From ffe6f65af5858cf8d954ec728bd4adc2bed172af Mon Sep 17 00:00:00 2001
From: Jens L
Date: Mon, 14 Nov 2022 14:24:11 +0100
Subject: [PATCH] outposts/kubernetes: ingress class (#4002)
* add support for ingressClassName
Signed-off-by: Jens Langhammer
* add option to disable ssl verification for k8s controller
Signed-off-by: Jens Langhammer
* update website
Signed-off-by: Jens Langhammer
Signed-off-by: Jens Langhammer
---
authentik/outposts/api/service_connections.py | 2 +-
authentik/outposts/controllers/kubernetes.py | 1 +
..._kubernetesserviceconnection_verify_ssl.py | 20 +++++++++++++++++++
authentik/outposts/models.py | 10 +++++++---
.../proxy/controllers/k8s/ingress.py | 8 +++++++-
schema.yml | 9 +++++++++
.../ServiceConnectionKubernetesForm.ts | 12 +++++++++++
website/docs/outposts/_config.md | 5 +++++
.../docs/outposts/integrations/kubernetes.md | 1 +
9 files changed, 63 insertions(+), 5 deletions(-)
create mode 100644 authentik/outposts/migrations/0018_kubernetesserviceconnection_verify_ssl.py
diff --git a/authentik/outposts/api/service_connections.py b/authentik/outposts/api/service_connections.py
index c118156d1..9c50f8885 100644
--- a/authentik/outposts/api/service_connections.py
+++ b/authentik/outposts/api/service_connections.py
@@ -143,7 +143,7 @@ class KubernetesServiceConnectionSerializer(ServiceConnectionSerializer):
class Meta:
model = KubernetesServiceConnection
- fields = ServiceConnectionSerializer.Meta.fields + ["kubeconfig"]
+ fields = ServiceConnectionSerializer.Meta.fields + ["kubeconfig", "verify_ssl"]
class KubernetesServiceConnectionViewSet(UsedByMixin, ModelViewSet):
diff --git a/authentik/outposts/controllers/kubernetes.py b/authentik/outposts/controllers/kubernetes.py
index 903badd77..31a0db4ba 100644
--- a/authentik/outposts/controllers/kubernetes.py
+++ b/authentik/outposts/controllers/kubernetes.py
@@ -36,6 +36,7 @@ class KubernetesClient(ApiClient, BaseClient):
load_incluster_config(client_configuration=config)
else:
load_kube_config_from_dict(connection.kubeconfig, client_configuration=config)
+ config.verify_ssl = connection.verify_ssl
super().__init__(config)
except ConfigException as exc:
raise ServiceConnectionInvalid(exc) from exc
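Review bot: The added `config.verify_ssl = connection.verify_ssl` turns off certificate validation for the entire API client without leaving any trace when the flag is false, so an operator reading the controller logs cannot tell that the outpost is talking to a cluster endpoint it never authenticated. A warning before the assignment gives that audit trail, e.g. `if not connection.verify_ssl: LOGGER.warning("Kubernetes API TLS verification disabled", connection=connection.name)`, assuming this module has the structlog logger the rest of authentik uses. Note also that the assignment sits after the `if`/`else`, so it overrides the CA that `load_incluster_config` configures on the in-cluster path as well as the kubeconfig path; confirm that is intended rather than limiting the override to the kubeconfig branch. The enclosing `__init__` starts outside the hunk.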
diff --git a/authentik/outposts/migrations/0018_kubernetesserviceconnection_verify_ssl.py b/authentik/outposts/migrations/0018_kubernetesserviceconnection_verify_ssl.py
new file mode 100644
index 000000000..df93a4576
--- /dev/null
+++ b/authentik/outposts/migrations/0018_kubernetesserviceconnection_verify_ssl.py
@@ -0,0 +1,20 @@
+# Generated by Django 4.1.3 on 2022-11-14 12:56
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ("authentik_outposts", "0001_squashed_0017_outpost_managed"),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name="kubernetesserviceconnection",
+ name="verify_ssl",
+ field=models.BooleanField(
+ default=True, help_text="Verify SSL Certificates of the Kubernetes API endpoint"
+ ),
+ ),
+ ]
diff --git a/authentik/outposts/models.py b/authentik/outposts/models.py
index 20e6b313e..cb4d9b304 100644
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@@ -53,7 +53,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
class OutpostConfig:
"""Configuration an outpost uses to configure it self"""
- # update website/docs/outposts/outposts.md
+ # update website/docs/outposts/_config.md
authentik_host: str = ""
authentik_host_insecure: bool = False
@@ -62,16 +62,17 @@ class OutpostConfig:
log_level: str = CONFIG.y("log_level")
object_naming_template: str = field(default="ak-outpost-%(name)s")
+ container_image: Optional[str] = field(default=None)
+
docker_network: Optional[str] = field(default=None)
docker_map_ports: bool = field(default=True)
docker_labels: Optional[dict[str, str]] = field(default=None)
- container_image: Optional[str] = field(default=None)
-
kubernetes_replicas: int = field(default=1)
kubernetes_namespace: str = field(default_factory=get_namespace)
kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
+ kubernetes_ingress_class_name: Optional[str] = field(default=None)
kubernetes_service_type: str = field(default="ClusterIP")
kubernetes_disabled_components: list[str] = field(default_factory=list)
kubernetes_image_pull_secrets: list[str] = field(default_factory=list)
@@ -224,6 +225,9 @@ class KubernetesServiceConnection(SerializerModel, OutpostServiceConnection):
),
blank=True,
)
+ verify_ssl = models.BooleanField(
+ default=True, help_text=_("Verify SSL Certificates of the Kubernetes API endpoint")
+ )
@property
def serializer(self) -> Serializer:
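Review bot: The help text on the new `verify_ssl` field describes what the toggle does but not what disabling it costs, and this string is what an admin sees in the form when deciding to turn it off. Something like `help_text=_("Verify SSL Certificates of the Kubernetes API endpoint. Disabling this allows the connection to be intercepted; only use for testing.")` states the trade-off where the decision is made. The same text is duplicated in the migration and in `schema.yml` in this patch, so a wording change here means regenerating both.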
diff --git a/authentik/providers/proxy/controllers/k8s/ingress.py b/authentik/providers/proxy/controllers/k8s/ingress.py
index 03c6531c6..b641b6d75 100644
--- a/authentik/providers/proxy/controllers/k8s/ingress.py
+++ b/authentik/providers/proxy/controllers/k8s/ingress.py
@@ -159,9 +159,15 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
hosts=tls_hosts,
secret_name=self.controller.outpost.config.kubernetes_ingress_secret_name,
)
+ spec = V1IngressSpec(
+ rules=rules,
+ tls=[tls_config],
+ )
+ if self.controller.outpost.config.kubernetes_ingress_class_name:
+ spec.ingress_class_name = self.controller.outpost.config.kubernetes_ingress_class_name
return V1Ingress(
metadata=meta,
- spec=V1IngressSpec(rules=rules, tls=[tls_config]),
+ spec=spec,
)
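Review bot: The new lines dereference `self.controller.outpost.config` three times and build the spec in two steps, even though `V1IngressSpec` takes `ingress_class_name` as a constructor keyword; a local plus a single constructor call reads the same: `config = self.controller.outpost.config` and `spec = V1IngressSpec(rules=rules, tls=[tls_config], ingress_class_name=config.kubernetes_ingress_class_name or None)`. Separately, if the reconciler's drift check (in `reconcile`, outside this hunk) compares only a fixed set of fields such as rules, tls and annotations, a later change to `kubernetes_ingress_class_name` on an existing outpost would not be applied to the live ingress; worth confirming `ingress_class_name` is part of that comparison. The enclosing method starts outside the hunk.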
def create(self, reference: V1Ingress):
diff --git a/schema.yml b/schema.yml
index 68392fe92..7f4693e6d 100644
--- a/schema.yml
+++ b/schema.yml
@@ -28488,6 +28488,9 @@ components:
additionalProperties: {}
description: Paste your kubeconfig here. authentik will automatically use
the currently selected context.
+ verify_ssl:
+ type: boolean
+ description: Verify SSL Certificates of the Kubernetes API endpoint
required:
- component
- meta_model_name
@@ -28511,6 +28514,9 @@ components:
additionalProperties: {}
description: Paste your kubeconfig here. authentik will automatically use
the currently selected context.
+ verify_ssl:
+ type: boolean
+ description: Verify SSL Certificates of the Kubernetes API endpoint
required:
- name
LDAPAPIAccessMode:
@@ -33714,6 +33720,9 @@ components:
additionalProperties: {}
description: Paste your kubeconfig here. authentik will automatically use
the currently selected context.
+ verify_ssl:
+ type: boolean
+ description: Verify SSL Certificates of the Kubernetes API endpoint
PatchedLDAPPropertyMappingRequest:
type: object
description: LDAP PropertyMapping Serializer
diff --git a/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts b/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts
index 7b1daed75..d718815a7 100644
--- a/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts
+++ b/web/src/admin/outposts/ServiceConnectionKubernetesForm.ts
@@ -78,6 +78,18 @@ export class ServiceConnectionKubernetesForm extends ModelForm<
${t`Set custom attributes using YAML or JSON.`}
+
+
+
+
+
+
`;
}
}
diff --git a/website/docs/outposts/_config.md b/website/docs/outposts/_config.md
index 50dc088b9..de4ab7d51 100644
--- a/website/docs/outposts/_config.md
+++ b/website/docs/outposts/_config.md
@@ -59,4 +59,9 @@ kubernetes_disabled_components: []
# NOTE: The secret must be created manually in the namespace first.
# Applies to: non-embedded
kubernetes_image_pull_secrets: []
+# Optionally configure an ingress class name. If not set, the ingress will use the cluster's
+# default ingress class
+# (Available with 2022.11.0+)
+# Applies to: proxy outposts
+kubernetes_ingress_class_name: null
```
diff --git a/website/docs/outposts/integrations/kubernetes.md b/website/docs/outposts/integrations/kubernetes.md
index b8354f460..fc7047e19 100644
--- a/website/docs/outposts/integrations/kubernetes.md
+++ b/website/docs/outposts/integrations/kubernetes.md
@@ -23,6 +23,7 @@ The following outpost settings are used:
- `kubernetes_namespace`: Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available)
- `kubernetes_ingress_annotations`: Any additional annotations to add to the ingress object, for example cert-manager
- `kubernetes_ingress_secret_name`: Name of the secret that is used for TLS connections
+- `kubernetes_ingress_class_name`: Optionally set the ingress class used for the generated ingress, requires authentik 2022.11.0
- `kubernetes_service_type`: Service kind created, can be set to LoadBalancer for LDAP outposts for example
- `kubernetes_disabled_components`: Disable any components of the kubernetes integration, can be any of
- 'secret'