trying to integrate authentik

Signed-off-by: Tapas Sharma <tapas@platform9.com>

Author: sharma-tapas

deploy/04ui.yaml

@@ -37,11 +37,34 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
+metadata:
+  name: vjailbreak-oauth2-ingress
+  namespace: migration-system
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+spec:
+  ingressClassName: nginx
+  rules:
+  - http:
+      paths:
+      - path: /oauth2
+        pathType: Prefix
+        backend:
+          service:
+            name: oauth2-proxy
+            port:
+              number: 4180
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
   name: vjailbreak-ui-ingress
   namespace: migration-system
   annotations:
     nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    nginx.ingress.kubernetes.io/auth-url: "http://$host/oauth2/auth"
+    nginx.ingress.kubernetes.io/auth-signin: "http://$host/oauth2/start?rd=$escaped_request_uri"
+    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Groups"
 spec:
   ingressClassName: nginx
   rules:
@@ -64,6 +87,9 @@ metadata:
     nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
     nginx.ingress.kubernetes.io/rewrite-target: /$1
     nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/auth-url: "http://$host/oauth2/auth"
+    nginx.ingress.kubernetes.io/auth-signin: "http://$host/oauth2/start?rd=$escaped_request_uri"
+    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Groups"
 spec:
   ingressClassName: nginx
   rules:

deploy/authentik/00-secrets.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authentik-postgres-secret
+  namespace: authentik
+type: Opaque
+stringData:
+  username: "authentik"
+  password: "authentik-db-pass123"

deploy/authentik/01-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authentik

deploy/authentik/02-postgres.yaml

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: authentik-postgres-pvc
+  namespace: authentik
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authentik-postgres
+  namespace: authentik
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authentik-postgres
+  template:
+    metadata:
+      labels:
+        app: authentik-postgres
+    spec:
+      containers:
+      - name: postgres
+        image: postgres:16-alpine
+        env:
+        - name: POSTGRES_DB
+          value: authentik
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: authentik-postgres-secret
+              key: username
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: authentik-postgres-secret
+              key: password
+        ports:
+        - containerPort: 5432
+        volumeMounts:
+        - name: postgres-data
+          mountPath: /var/lib/postgresql/data
+      volumes:
+      - name: postgres-data
+        persistentVolumeClaim:
+          claimName: authentik-postgres-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: authentik-postgres
+  namespace: authentik
+spec:
+  selector:
+    app: authentik-postgres
+  ports:
+  - port: 5432
+    targetPort: 5432

deploy/authentik/03-redis.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authentik-redis
+  namespace: authentik
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authentik-redis
+  template:
+    metadata:
+      labels:
+        app: authentik-redis
+    spec:
+      containers:
+      - name: redis
+        image: redis:alpine
+        ports:
+        - containerPort: 6379
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: authentik-redis
+  namespace: authentik
+spec:
+  selector:
+    app: authentik-redis
+  ports:
+  - port: 6379
+    targetPort: 6379

deploy/authentik/04-authentik-server.yaml

@@ -0,0 +1,121 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authentik-secret
+  namespace: authentik
+type: Opaque
+stringData:
+  secret-key: "CHANGE_ME_GENERATE_RANDOM_KEY"  # Generate with: openssl rand -base64 32
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authentik-server
+  namespace: authentik
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authentik-server
+  template:
+    metadata:
+      labels:
+        app: authentik-server
+    spec:
+      containers:
+      - name: authentik
+        image: ghcr.io/goauthentik/server:2024.8.3
+        args: ["server"]
+        env:
+        - name: AUTHENTIK_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: authentik-secret
+              key: secret-key
+        - name: AUTHENTIK_POSTGRESQL__HOST
+          value: authentik-postgres
+        - name: AUTHENTIK_POSTGRESQL__NAME
+          value: authentik
+        - name: AUTHENTIK_POSTGRESQL__USER
+          valueFrom:
+            secretKeyRef:
+              name: authentik-postgres-secret
+              key: username
+        - name: AUTHENTIK_POSTGRESQL__PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: authentik-postgres-secret
+              key: password
+        - name: AUTHENTIK_REDIS__HOST
+          value: authentik-redis
+        - name: AUTHENTIK_ERROR_REPORTING__ENABLED
+          value: "false"
+        - name: AUTHENTIK_BOOTSTRAP_PASSWORD
+          value: "vjb!@#"
+        - name: AUTHENTIK_BOOTSTRAP_EMAIL
+          value: "admin@vjailbreak.local"
+        - name: AUTHENTIK_BOOTSTRAP_TOKEN
+          value: "vjb!@#"
+        ports:
+        - containerPort: 9000
+          name: http
+        - containerPort: 9443
+          name: https
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authentik-worker
+  namespace: authentik
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authentik-worker
+  template:
+    metadata:
+      labels:
+        app: authentik-worker
+    spec:
+      containers:
+      - name: authentik
+        image: ghcr.io/goauthentik/server:2024.8.3
+        args: ["worker"]
+        env:
+        - name: AUTHENTIK_SECRET_KEY
+          valueFrom:
+            secretKeyRef:
+              name: authentik-secret
+              key: secret-key
+        - name: AUTHENTIK_POSTGRESQL__HOST
+          value: authentik-postgres
+        - name: AUTHENTIK_POSTGRESQL__NAME
+          value: authentik
+        - name: AUTHENTIK_POSTGRESQL__USER
+          valueFrom:
+            secretKeyRef:
+              name: authentik-postgres-secret
+              key: username
+        - name: AUTHENTIK_POSTGRESQL__PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: authentik-postgres-secret
+              key: password
+        - name: AUTHENTIK_REDIS__HOST
+          value: authentik-redis
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: authentik-server
+  namespace: authentik
+spec:
+  selector:
+    app: authentik-server
+  ports:
+  - name: http
+    port: 9000
+    targetPort: 9000
+  - name: https
+    port: 9443
+    targetPort: 9443

deploy/authentik/05-ingress.yaml

@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: authentik-ingress
+  namespace: authentik
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    # Disable auth for Authentik itself (it provides auth for others)
+    nginx.ingress.kubernetes.io/auth-url: ""
+    nginx.ingress.kubernetes.io/auth-signin: ""
+spec:
+  ingressClassName: nginx
+  rules:
+  - http:
+      paths:
+      - path: /authentik
+        pathType: Prefix
+        backend:
+          service:
+            name: authentik-server
+            port:
+              number: 9000
+---
+# NodePort service to expose Authentik on port 9000
+apiVersion: v1
+kind: Service
+metadata:
+  name: authentik-nodeport
+  namespace: authentik
+spec:
+  type: NodePort
+  selector:
+    app: authentik-server
+  ports:
+  - port: 9000
+    targetPort: 9000
+    nodePort: 30900  # External port on the node
+    protocol: TCP

deploy/authentik/06-roles.yaml

@@ -0,0 +1,51 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vjailbreak-admin
+rules:
+- apiGroups: ["vjailbreak.k8s.pf9.io"]
+  resources: ["*"]
+  verbs: ["*"]
+- apiGroups: [""]
+  resources: ["secrets", "configmaps", "pods", "pods/log"]
+  verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vjailbreak-operator
+rules:
+- apiGroups: ["vjailbreak.k8s.pf9.io"]
+  resources: 
+  - migrations
+  - migrationplans
+  - rollingmigrationplans
+  - esximigrations
+  - clustermigrations
+  verbs: ["get", "list", "watch", "create", "update", "patch"]
+- apiGroups: ["vjailbreak.k8s.pf9.io"]
+  resources:
+  - openstackcreds
+  - vmwarecreds
+  - networkmappings
+  - storagemappings
+  - migrationtemplates
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get", "list", "create", "update"]
+- apiGroups: [""]
+  resources: ["pods", "pods/log"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vjailbreak-viewer
+rules:
+- apiGroups: ["vjailbreak.k8s.pf9.io"]
+  resources: ["*"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+  resources: ["pods", "pods/log"]
+  verbs: ["get", "list", "watch"]