feat(authentik): better probes, harden ingress, app-template 3.5.1 #1416
Merged
--- kube/deploy/apps/authentik/app Kustomization: flux-system/authentik-app HelmRelease: authentik/authentik
+++ kube/deploy/apps/authentik/app Kustomization: flux-system/authentik-app HelmRelease: authentik/authentik
@@ -13,13 +13,13 @@
spec:
chart: app-template
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
- version: 3.1.0
+ version: 3.5.1
driftDetection:
ignore:
- paths:
- /spec/replicas
mode: warn
install:
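Review bot: the chart bump is not a no-op upgrade: the rendered diff further down replaces the NetworkPolicy (`authentik` becomes `authentik-same-ns`) and the Ingress (`authentik` becomes `authentik-main`) under new names instead of updating them in place, so both are delete-plus-create operations during reconciliation. Confirm whether that comes from the 3.1.0 to 3.5.1 bump or from values outside these hunks, and say so in the PR description (currently empty), since a reviewer cannot tell from the version line alone.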
@@ -89,17 +89,30 @@
envFrom:
- secretRef:
name: authentik-secrets
image:
repository: ghcr.io/goauthentik/server
tag: 2024.10.4@sha256:5843c56a56be58dcee8927c705f8c9def0af7189511c0e8e687d430f543b0f6d
+ ports:
+ - containerPort: 9000
+ name: http
+ - containerPort: 9443
+ name: https
+ - containerPort: 9300
+ name: metrics
probes:
liveness:
enabled: true
+ path: /-/health/live/
+ port: http
+ type: HTTP
readiness:
enabled: true
+ path: /-/health/ready/
+ port: http
+ type: HTTP
resources:
limits:
cpu: 1000m
memory: 2Gi
requests:
cpu: 30m
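Review bot: moving from tcpSocket to HTTP probes on `/-/health/live/` and `/-/health/ready/` is the right change, but make sure the liveness endpoint is the shallow check: if `/-/health/live/` also verifies the database or cache, every backend outage turns into a restart loop of the server pods, whereas only readiness should take them out of rotation. Note also that the probes reference the containerPort by name (`port: http`), so the new `ports` block and the probe definitions must be kept in sync.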
@@ -306,12 +319,29 @@
envFrom:
- secretRef:
name: authentik-secrets
image:
repository: ghcr.io/goauthentik/server
tag: 2024.10.4@sha256:5843c56a56be58dcee8927c705f8c9def0af7189511c0e8e687d430f543b0f6d
+ probes:
+ liveness:
+ custom: true
+ enabled: true
+ spec:
+ exec:
+ command:
+ - ak
+ - healthcheck
+ readiness:
+ custom: true
+ enabled: true
+ spec:
+ exec:
+ command:
+ - ak
+ - healthcheck
resources:
limits:
cpu: 1000m
memory: 2Gi
requests:
cpu: 20m
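Review bot: liveness and readiness on the worker run the identical `ak healthcheck` command, which leaves readiness without a purpose: readiness only gates Service endpoints, and nothing in this diff puts the worker behind a Service, so a readiness failure changes nothing while doubling the number of processes spawned per probe period. Suggest keeping only the liveness probe here, with its thresholds set explicitly under the custom `spec:`.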
@@ -361,16 +391,42 @@
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
ingress:
+ harden:
+ annotations:
+ nginx.ingress.kubernetes.io/whitelist-source-range: 127.0.0.1/32
+ className: nginx-external
+ hosts:
+ - host: authentik
+ paths:
+ - path: /api/v3/policies/expression
+ pathType: Prefix
+ service:
+ identifier: authentik
+ port: http
+ - path: /api/v3/propertymappings
+ pathType: Prefix
+ service:
+ identifier: authentik
+ port: http
+ - path: /api/v3/managed/blueprints
+ pathType: Prefix
+ service:
+ identifier: authentik
+ port: http
+ tls:
+ - hosts:
+ - authentik
+ secretName: authentik-tls
main:
annotations:
external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true'
- external-dns.alpha.kubernetes.io/target: null
+ external-dns.alpha.kubernetes.io/target: cf
className: nginx-external
hosts:
- host: authentik
paths:
- path: /
pathType: Prefix
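Review bot: the `harden` Ingress only works as intended if ingress-nginx sees the real client address. The `main` Ingress for the same host is `cloudflare-proxied: 'true'`, so requests arrive from Cloudflare edge IPs; unless the controller is configured to take the client IP from Cloudflare's forwarded headers, and to trust those headers only from Cloudflare ranges, `whitelist-source-range` either blocks every request to these three paths or, if forwarded headers are trusted from anywhere, can be satisfied by any client. Worth stating in the PR which of these the controller is set up for. Separately, `external-dns.alpha.kubernetes.io/target: cf` reads like a placeholder rather than a hostname or IP; confirm it is the intended value.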
@@ -426,34 +482,34 @@
service:
authentik:
controller: authentik
ports:
http:
appProtocol: http
- port: 9000
+ port: http
protocol: HTTP
http-80:
appProtocol: http
port: 80
protocol: HTTP
- targetPort: 9000
+ targetPort: http
metrics:
appProtocol: http
- port: 9300
+ port: metrics
protocol: HTTP
expose:
annotations:
io.cilium/internal: 'true'
io.cilium/lb-ipam-ips: 127.0.0.1
controller: authentik
ports:
http:
appProtocol: https
port: 443
protocol: HTTPS
- targetPort: 9443
+ targetPort: https
primary: false
type: LoadBalancer
ldap:
annotations:
coredns.io/hostname: authentik-ldap
io.cilium/lb-ipam-ips: 127.0.0.1 |
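Review bot: `port: http` and `port: metrics` under `service.authentik.ports` will not render a valid Service: the chart passes the value straight into `spec.ports[].port`, which is an integer field (the rendered Service later in this diff shows `- port: http`). Only `targetPort` accepts a port name, so keep `port: 9000` / `port: 9300` and move the names to `targetPort: http` / `targetPort: metrics`, the shape already used for `http-80` and for the `expose` service.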
--- HelmRelease: authentik/authentik NetworkPolicy: authentik/authentik
+++ HelmRelease: authentik/authentik NetworkPolicy: authentik/authentik
@@ -1,21 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: authentik
- labels:
- app.kubernetes.io/instance: authentik
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: authentik
-spec:
- podSelector: {}
- policyTypes:
- - Ingress
- - Egress
- ingress:
- - from:
- - podSelector: {}
- egress:
- - to:
- - podSelector: {}
-
--- HelmRelease: authentik/authentik Service: authentik/authentik
+++ HelmRelease: authentik/authentik Service: authentik/authentik
@@ -8,24 +8,24 @@
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: authentik
app.kubernetes.io/service: authentik
spec:
type: ClusterIP
ports:
- - port: 9000
- targetPort: 9000
+ - port: http
+ targetPort: http
protocol: TCP
name: http
appProtocol: http
- port: 80
- targetPort: 9000
+ targetPort: http
protocol: TCP
name: http-80
appProtocol: http
- - port: 9300
- targetPort: 9300
+ - port: metrics
+ targetPort: metrics
protocol: TCP
name: metrics
appProtocol: http
selector:
app.kubernetes.io/component: authentik
app.kubernetes.io/instance: authentik
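Review bot: `- port: http` and `- port: metrics` are invalid here: `Service.spec.ports[].port` is an int32 and only `targetPort` may carry a port name, so the API server rejects this manifest and the HelmRelease upgrade fails before any of the PR's other changes land. The fix belongs in the values (`port: 9000` / `targetPort: http`, `port: 9300` / `targetPort: metrics`); `http-80` in the same hunk shows the correct shape.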
--- HelmRelease: authentik/authentik Service: authentik/authentik-expose
+++ HelmRelease: authentik/authentik Service: authentik/authentik-expose
@@ -12,13 +12,13 @@
io.cilium/internal: 'true'
io.cilium/lb-ipam-ips: 127.0.0.1
spec:
type: LoadBalancer
ports:
- port: 443
- targetPort: 9443
+ targetPort: https
protocol: TCP
name: http
appProtocol: https
selector:
app.kubernetes.io/component: authentik
app.kubernetes.io/instance: authentik
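Review bot: the 443 port of `authentik-expose` is named `http` while carrying `appProtocol: https` and targeting the `https` container port; rename it `https` so the Service port name, the containerPort name and `appProtocol` agree, which also keeps tooling that infers protocol from port names from treating this listener as plaintext.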
--- HelmRelease: authentik/authentik Deployment: authentik/authentik
+++ HelmRelease: authentik/authentik Deployment: authentik/authentik
@@ -126,24 +126,35 @@
envFrom:
- secretRef:
name: authentik-secrets
image: ghcr.io/goauthentik/server:2024.10.4@sha256:5843c56a56be58dcee8927c705f8c9def0af7189511c0e8e687d430f543b0f6d
livenessProbe:
failureThreshold: 3
+ httpGet:
+ path: /-/health/live/
+ port: http
+ scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 10
- tcpSocket:
- port: 9000
timeoutSeconds: 1
name: main
+ ports:
+ - containerPort: 9000
+ name: http
+ - containerPort: 9443
+ name: https
+ - containerPort: 9300
+ name: metrics
readinessProbe:
failureThreshold: 3
+ httpGet:
+ path: /-/health/ready/
+ port: http
+ scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 10
- tcpSocket:
- port: 9000
timeoutSeconds: 1
resources:
limits:
cpu: 1000m
memory: 2Gi
requests:
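Review bot: `timeoutSeconds: 1` and `failureThreshold: 3` were carried over from the old tcpSocket probe; an HTTP probe answered by the application can take longer under load, and three consecutive 1-second timeouts on the liveness probe restart the pod. Raise `timeoutSeconds` (5 is a common choice) on at least the liveness probe, and since `initialDelaySeconds: 0` means the first probe fires before the server listens, consider a startupProbe or a modest initial delay to cover startup and migrations.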
--- HelmRelease: authentik/authentik Deployment: authentik/authentik-worker
+++ HelmRelease: authentik/authentik Deployment: authentik/authentik-worker
@@ -119,13 +119,23 @@
- name: TZ
value: null
envFrom:
- secretRef:
name: authentik-secrets
image: ghcr.io/goauthentik/server:2024.10.4@sha256:5843c56a56be58dcee8927c705f8c9def0af7189511c0e8e687d430f543b0f6d
+ livenessProbe:
+ exec:
+ command:
+ - ak
+ - healthcheck
name: main
+ readinessProbe:
+ exec:
+ command:
+ - ak
+ - healthcheck
resources:
limits:
cpu: 1000m
memory: 2Gi
requests:
cpu: 20m
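Review bot: the rendered worker probes carry no `timeoutSeconds`, `periodSeconds` or `failureThreshold`, so the Kubernetes defaults apply (1 s timeout, 10 s period, 3 failures). `ak healthcheck` starts a new process on every run, which on a container requesting 20m CPU can exceed one second; three slow runs in a row restart the worker through the liveness probe. Set the thresholds explicitly under the custom `spec:` in the HelmRelease values.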
--- HelmRelease: authentik/authentik Ingress: authentik/authentik
+++ HelmRelease: authentik/authentik Ingress: authentik/authentik
@@ -1,30 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: authentik
- labels:
- app.kubernetes.io/instance: authentik
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: authentik
- annotations:
- external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true'
- external-dns.alpha.kubernetes.io/target: null
-spec:
- ingressClassName: nginx-external
- tls:
- - hosts:
- - authentik
- secretName: authentik-tls
- rules:
- - host: authentik
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: authentik
- port:
- number: 9000
-
--- HelmRelease: authentik/authentik NetworkPolicy: authentik/authentik-same-ns
+++ HelmRelease: authentik/authentik NetworkPolicy: authentik/authentik-same-ns
@@ -0,0 +1,21 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: authentik-same-ns
+ labels:
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: authentik
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - podSelector: {}
+ egress:
+ - to:
+ - podSelector: {}
+
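Review bot: with `podSelector: {}` on both `from` and `to`, this policy only allows traffic between pods of the authentik namespace. It does not itself permit the `nginx-external` ingress controller or the metrics scraper to reach the pods, nor egress to the database, cache or DNS if those live in other namespaces; because policies are additive that is fine only if other policies outside this diff grant those flows. Kubelet-originated probe traffic is typically not subject to NetworkPolicy, so the new HTTP probes passing is not evidence that the ingress controller can reach the pod.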
--- HelmRelease: authentik/authentik Ingress: authentik/authentik-harden
+++ HelmRelease: authentik/authentik Ingress: authentik/authentik-harden
@@ -0,0 +1,43 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: authentik-harden
+ labels:
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: authentik
+ annotations:
+ nginx.ingress.kubernetes.io/whitelist-source-range: 127.0.0.1/32
+spec:
+ ingressClassName: nginx-external
+ tls:
+ - hosts:
+ - authentik
+ secretName: authentik-tls
+ rules:
+ - host: authentik
+ http:
+ paths:
+ - path: /api/v3/policies/expression
+ pathType: Prefix
+ backend:
+ service:
+ name: authentik
+ port:
+ number: http
+ - path: /api/v3/propertymappings
+ pathType: Prefix
+ backend:
+ service:
+ name: authentik
+ port:
+ number: http
+ - path: /api/v3/managed/blueprints
+ pathType: Prefix
+ backend:
+ service:
+ name: authentik
+ port:
+ number: http
+
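Review bot: `port: number: http` is not a valid Ingress backend: `service.port.number` is an integer and a named port belongs under `service.port.name`, so the API server rejects this object and the hardening never takes effect; set the numeric port in the values or use whatever chart syntax maps to `name: http`. The allowlist itself is also only as good as the client IP the controller sees (the main Ingress on the same host is Cloudflare-proxied), so treat it as defence in depth and keep authentik's own permission checks on expression policies, property mappings and blueprints as the primary control.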
--- HelmRelease: authentik/authentik Ingress: authentik/authentik-main
+++ HelmRelease: authentik/authentik Ingress: authentik/authentik-main
@@ -0,0 +1,30 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: authentik-main
+ labels:
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: authentik
+ annotations:
+ external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true'
+ external-dns.alpha.kubernetes.io/target: cf
+spec:
+ ingressClassName: nginx-external
+ tls:
+ - hosts:
+ - authentik
+ secretName: authentik-tls
+ rules:
+ - host: authentik
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: authentik
+ port:
+ number: http
+ |
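Review bot: same backend port problem as `authentik-harden`: `number: http` must be an integer (the deleted Ingress used `number: 9000`) or move to `name: http`. As rendered, the upgrade fails validation and the previous release stays in place, so none of this PR's changes would be applied.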
No description provided.