habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d5172d18ad1f28f66ea88d7090a5795912cdef5
authentik/website/docs/add-secure-apps/outposts/integrations/kubernetes.md
Tana M Berry 6d5172d18a website: latest PR for new Docs structure (#11639) 
* first pass

* dependency shenanigans

* move blueprints

* few broken links

* change config the throw errors

* internal file edits

* fighting links

* remove sidebarDev

* fix subdomain

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix relative URL

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix mismatched package versions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix api reference build

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* test tweak

* links hell

* more links hell

* links hell2

* yep last of the links

* last broken link fixed

* re-add cves

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add devdocs redirects

* add dir

* tweak netlify.toml

* move latest 2 CVES into dir

* fix links to moved cves

* typoed title fix

* fix link

* remove banner

* remove committed api docs

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* integrations: remove version dropdown

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Update Makefile

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* change doc links in web as well

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix some more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* fix more docs paths

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* ci: require ci-web.build for merging

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>

* Revert "ci: require ci-web.build for merging"

This reverts commit b99a4842a9.

* remove sluf for Application

* put slug back in

* minor fix to trigger deploy

* Spelled out Documentation in menu bar

* remove image redirects...

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove explicit index.md

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove mdx first

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* then remove .md

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add missing prefix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Co-authored-by: Tana M Berry <tana@goauthentik.com>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2024-10-09 09:33:40 -05:00

2.9 KiB
Raw Blame History

title
title
Kubernetes

The kubernetes integration will automatically deploy outposts on any Kubernetes Cluster.

This integration has the advantage over manual deployments of automatic updates (whenever authentik is updated, it updates the outposts), and authentik can (in a future version) automatically rotate the token that the outpost uses to communicate with the core authentik server.

This integration creates the following objects:

  • Deployment for the outpost container
  • Service
  • Secret to store the token
  • Prometheus ServiceMonitor (if the Prometheus Operator is installed in the target cluster)
  • Ingress (only Proxy outposts)
  • Traefik Middleware (only Proxy outposts with forward auth enabled)

The following outpost settings are used:

  • object_naming_template: Configures how the container is called
  • container_image: Optionally overwrites the standard container image (see Configuration to configure the global default)
  • kubernetes_replicas: Replica count for the deployment of the outpost
  • kubernetes_namespace: Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available)
  • kubernetes_ingress_annotations: Any additional annotations to add to the ingress object, for example cert-manager
  • kubernetes_ingress_secret_name: Name of the secret that is used for TLS connections, can be empty to disable TLS config
  • kubernetes_ingress_class_name: Optionally set the ingress class used for the generated ingress, requires authentik 2022.11.0
  • kubernetes_service_type: Service kind created, can be set to LoadBalancer for LDAP outposts for example
  • kubernetes_disabled_components: Disable any components of the kubernetes integration, can be any of
    • 'secret'
    • 'deployment'
    • 'service'
    • 'prometheus servicemonitor'
    • 'ingress'
    • 'traefik middleware'
  • kubernetes_image_pull_secrets: If the above docker image is in a private repository, use these secrets to pull. (NOTE: The secret must be created manually in the namespace first.)
  • kubernetes_json_patches: Applies an RFC 6902 compliant JSON patch to the Kubernetes objects.

Permissions

The permissions required for this integration are documented in the helm chart. See Cluster-level and Namespace-level.

Remote clusters

To add a remote cluster, you can simply install this helm chart in the target cluster and namespace: https://artifacthub.io/packages/helm/goauthentik/authentik-remote-cluster

After installation, the helm chart outputs an example kubeconfig file, that you can enter in authentik to connect to the cluster.