diff --git a/clusters/cl01tl/manifests/authentik/ReferenceGrant-allow-outpost-cross-namespace-access.yaml b/clusters/cl01tl/manifests/authentik/ReferenceGrant-allow-outpost-cross-namespace-access.yaml
index 3f9044c21..d394a4150 100644
--- a/clusters/cl01tl/manifests/authentik/ReferenceGrant-allow-outpost-cross-namespace-access.yaml
+++ b/clusters/cl01tl/manifests/authentik/ReferenceGrant-allow-outpost-cross-namespace-access.yaml
@@ -9,9 +9,30 @@ metadata:
 app.kubernetes.io/part-of: authentik
 spec:
 from:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: lidarr
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: radarr
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: radarr-4k
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: radarr-anime
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: radarr-standup
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: sonarr
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
 namespace: sonarr-4k
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: sonarr-anime
 to:
 - group: ""
 kind: Service
diff --git a/clusters/cl01tl/manifests/lidarr/HTTPRoute-lidarr.yaml b/clusters/cl01tl/manifests/lidarr/HTTPRoute-lidarr.yaml
index c58c7092d..e88308a38 100644
--- a/clusters/cl01tl/manifests/lidarr/HTTPRoute-lidarr.yaml
+++ b/clusters/cl01tl/manifests/lidarr/HTTPRoute-lidarr.yaml
@@ -17,6 +17,17 @@ spec:
 hostnames:
 - "lidarr.alexlebens.net"
 rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ""
 kind: Service
@@ -28,3 +39,9 @@ spec:
 - path:
 type: PathPrefix
 value: /
+ filters:
+ - extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
+ type: ExtensionRef
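Review bot: The `to` entry at the end of the ReferenceGrant hunk lets every HTTPRoute in the listed namespaces reference any Service in the authentik namespace unless a `name:` follows `kind: Service` below the hunk; if none does, narrowing it with `name: ak-outpost-traefik-proxy-auth` keeps the grant to the one backend the new routes use. The `from` list now covers all seven namespaces whose HTTPRoutes gain the outpost backend in this commit, which matches. The `to` block continues past the end of the hunk, so whether a `name:` is already present cannot be confirmed from here.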
diff --git a/clusters/cl01tl/manifests/lidarr/Middleware-oidc-forward-auth.yaml b/clusters/cl01tl/manifests/lidarr/Middleware-oidc-forward-auth.yaml
new file mode 100644
index 000000000..e2a77e191
--- /dev/null
+++ b/clusters/cl01tl/manifests/lidarr/Middleware-oidc-forward-auth.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: lidarr
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: lidarr
+ app.kubernetes.io/part-of: lidarr
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/clusters/cl01tl/manifests/radarr-4k/HTTPRoute-radarr-4k.yaml b/clusters/cl01tl/manifests/radarr-4k/HTTPRoute-radarr-4k.yaml
index b2584a1e4..7ff8d9820 100644
--- a/clusters/cl01tl/manifests/radarr-4k/HTTPRoute-radarr-4k.yaml
+++ b/clusters/cl01tl/manifests/radarr-4k/HTTPRoute-radarr-4k.yaml
@@ -17,6 +17,17 @@ spec:
 hostnames:
 - "radarr-4k.alexlebens.net"
 rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ""
 kind: Service
@@ -28,3 +39,9 @@ spec:
 - path:
 type: PathPrefix
 value: /
+ filters:
+ - extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
+ type: ExtensionRef
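Review bot: `trustForwardHeader: true` under `forwardAuth` makes Traefik pass whatever `X-Forwarded-*` headers arrive on the client request through to the outpost, which uses them to build the post-login redirect, so it is only safe when the entrypoint serving these routes restricts `forwardedHeaders.trustedIPs` to the real upstream proxy; that entrypoint configuration is not in this diff, so confirm it. The `authResponseHeaders` list also forwards every header the outpost emits, including `X-authentik-jwt`, to an upstream that presumably does not read them; trimming the list to what the application actually consumes limits how far the session token travels. Both points apply identically to the six sibling `Middleware-oidc-forward-auth.yaml` files for radarr-4k, radarr-anime, radarr-standup, radarr, sonarr-anime and sonarr. A comment above the flag, `# relies on the entrypoint's forwardedHeaders.trustedIPs; do not enable without it`, would record the dependency.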
diff --git a/clusters/cl01tl/manifests/radarr-4k/Middleware-oidc-forward-auth.yaml b/clusters/cl01tl/manifests/radarr-4k/Middleware-oidc-forward-auth.yaml
new file mode 100644
index 000000000..3b8f3d594
--- /dev/null
+++ b/clusters/cl01tl/manifests/radarr-4k/Middleware-oidc-forward-auth.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: radarr-4k
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: radarr-4k
+ app.kubernetes.io/part-of: radarr-4k
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/clusters/cl01tl/manifests/radarr-anime/HTTPRoute-radarr-anime.yaml b/clusters/cl01tl/manifests/radarr-anime/HTTPRoute-radarr-anime.yaml
index 3a841aa1d..3d98099ef 100644
--- a/clusters/cl01tl/manifests/radarr-anime/HTTPRoute-radarr-anime.yaml
+++ b/clusters/cl01tl/manifests/radarr-anime/HTTPRoute-radarr-anime.yaml
@@ -17,6 +17,17 @@ spec:
 hostnames:
 - "radarr-anime.alexlebens.net"
 rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ""
 kind: Service
@@ -28,3 +39,9 @@ spec:
 - path:
 type: PathPrefix
 value: /
+ filters:
+ - extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
+ type: ExtensionRef
diff --git a/clusters/cl01tl/manifests/radarr-anime/Middleware-oidc-forward-auth.yaml b/clusters/cl01tl/manifests/radarr-anime/Middleware-oidc-forward-auth.yaml
new file mode 100644
index 000000000..984461317
--- /dev/null
+++ b/clusters/cl01tl/manifests/radarr-anime/Middleware-oidc-forward-auth.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: radarr-anime
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: radarr-anime
+ app.kubernetes.io/part-of: radarr-anime
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/clusters/cl01tl/manifests/radarr-standup/HTTPRoute-radarr-standup.yaml b/clusters/cl01tl/manifests/radarr-standup/HTTPRoute-radarr-standup.yaml
index 8ce1313c1..0151b8f1b 100644
--- a/clusters/cl01tl/manifests/radarr-standup/HTTPRoute-radarr-standup.yaml
+++ b/clusters/cl01tl/manifests/radarr-standup/HTTPRoute-radarr-standup.yaml
@@ -17,6 +17,17 @@ spec:
 hostnames:
 - "radarr-standup.alexlebens.net"
 rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ""
 kind: Service
@@ -28,3 +39,9 @@ spec:
 - path:
 type: PathPrefix
 value: /
+ filters:
+ - extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
+ type: ExtensionRef
diff --git a/clusters/cl01tl/manifests/radarr-standup/Middleware-oidc-forward-auth.yaml b/clusters/cl01tl/manifests/radarr-standup/Middleware-oidc-forward-auth.yaml
new file mode 100644
index 000000000..c50544703
--- /dev/null
+++ b/clusters/cl01tl/manifests/radarr-standup/Middleware-oidc-forward-auth.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: radarr-standup
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: radarr-standup
+ app.kubernetes.io/part-of: radarr-standup
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/clusters/cl01tl/manifests/radarr/HTTPRoute-radarr.yaml b/clusters/cl01tl/manifests/radarr/HTTPRoute-radarr.yaml
index c35b94476..9a5116891 100644
--- a/clusters/cl01tl/manifests/radarr/HTTPRoute-radarr.yaml
+++ b/clusters/cl01tl/manifests/radarr/HTTPRoute-radarr.yaml
@@ -17,6 +17,17 @@ spec:
 hostnames:
 - "radarr.alexlebens.net"
 rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ""
 kind: Service
@@ -28,3 +39,9 @@ spec:
 - path:
 type: PathPrefix
 value: /
+ filters:
+ - extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
+ type: ExtensionRef
diff --git a/clusters/cl01tl/manifests/radarr/Middleware-oidc-forward-auth.yaml b/clusters/cl01tl/manifests/radarr/Middleware-oidc-forward-auth.yaml
new file mode 100644
index 000000000..5888c373d
--- /dev/null
+++ b/clusters/cl01tl/manifests/radarr/Middleware-oidc-forward-auth.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: radarr
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: radarr
+ app.kubernetes.io/part-of: radarr
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/clusters/cl01tl/manifests/sonarr-anime/HTTPRoute-sonarr-anime.yaml b/clusters/cl01tl/manifests/sonarr-anime/HTTPRoute-sonarr-anime.yaml
index 0b8a56183..1ac5724e4 100644
--- a/clusters/cl01tl/manifests/sonarr-anime/HTTPRoute-sonarr-anime.yaml
+++ b/clusters/cl01tl/manifests/sonarr-anime/HTTPRoute-sonarr-anime.yaml
@@ -17,6 +17,17 @@ spec:
 hostnames:
 - "sonarr-anime.alexlebens.net"
 rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ""
 kind: Service
@@ -28,3 +39,9 @@ spec:
 - path:
 type: PathPrefix
 value: /
+ filters:
+ - extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
+ type: ExtensionRef
diff --git a/clusters/cl01tl/manifests/sonarr-anime/Middleware-oidc-forward-auth.yaml b/clusters/cl01tl/manifests/sonarr-anime/Middleware-oidc-forward-auth.yaml
new file mode 100644
index 000000000..0aa164b03
--- /dev/null
+++ b/clusters/cl01tl/manifests/sonarr-anime/Middleware-oidc-forward-auth.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: sonarr-anime
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: sonarr-anime
+ app.kubernetes.io/part-of: sonarr-anime
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/clusters/cl01tl/manifests/sonarr/HTTPRoute-sonarr.yaml b/clusters/cl01tl/manifests/sonarr/HTTPRoute-sonarr.yaml
index 455dd77fc..85969cf82 100644
--- a/clusters/cl01tl/manifests/sonarr/HTTPRoute-sonarr.yaml
+++ b/clusters/cl01tl/manifests/sonarr/HTTPRoute-sonarr.yaml
@@ -17,6 +17,17 @@ spec:
 hostnames:
 - "sonarr.alexlebens.net"
 rules:
+ - backendRefs:
+ - group: ""
+ kind: Service
+ name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ""
 kind: Service
@@ -28,3 +39,9 @@ spec:
 - path:
 type: PathPrefix
 value: /
+ filters:
+ - extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
+ type: ExtensionRef
diff --git a/clusters/cl01tl/manifests/sonarr/Middleware-oidc-forward-auth.yaml b/clusters/cl01tl/manifests/sonarr/Middleware-oidc-forward-auth.yaml
new file mode 100644
index 000000000..748c857b6
--- /dev/null
+++ b/clusters/cl01tl/manifests/sonarr/Middleware-oidc-forward-auth.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: sonarr
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: sonarr
+ app.kubernetes.io/part-of: sonarr
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version