how to get kubernetes outposts working #294

Open
hydazz opened this issue Oct 28, 2024 · 1 comment

hydazz commented Oct 28, 2024

I have tried for ages to get Kubernetes outpost integration working; from my understanding the authentik-remote-cluster is required even in a same-cluster deployment? And this manages the outposts?

I have tried to deploy the remote cluster, but it's not deploying. Looking at the condition set serviceAccount.create should deploy the authentik-remote-cluster chart?
I've set

    serviceAccount:
      create: true

but it does nothing.
Other than deploying the remote cluster outside of my existing authentik template, if it's actually needed, I cannot find much documentation on this...

My main goal is just to get the outpost integration working, apologies if I'm just being stupid here.
My entire authentik deployment:

    apiVersion: helm.toolkit.fluxcd.io/v2
    kind: HelmRelease
    metadata:
        name: authentik
        namespace: authentik
    spec:
        interval: 5m
        install:
            createNamespace: true
            crds: CreateReplace
            remediation:
                retries: 3
        upgrade:
            crds: CreateReplace
            remediation:
                retries: 3
        chart:
            spec:
                chart: authentik
                version: 2024.8.3
                interval: 5m
                sourceRef:
                    kind: HelmRepository
                    name: authentik
                    namespace: flux-system
        values:
            global:
                deploymentStrategy:
                    type: Recreate
            authentik:
                secret_key: ENC[AES256_GCM,data:B5hUuUQKFL3zUwD69NLL+p6IVEYaweNmh4XakTwRgTUxmkocVaGIaGFbzL8w3qxvtgk=,iv:OIlXI8Tjuv5GXGRnMjg/jjZMs3eoSALSsi0StW1XLGE=,tag:xTgE/SnFnrx/yZyQ4WU3LQ==,type:str]
                postgresql:
                    host: postgresql.database.svc.cluster.local
                    user: authentik
                    password: ENC[AES256_GCM,data:BoopI8eH+JItscXXbkY=,iv:Zf2IB/DfPcFl/61WNQt0+A0BIU1Oz4GmXWMhCLtxDu4=,tag:V/1wvCsdS9+PwTFOxjks8Q==,type:str]
                email:
                    host: mail.domain.com
                    port: "587"
                    username: [email protected]
                    password: ENC[AES256_GCM,data:d3rNh+xHFeBmGrPY3PCG4Q==,iv:Ia6h8IMDbMSuLkmDFaw9Be8KsCkw6JNsmuY/8I0Pv2M=,tag:Rgegk8kGRcAipywViP+moA==,type:str]
                    use_tls: true
                    timeout: "30"
                    from: [email protected]
            server:
                ingress:
                    enabled: true
                    ingressClassName: external-nginx
                    hosts:
                        - auth.domain.com
                    tls:
                        - secretName: wildcard.domain.com
                          hosts:
                            - auth.domain.com
                podAnnotations:
                    backup.velero.io/backup-volumes: media
                volumes:
                    - name: media
                      persistentVolumeClaim:
                        claimName: authentik-media-pvc
                    - name: custom-css
                      configMap:
                        name: authentik-custom-css
                volumeMounts:
                    - name: media
                      mountPath: /media
                    - name: custom-css
                      mountPath: /web/dist/custom.css
                      subPath: custom.css
            serviceAccount:
                create: true
            postgresql:
                enabled: false
            redis:
                enabled: true
                master:
                    persistence:
                        size: 128Mi
            authentik-remote-cluster: # shot in the dark
                clusterRole:
                    enabled: true

@mike-pisman

Hi, not sure if you resolved the issue, but authentik-remote-cluster is only needed if your Kubernetes cluster is not running locally. In this case, you would uncheck "Local Cluster" and copy your k8s config.

Assuming your cluster is local, go to Authentik UI > System > Outpost Integrations and check that the k8s integration is working. If there are none, create one with Local Cluster checked. With a working integration, you should be able to go to Applications > Outposts and create a new Outpost. For the integration option, select your local cluster; this will make Authentik communicate with your k8s and create some resources: outpost pod, ingress, service, secrets, etc.


Attention

If your cluster shows as unhealthy, this might be related to the goauthentik/authentik#12464 (comment)

Simply specify the development branch for now for your server and worker, and the 2024.10 (latest is 2024.10.5) image for outposts.

    global:
      image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-version-2024.12

    authentik:
      outposts:
        # -- Template used for managed outposts. The following placeholders can be used
        # %(type)s - the type of the outpost
        # %(version)s - version of your authentik install
        # %(build_hash)s - only for beta versions, the build hash of the image
        # container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
        container_image_base: ghcr.io/goauthentik/%(type)s:2024.10
