diff --git a/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml b/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
index e4b210d6d..c8b139038 100644
--- a/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
+++ b/clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
@@ -9,9 +9,30 @@ metadata:
 app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
 from:
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: lidarr
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: radarr
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: radarr-4k
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: radarr-anime
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: radarr-standup
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: sonarr
 - group: gateway.networking.k8s.io
 kind: HTTPRoute
 namespace: sonarr-4k
+ - group: gateway.networking.k8s.io
+ kind: HTTPRoute
+ namespace: sonarr-anime
 to:
 - group: ""
 kind: Service
diff --git a/clusters/cl01tl/helm/lidarr/templates/middleware.yaml b/clusters/cl01tl/helm/lidarr/templates/middleware.yaml
new file mode 100644
index 000000000..341764b57
--- /dev/null
+++ b/clusters/cl01tl/helm/lidarr/templates/middleware.yaml
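Review bot: Each namespace added under `from` can now attach HTTPRoute backendRefs to Services in the authentik namespace, and the `to` entry visible here stops at `kind: Service`, with the rest of it outside the hunk. If no `name` is set there, the grant covers every Service in that namespace rather than just the proxy outpost that the routes in this commit reference; adding `name: ak-outpost-traefik-proxy-auth` under `to` would scope it to that one Service. The near-identical `from` entries could also be rendered from a values list with `range`, so that adding an application does not mean hand-editing this template.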
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/clusters/cl01tl/helm/lidarr/values.yaml b/clusters/cl01tl/helm/lidarr/values.yaml
index b5ab49c22..41e62be04 100644
--- a/clusters/cl01tl/helm/lidarr/values.yaml
+++ b/clusters/cl01tl/helm/lidarr/values.yaml
@@ -84,12 +84,28 @@ lidarr:
 hostnames:
 - lidarr.alexlebens.net
 rules:
+ - backendRefs:
+ - name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ filters: []
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ''
 kind: Service
 name: lidarr
 port: 80
 weight: 100
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
 matches:
 - path:
 type: PathPrefix
diff --git a/clusters/cl01tl/helm/radarr-4k/templates/middleware.yaml b/clusters/cl01tl/helm/radarr-4k/templates/middleware.yaml
new file mode 100644
index 000000000..341764b57
--- /dev/null
+++ b/clusters/cl01tl/helm/radarr-4k/templates/middleware.yaml
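Review bot: `trustForwardHeader: true` makes Traefik pass any `X-Forwarded-*` headers already on the request through to the authentik outpost, so the outpost's view of host, scheme and client address is only as trustworthy as whatever sits in front of Traefik. Unless the entrypoint restricts forwarded headers to known proxy addresses (not visible in this commit), `trustForwardHeader: false` is the safer setting; otherwise a comment such as `# safe only because the entrypoint limits forwarded headers to trusted proxies` should record the dependency. The `authResponseHeaders` list also hands `X-authentik-jwt` and the user's email and groups to the backend; if the application does not read them, trimming the list keeps identity data out of its logs. The same file is added unchanged (blob 341764b57) for radarr, radarr-4k, radarr-anime, radarr-standup, sonarr and sonarr-anime, so the point applies to each, and a shared template would keep the copies from drifting.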
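Review bot: The `oidc-forward-auth` filter is attached to a single rule, so authentication covers only what that rule's `matches` selects; the `value` of its PathPrefix and any further rules on this route are outside the hunk and should be checked so that no path reaches the `lidarr` Service without the filter. The filter also guards only traffic that enters through this HTTPRoute, and port 80 of the Service presumably stays reachable from other pods unless a NetworkPolicy limits it to the gateway. The new outpost backendRef omits `group: ''` and `kind: Service`, which the existing backendRef spells out; adding them keeps the two consistent. The identical change is made in the values.yaml of radarr, radarr-4k, radarr-anime, radarr-standup, sonarr and sonarr-anime.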
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/clusters/cl01tl/helm/radarr-4k/values.yaml b/clusters/cl01tl/helm/radarr-4k/values.yaml
index 5033f8a82..607a68a55 100644
--- a/clusters/cl01tl/helm/radarr-4k/values.yaml
+++ b/clusters/cl01tl/helm/radarr-4k/values.yaml
@@ -84,12 +84,28 @@ radarr-4k:
 hostnames:
 - radarr-4k.alexlebens.net
 rules:
+ - backendRefs:
+ - name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ filters: []
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ''
 kind: Service
 name: radarr-4k
 port: 80
 weight: 100
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
 matches:
 - path:
 type: PathPrefix
diff --git a/clusters/cl01tl/helm/radarr-anime/templates/middleware.yaml b/clusters/cl01tl/helm/radarr-anime/templates/middleware.yaml
new file mode 100644
index 000000000..341764b57
--- /dev/null
+++ b/clusters/cl01tl/helm/radarr-anime/templates/middleware.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/clusters/cl01tl/helm/radarr-anime/values.yaml b/clusters/cl01tl/helm/radarr-anime/values.yaml
index 4e1228b67..cfde8f7b2 100644
--- a/clusters/cl01tl/helm/radarr-anime/values.yaml
+++ b/clusters/cl01tl/helm/radarr-anime/values.yaml
@@ -82,12 +82,28 @@ radarr-anime:
 hostnames:
 - radarr-anime.alexlebens.net
 rules:
+ - backendRefs:
+ - name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ filters: []
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ''
 kind: Service
 name: radarr-anime
 port: 80
 weight: 100
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
 matches:
 - path:
 type: PathPrefix
diff --git a/clusters/cl01tl/helm/radarr-standup/templates/middleware.yaml b/clusters/cl01tl/helm/radarr-standup/templates/middleware.yaml
new file mode 100644
index 000000000..341764b57
--- /dev/null
+++ b/clusters/cl01tl/helm/radarr-standup/templates/middleware.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/clusters/cl01tl/helm/radarr-standup/values.yaml b/clusters/cl01tl/helm/radarr-standup/values.yaml
index f7a6ce707..de4ebbd32 100644
--- a/clusters/cl01tl/helm/radarr-standup/values.yaml
+++ b/clusters/cl01tl/helm/radarr-standup/values.yaml
@@ -82,12 +82,28 @@ radarr-standup:
 hostnames:
 - radarr-standup.alexlebens.net
 rules:
+ - backendRefs:
+ - name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ filters: []
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ''
 kind: Service
 name: radarr-standup
 port: 80
 weight: 100
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
 matches:
 - path:
 type: PathPrefix
diff --git a/clusters/cl01tl/helm/radarr/templates/middleware.yaml b/clusters/cl01tl/helm/radarr/templates/middleware.yaml
new file mode 100644
index 000000000..341764b57
--- /dev/null
+++ b/clusters/cl01tl/helm/radarr/templates/middleware.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/clusters/cl01tl/helm/radarr/values.yaml b/clusters/cl01tl/helm/radarr/values.yaml
index ad11b5890..cd05e67da 100644
--- a/clusters/cl01tl/helm/radarr/values.yaml
+++ b/clusters/cl01tl/helm/radarr/values.yaml
@@ -84,12 +84,28 @@ radarr:
 hostnames:
 - radarr.alexlebens.net
 rules:
+ - backendRefs:
+ - name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ filters: []
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ''
 kind: Service
 name: radarr
 port: 80
 weight: 100
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
 matches:
 - path:
 type: PathPrefix
diff --git a/clusters/cl01tl/helm/sonarr-anime/templates/middleware.yaml b/clusters/cl01tl/helm/sonarr-anime/templates/middleware.yaml
new file mode 100644
index 000000000..341764b57
--- /dev/null
+++ b/clusters/cl01tl/helm/sonarr-anime/templates/middleware.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/clusters/cl01tl/helm/sonarr-anime/values.yaml b/clusters/cl01tl/helm/sonarr-anime/values.yaml
index 67c481f61..e4f5150cb 100644
--- a/clusters/cl01tl/helm/sonarr-anime/values.yaml
+++ b/clusters/cl01tl/helm/sonarr-anime/values.yaml
@@ -82,12 +82,28 @@ sonarr-anime:
 hostnames:
 - sonarr-anime.alexlebens.net
 rules:
+ - backendRefs:
+ - name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ filters: []
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ''
 kind: Service
 name: sonarr-anime
 port: 80
 weight: 100
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
 matches:
 - path:
 type: PathPrefix
diff --git a/clusters/cl01tl/helm/sonarr/templates/middleware.yaml b/clusters/cl01tl/helm/sonarr/templates/middleware.yaml
new file mode 100644
index 000000000..341764b57
--- /dev/null
+++ b/clusters/cl01tl/helm/sonarr/templates/middleware.yaml
@@ -0,0 +1,26 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: oidc-forward-auth
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: oidc-forward-auth
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ forwardAuth:
+ address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
+ trustForwardHeader: true
+ authResponseHeaders:
+ - X-authentik-username
+ - X-authentik-groups
+ - X-authentik-entitlements
+ - X-authentik-email
+ - X-authentik-name
+ - X-authentik-uid
+ - X-authentik-jwt
+ - X-authentik-meta-jwks
+ - X-authentik-meta-outpost
+ - X-authentik-meta-provider
+ - X-authentik-meta-app
+ - X-authentik-meta-version
diff --git a/clusters/cl01tl/helm/sonarr/values.yaml b/clusters/cl01tl/helm/sonarr/values.yaml
index e04c9ee1d..e5c60e4f4 100644
--- a/clusters/cl01tl/helm/sonarr/values.yaml
+++ b/clusters/cl01tl/helm/sonarr/values.yaml
@@ -82,12 +82,28 @@ sonarr:
 hostnames:
 - sonarr.alexlebens.net
 rules:
+ - backendRefs:
+ - name: ak-outpost-traefik-proxy-auth
+ namespace: authentik
+ port: 9000
+ weight: 100
+ filters: []
+ matches:
+ - path:
+ type: PathPrefix
+ value: /outpost.goauthentik.io
 - backendRefs:
 - group: ''
 kind: Service
 name: sonarr
 port: 80
 weight: 100
+ filters:
+ - type: ExtensionRef
+ extensionRef:
+ group: traefik.io
+ kind: Middleware
+ name: oidc-forward-auth
 matches:
 - path:
 type: PathPrefix