outposts/kubernetes: ingress class (#4002)

* add support for ingressClassName

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add option to disable ssl verification for k8s controller

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update website

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/outposts/api/service_connections.py

@@ -143,7 +143,7 @@ class KubernetesServiceConnectionSerializer(ServiceConnectionSerializer):
     class Meta:
 
         model = KubernetesServiceConnection
-        fields = ServiceConnectionSerializer.Meta.fields + ["kubeconfig"]
+        fields = ServiceConnectionSerializer.Meta.fields + ["kubeconfig", "verify_ssl"]
 
 
 class KubernetesServiceConnectionViewSet(UsedByMixin, ModelViewSet):

authentik/outposts/controllers/kubernetes.py

@@ -36,6 +36,7 @@ class KubernetesClient(ApiClient, BaseClient):
                 load_incluster_config(client_configuration=config)
             else:
                 load_kube_config_from_dict(connection.kubeconfig, client_configuration=config)
+            config.verify_ssl = connection.verify_ssl
             super().__init__(config)
         except ConfigException as exc:
             raise ServiceConnectionInvalid(exc) from exc

authentik/outposts/migrations/0018_kubernetesserviceconnection_verify_ssl.py

@@ -0,0 +1,20 @@
+# Generated by Django 4.1.3 on 2022-11-14 12:56
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_outposts", "0001_squashed_0017_outpost_managed"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="kubernetesserviceconnection",
+            name="verify_ssl",
+            field=models.BooleanField(
+                default=True, help_text="Verify SSL Certificates of the Kubernetes API endpoint"
+            ),
+        ),
+    ]

authentik/outposts/models.py

@@ -53,7 +53,7 @@ class ServiceConnectionInvalid(SentryIgnoredException):
 class OutpostConfig:
     """Configuration an outpost uses to configure it self"""
 
-    # update website/docs/outposts/outposts.md
+    # update website/docs/outposts/_config.md
 
     authentik_host: str = ""
     authentik_host_insecure: bool = False
@@ -62,16 +62,17 @@ class OutpostConfig:
     log_level: str = CONFIG.y("log_level")
     object_naming_template: str = field(default="ak-outpost-%(name)s")
 
+    container_image: Optional[str] = field(default=None)
+
     docker_network: Optional[str] = field(default=None)
     docker_map_ports: bool = field(default=True)
     docker_labels: Optional[dict[str, str]] = field(default=None)
 
-    container_image: Optional[str] = field(default=None)
-
     kubernetes_replicas: int = field(default=1)
     kubernetes_namespace: str = field(default_factory=get_namespace)
     kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
     kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
+    kubernetes_ingress_class_name: Optional[str] = field(default=None)
     kubernetes_service_type: str = field(default="ClusterIP")
     kubernetes_disabled_components: list[str] = field(default_factory=list)
     kubernetes_image_pull_secrets: list[str] = field(default_factory=list)
@@ -224,6 +225,9 @@ class KubernetesServiceConnection(SerializerModel, OutpostServiceConnection):
         ),
         blank=True,
     )
+    verify_ssl = models.BooleanField(
+        default=True, help_text=_("Verify SSL Certificates of the Kubernetes API endpoint")
+    )
 
     @property
     def serializer(self) -> Serializer:

authentik/providers/proxy/controllers/k8s/ingress.py

@@ -159,9 +159,15 @@ class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
                 hosts=tls_hosts,
                 secret_name=self.controller.outpost.config.kubernetes_ingress_secret_name,
             )
+        spec = V1IngressSpec(
+            rules=rules,
+            tls=[tls_config],
+        )
+        if self.controller.outpost.config.kubernetes_ingress_class_name:
+            spec.ingress_class_name = self.controller.outpost.config.kubernetes_ingress_class_name
         return V1Ingress(
             metadata=meta,
-            spec=V1IngressSpec(rules=rules, tls=[tls_config]),
+            spec=spec,
         )
 
     def create(self, reference: V1Ingress):

schema.yml

@@ -28488,6 +28488,9 @@ components:
           additionalProperties: {}
           description: Paste your kubeconfig here. authentik will automatically use
             the currently selected context.
+        verify_ssl:
+          type: boolean
+          description: Verify SSL Certificates of the Kubernetes API endpoint
       required:
       - component
       - meta_model_name
@@ -28511,6 +28514,9 @@ components:
           additionalProperties: {}
           description: Paste your kubeconfig here. authentik will automatically use
             the currently selected context.
+        verify_ssl:
+          type: boolean
+          description: Verify SSL Certificates of the Kubernetes API endpoint
       required:
       - name
     LDAPAPIAccessMode:
@@ -33714,6 +33720,9 @@ components:
           additionalProperties: {}
           description: Paste your kubeconfig here. authentik will automatically use
             the currently selected context.
+        verify_ssl:
+          type: boolean
+          description: Verify SSL Certificates of the Kubernetes API endpoint
     PatchedLDAPPropertyMappingRequest:
       type: object
       description: LDAP PropertyMapping Serializer

web/src/admin/outposts/ServiceConnectionKubernetesForm.ts

@@ -78,6 +78,18 @@ export class ServiceConnectionKubernetesForm extends ModelForm<
                     ${t`Set custom attributes using YAML or JSON.`}
                 </p>
             </ak-form-element-horizontal>
+            <ak-form-element-horizontal name="verifySsl">
+                <div class="pf-c-check">
+                    <input
+                        type="checkbox"
+                        class="pf-c-check__input"
+                        ?checked=${first(this.instance?.verifySsl, true)}
+                    />
+                    <label class="pf-c-check__label">
+                        ${t`Verify Kubernetes API SSL Certificate`}
+                    </label>
+                </div>
+            </ak-form-element-horizontal>
         </form>`;
     }
 }

website/docs/outposts/_config.md

@@ -59,4 +59,9 @@ kubernetes_disabled_components: []
 # NOTE: The secret must be created manually in the namespace first.
 # Applies to: non-embedded
 kubernetes_image_pull_secrets: []
+# Optionally configure an ingress class name. If not set, the ingress will use the cluster's
+# default ingress class
+# (Available with 2022.11.0+)
+# Applies to: proxy outposts
+kubernetes_ingress_class_name: null
 ```

website/docs/outposts/integrations/kubernetes.md

@@ -23,6 +23,7 @@ The following outpost settings are used:
 -   `kubernetes_namespace`: Namespace to deploy in, defaults to the same namespace authentik is deployed in (if available)
 -   `kubernetes_ingress_annotations`: Any additional annotations to add to the ingress object, for example cert-manager
 -   `kubernetes_ingress_secret_name`: Name of the secret that is used for TLS connections
+-   `kubernetes_ingress_class_name`: Optionally set the ingress class used for the generated ingress, requires authentik 2022.11.0
 -   `kubernetes_service_type`: Service kind created, can be set to LoadBalancer for LDAP outposts for example
 -   `kubernetes_disabled_components`: Disable any components of the kubernetes integration, can be any of
     -   'secret'