index 0000000000..df93a4576c
--- /dev/null
+++ b/authentik/outposts/migrations/0018_kubernetesserviceconnection_verify_ssl.py
@@ -0,0 +1,20 @@
+# Generated by Django 4.1.3 on 2022-11-14 12:56
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_outposts", "0001_squashed_0017_outpost_managed"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="kubernetesserviceconnection",
+            name="verify_ssl",
+            field=models.BooleanField(
+                default=True, help_text="Verify SSL Certificates of the Kubernetes API endpoint"
+            ),
+        ),
+    ]
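Review bot: `config.verify_ssl = connection.verify_ssl` in the kubernetes.py hunk unconditionally overrides whatever the loader just derived: if I recall the kubernetes client correctly, `load_kube_config_from_dict` sets `verify_ssl` from the cluster's `insecure-skip-tls-verify` entry, and the in-cluster branch points it at the mounted service-account CA. With the new column defaulting to True, existing connections whose kubeconfig opted out of verification will start verifying after the migration — the safer direction, but a behaviour change worth a release note. Conversely, a connection saved with verify_ssl=False hands its bearer token or client certificate to whatever answers at the API endpoint, so the opt-out should at least be visible in the logs, e.g. `if not config.verify_ssl: LOGGER.warning("Kubernetes API TLS verification disabled for service connection")` using whatever logger this module already has (not visible in the hunk). The enclosing `__init__` starts and ends outside the hunk.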
diff --git a/authentik/outposts/models.py b/authentik/outposts/models.py
index 20e6b313e2..cb4d9b3040 100644
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@@ -53,7 +53,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
 class OutpostConfig:
     """Configuration an outpost uses to configure it self"""
 
-    # update website/docs/outposts/outposts.md
+    # update website/docs/outposts/_config.md
     authentik_host: str = ""
     authentik_host_insecure: bool = False
 
@@ -62,16 +62,17 @@ class OutpostConfig:
 
     log_level: str = CONFIG.y("log_level")
     object_naming_template: str = field(default="ak-outpost-%(name)s")
+    container_image: Optional[str] = field(default=None)
 
+    docker_network: Optional[str] = field(default=None)
     docker_map_ports: bool = field(default=True)
     docker_labels: Optional[dict[str, str]] = field(default=None)
 
-    container_image: Optional[str] = field(default=None)
-
     kubernetes_replicas: int = field(default=1)
     kubernetes_namespace: str = field(default_factory=get_namespace)
     kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
     kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
+    kubernetes_ingress_class_name: Optional[str] = field(default=None)
     kubernetes_service_type: str = field(default="ClusterIP")
     kubernetes_disabled_components: list[str] = field(default_factory=list)
     kubernetes_image_pull_secrets: list[str] = field(default_factory=list)
@@ -224,6 +225,9 @@ class KubernetesServiceConnection(SerializerModel, OutpostServiceConnection):
         ),
         blank=True,
     )
+    verify_ssl = models.BooleanField(
+        default=True, help_text=_("Verify SSL Certificates of the Kubernetes API endpoint")
+    )
 
     @property
     def serializer(self) -> Serializer:
diff --git a/authentik/providers/proxy/controllers/k8s/ingress.py b/authentik/providers/proxy/controllers/k8s/ingress.py
index 03c6531c63..b641b6d758 100644
--- a/authentik/providers/proxy/controllers/k8s/ingress.py
+++ b/authentik/providers/proxy/controllers/k8s/ingress.py
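Review bot: The second models.py hunk adds two new `OutpostConfig` keys, `docker_network` and `kubernetes_ingress_class_name`, while the first hunk re-points the reminder comment at `website/docs/outposts/_config.md`; that doc file is not part of this diff as far as I can see, so confirm the two new keys (and the moved `container_image`) are described there, since the comment exists precisely to keep the two in sync. Both keys are `Optional[str]` with no accompanying docstring or comment; a one-line comment on each, e.g. `# Docker network to attach outpost containers to; None keeps the engine default` and `# Sets spec.ingressClassName on the generated Ingress when non-empty`, would spare the next reader a trip to the controllers. `OutpostConfig` starts before this hunk and continues after it.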
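Review bot: The help text on the new `verify_ssl` field in the third models.py hunk says what the flag does but not what switching it off costs, and since this string is what the admin form and the API schema show, it is where an operator makes that decision. Consider `help_text=_("Verify SSL Certificates of the Kubernetes API endpoint. Disabling this allows anyone able to intercept traffic to the API server to read the kubeconfig credentials.")`; the same sentence is duplicated verbatim in the migration and in the three schema.yml hunks, so those would need regenerating alongside it. `KubernetesServiceConnection` starts before this hunk and continues after it.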
@@ -159,9 +159,15 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
             hosts=tls_hosts,
             secret_name=self.controller.outpost.config.kubernetes_ingress_secret_name,
         )
+        spec = V1IngressSpec(
+            rules=rules,
+            tls=[tls_config],
+        )
+        if self.controller.outpost.config.kubernetes_ingress_class_name:
+            spec.ingress_class_name = self.controller.outpost.config.kubernetes_ingress_class_name
         return V1Ingress(
             metadata=meta,
-            spec=V1IngressSpec(rules=rules, tls=[tls_config]),
+            spec=spec,
         )
 
     def create(self, reference: V1Ingress):
diff --git a/schema.yml b/schema.yml
index 68392fe923..7f4693e6da 100644
--- a/schema.yml
+++ b/schema.yml
@@ -28488,6 +28488,9 @@ components:
           additionalProperties: {}
           description: Paste your kubeconfig here. authentik will automatically use the currently selected context.
+        verify_ssl:
+          type: boolean
+          description: Verify SSL Certificates of the Kubernetes API endpoint
       required:
       - component
       - meta_model_name
@@ -28511,6 +28514,9 @@ components:
           additionalProperties: {}
           description: Paste your kubeconfig here. authentik will automatically use the currently selected context.
+        verify_ssl:
+          type: boolean
+          description: Verify SSL Certificates of the Kubernetes API endpoint
       required:
       - name
     LDAPAPIAccessMode:
@@ -33714,6 +33720,9 @@ components:
           additionalProperties: {}
           description: Paste your kubeconfig here. authentik will automatically use the currently selected context.
+        verify_ssl:
+          type: boolean
+          description: Verify SSL Certificates of the Kubernetes API endpoint
     PatchedLDAPPropertyMappingRequest:
       type: object
       description: LDAP PropertyMapping Serializer
diff --git a/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts b/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts
index 7b1daed756..d718815a7a 100644
--- a/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts
+++ b/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts
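Review bot: The post-construction `if ...: spec.ingress_class_name = ...` in the ingress.py hunk can be folded into the constructor — `V1IngressSpec` takes `ingress_class_name` as a keyword and, as far as I recall the generated client models, leaves the attribute unset when it is passed `None` — so `spec = V1IngressSpec(rules=rules, tls=[tls_config], ingress_class_name=self.controller.outpost.config.kubernetes_ingress_class_name or None)` says the same thing in one statement (the `or None` keeps the empty-string case equivalent to the truthiness check). Separately, the reconciler's comparison of the live Ingress against the desired one lives outside this hunk; if it only looks at rules and TLS, which I cannot tell from here, changing `kubernetes_ingress_class_name` on an already-deployed outpost will not trigger an update, so it is worth a test that flips the class name and expects a reconcile. The enclosing method starts above the hunk.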
@@ -78,6 +78,18 @@ export class ServiceConnectionKubernetesForm extends ModelForm< ${t`Set custom attributes using YAML or JSON.`}
+