outposts: support different port on container vs exposed port

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/outposts/controllers/base.py

@@ -1,5 +1,6 @@
 """Base Controller"""
 from dataclasses import dataclass
+from typing import Optional
 
 from structlog.stdlib import get_logger
 from structlog.testing import capture_logs
@@ -23,6 +24,7 @@ class DeploymentPort:
     port: int
     name: str
     protocol: str
+    inner_port: Optional[int] = None
 
 
 class BaseController:

authentik/outposts/controllers/docker.py

@@ -66,7 +66,7 @@ class DockerController(BaseController):
                 "name": f"authentik-proxy-{self.outpost.uuid.hex}",
                 "detach": True,
                 "ports": {
-                    f"{port.port}/{port.protocol.lower()}": port.port
+                    f"{port.port}/{port.protocol.lower()}": port.inner_port or port.port
                     for port in self.deployment_ports
                 },
                 "environment": self._get_env(),
@@ -141,7 +141,7 @@ class DockerController(BaseController):
     def get_static_deployment(self) -> str:
         """Generate docker-compose yaml for proxy, version 3.5"""
         ports = [
-            f"{port.port}:{port.port}/{port.protocol.lower()}"
+            f"{port.port}:{port.inner_port or port.port}/{port.protocol.lower()}"
             for port in self.deployment_ports
         ]
         image_name = self.get_container_image()

authentik/outposts/controllers/k8s/deployment.py

@@ -62,7 +62,7 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
         for port in self.controller.deployment_ports:
             container_ports.append(
                 V1ContainerPort(
-                    container_port=port.port,
+                    container_port=port.inner_port or port.port,
                     name=port.name,
                     protocol=port.protocol.upper(),
                 )
@@ -105,7 +105,7 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
                                         name="AUTHENTIK_INSECURE",
                                         value_from=V1EnvVarSource(
                                             secret_key_ref=V1SecretKeySelector(
-                                                name=secret_name,
+                                                name=self.name,
                                                 key="authentik_host_insecure",
                                             )
                                         ),

authentik/outposts/controllers/k8s/service.py

@@ -39,7 +39,7 @@ class ServiceReconciler(KubernetesObjectReconciler[V1Service]):
                     name=port.name,
                     port=port.port,
                     protocol=port.protocol.upper(),
-                    target_port=port.port,
+                    target_port=port.inner_port or port.port,
                 )
             )
         selector_labels = DeploymentReconciler(self.controller).get_pod_meta()

authentik/providers/ldap/controllers/docker.py

@@ -10,5 +10,5 @@ class LDAPDockerController(DockerController):
     def __init__(self, outpost: Outpost, connection: DockerServiceConnection):
         super().__init__(outpost, connection)
         self.deployment_ports = [
-            DeploymentPort(3389, "ldap", "tcp"),
+            DeploymentPort(389, "ldap", "tcp", 3389),
         ]

authentik/providers/ldap/controllers/kubernetes.py

@@ -10,5 +10,5 @@ class LDAPKubernetesController(KubernetesController):
     def __init__(self, outpost: Outpost, connection: KubernetesServiceConnection):
         super().__init__(outpost, connection)
         self.deployment_ports = [
-            DeploymentPort(3389, "ldap", "tcp"),
+            DeploymentPort(389, "ldap", "tcp", 3389),
         ]