trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

providers/proxy: update ingress controller to work with k8s 1.22 

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-10-18 10:00:24 +02:00
parent e5906a4115
commit 98a56c77e3
3 changed files with 59 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Pipfile
View File

@ -26,9 +26,9 @@ drf-spectacular = "*"
facebook-sdk = "*" facebook-sdk = "*"
geoip2 = "*" geoip2 = "*"
gunicorn = "*" gunicorn = "*"
kubernetes = "*" kubernetes = "==v19.15.0b1"
ldap3 = "*" ldap3 = "*"
lxml = ">=4.6.3" lxml = "*"
packaging = "*" packaging = "*"
psycopg2-binary = "*" psycopg2-binary = "*"
pycryptodome = "*" pycryptodome = "*"
@ -52,7 +52,7 @@ codespell = "*"
[dev-packages] [dev-packages]
bandit = "*" bandit = "*"
black = "==21.5b1" black = "==21.9b0"
bump2version = "*" bump2version = "*"
colorama = "*" colorama = "*"
coverage = {extras = ["toml"],version = "*"} coverage = {extras = ["toml"],version = "*"}

31
Pipfile.lock generated
View File

@ -1,7 +1,7 @@
{ {
"_meta": { "_meta": {
"hash": { "hash": {
"sha256": "2928ad096a32a4ed1b96c4357a52bf111ca8b9000b86d9d1f2f1afb8318fab29" "sha256": "ca7c64798cac0dfeb6aa088d6bf0261895398db26c4769274b77ef974ee06501"
}, },
"pipfile-spec": 6, "pipfile-spec": 6,
"requires": {}, "requires": {},
@ -650,11 +650,11 @@
}, },
"kubernetes": { "kubernetes": {
"hashes": [ "hashes": [
"sha256:0c72d00e7883375bd39ae99758425f5e6cb86388417cf7cc84305c211b2192cf", "sha256:82d7d58f3e3b59fee227740e01af8d14e5d853d37cef6e71b4ee51a4f1a5d0d8",
"sha256:ff31ec17437293e7d4e1459f1228c42d27c7724dfb56b4868aba7a901a5b72c9" "sha256:b7fce8b8d8e92d8023929d83cdb5e6e381f99e905d4488533c05280e18a03ced"
], ],
"index": "pypi", "index": "pypi",
"version": "==18.20.0" "version": "==v19.15.0b1"
}, },
"ldap3": { "ldap3": {
"hashes": [ "hashes": [
@ -1527,13 +1527,6 @@
} }
}, },
"develop": { "develop": {
"appdirs": {
"hashes": [
"sha256:7d5d0167b2b1ba821647616af46a749d1c653740dd0d2415100fe26e27afdf41",
"sha256:a841dacd6b99318a741b166adb07e19ee71a274450e68237b4650ca1055ab128"
],
"version": "==1.4.4"
},
"astroid": { "astroid": {
"hashes": [ "hashes": [
"sha256:0e361da0744d5011d4f5d57e64473ba9b7ab4da1e2d45d6631ebd67dd28c3cce", "sha256:0e361da0744d5011d4f5d57e64473ba9b7ab4da1e2d45d6631ebd67dd28c3cce",
@ -1568,11 +1561,11 @@
}, },
"black": { "black": {
"hashes": [ "hashes": [
"sha256:23695358dbcb3deafe7f0a3ad89feee5999a46be5fec21f4f1d108be0bcdb3b1", "sha256:380f1b5da05e5a1429225676655dddb96f5ae8c75bdf91e53d798871b902a115",
"sha256:8a60071a0043876a4ae96e6c69bd3a127dad2c1ca7c8083573eb82f92705d008" "sha256:7de4cfc7eb6b710de325712d40125689101d21d25283eed7e9998722cf10eb91"
], ],
"index": "pypi", "index": "pypi",
"version": "==21.5b1" "version": "==21.9b0"
}, },
"bump2version": { "bump2version": {
"hashes": [ "hashes": [
@ -1778,7 +1771,7 @@
"sha256:9c2ea1e62d871267b78307fe511c0838ba0da28698c5732d54e2790bf3ba9899", "sha256:9c2ea1e62d871267b78307fe511c0838ba0da28698c5732d54e2790bf3ba9899",
"sha256:e17d6e2b81095c9db0a03a8025a957f334d6ea30b26f9ec70805411e5c7c81f2" "sha256:e17d6e2b81095c9db0a03a8025a957f334d6ea30b26f9ec70805411e5c7c81f2"
], ],
"markers": "python_version < '4.0' and python_full_version >= '3.6.1'", "markers": "python_version < '4' and python_full_version >= '3.6.1'",
"version": "==5.9.3" "version": "==5.9.3"
}, },
"lazy-object-proxy": { "lazy-object-proxy": {
@ -2125,6 +2118,14 @@
"markers": "python_version >= '3.5'", "markers": "python_version >= '3.5'",
"version": "==0.9.2" "version": "==0.9.2"
}, },
"typing-extensions": {
"hashes": [
"sha256:49f75d16ff11f1cd258e1b988ccff82a3ca5570217d7ad8c5f48205dd99a677e",
"sha256:d8226d10bc02a29bcc81df19a26e56a9647f8b0a6d4a83924139f4a8b01f17b7",
"sha256:f1d25edafde516b146ecd0613dabcc61409817af4766fbbcfb8d1ad4ec441a34"
],
"version": "==3.10.0.2"
},
"urllib3": { "urllib3": {
"extras": [ "extras": [
"secure" "secure"

72
authentik/providers/proxy/controllers/k8s/ingress.py
View File

@ -3,15 +3,17 @@ from typing import TYPE_CHECKING
from urllib.parse import urlparse from urllib.parse import urlparse
from kubernetes.client import ( from kubernetes.client import (
NetworkingV1beta1Api, NetworkingV1Api,
NetworkingV1beta1HTTPIngressPath, V1HTTPIngressPath,
NetworkingV1beta1HTTPIngressRuleValue, V1HTTPIngressRuleValue,
NetworkingV1beta1Ingress, V1Ingress,
NetworkingV1beta1IngressBackend, V1IngressSpec,
NetworkingV1beta1IngressSpec, V1IngressTLS,
NetworkingV1beta1IngressTLS, V1ServiceBackendPort,
) )
from kubernetes.client.models.networking_v1beta1_ingress_rule import NetworkingV1beta1IngressRule from kubernetes.client.models.v1_ingress_backend import V1IngressBackend
from kubernetes.client.models.v1_ingress_rule import V1IngressRule
from kubernetes.client.models.v1_ingress_service_backend import V1IngressServiceBackend
from authentik.outposts.controllers.base import FIELD_MANAGER from authentik.outposts.controllers.base import FIELD_MANAGER
from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
@ -22,14 +24,14 @@ if TYPE_CHECKING:
from authentik.outposts.controllers.kubernetes import KubernetesController from authentik.outposts.controllers.kubernetes import KubernetesController
class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]): class IngressReconciler(KubernetesObjectReconciler[V1Ingress]):
"""Kubernetes Ingress Reconciler""" """Kubernetes Ingress Reconciler"""
def __init__(self, controller: "KubernetesController") -> None: def __init__(self, controller: "KubernetesController") -> None:
super().__init__(controller) super().__init__(controller)
self.api = NetworkingV1beta1Api(controller.client) self.api = NetworkingV1Api(controller.client)
def _check_annotations(self, reference: NetworkingV1beta1Ingress): def _check_annotations(self, reference: V1Ingress):
"""Check that all annotations *we* set are correct""" """Check that all annotations *we* set are correct"""
for key, value in self.get_ingress_annotations().items(): for key, value in self.get_ingress_annotations().items():
if key not in reference.metadata.annotations: if key not in reference.metadata.annotations:
@ -37,7 +39,7 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
if reference.metadata.annotations[key] != value: if reference.metadata.annotations[key] != value:
raise NeedsUpdate() raise NeedsUpdate()
def reconcile(self, current: NetworkingV1beta1Ingress, reference: NetworkingV1beta1Ingress): def reconcile(self, current: V1Ingress, reference: V1Ingress):
super().reconcile(current, reference) super().reconcile(current, reference)
self._check_annotations(reference) self._check_annotations(reference)
# Create a list of all expected host and tls hosts # Create a list of all expected host and tls hosts
@ -93,7 +95,7 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
annotations.update(self.controller.outpost.config.kubernetes_ingress_annotations) annotations.update(self.controller.outpost.config.kubernetes_ingress_annotations)
return annotations return annotations
def get_reference_object(self) -> NetworkingV1beta1Ingress: def get_reference_object(self) -> V1Ingress:
"""Get deployment object for outpost""" """Get deployment object for outpost"""
meta = self.get_object_meta( meta = self.get_object_meta(
name=self.name, name=self.name,
@ -112,31 +114,37 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
ProxyMode.FORWARD_SINGLE, ProxyMode.FORWARD_SINGLE,
ProxyMode.FORWARD_DOMAIN, ProxyMode.FORWARD_DOMAIN,
]: ]:
rule = NetworkingV1beta1IngressRule( rule = V1IngressRule(
host=external_host_name.hostname, host=external_host_name.hostname,
http=NetworkingV1beta1HTTPIngressRuleValue( http=V1HTTPIngressRuleValue(
paths=[ paths=[
NetworkingV1beta1HTTPIngressPath( V1HTTPIngressPath(
backend=NetworkingV1beta1IngressBackend( backend=V1IngressBackend(
service_name=self.name, service=V1IngressServiceBackend(
service_port="http", name=self.name,
port=V1ServiceBackendPort(name="http"),
),
), ),
path="/akprox", path="/akprox",
path_type="ImplementationSpecific",
) )
] ]
), ),
) )
else: else:
rule = NetworkingV1beta1IngressRule( rule = V1IngressRule(
host=external_host_name.hostname, host=external_host_name.hostname,
http=NetworkingV1beta1HTTPIngressRuleValue( http=V1HTTPIngressRuleValue(
paths=[ paths=[
NetworkingV1beta1HTTPIngressPath( V1HTTPIngressPath(
backend=NetworkingV1beta1IngressBackend( backend=V1IngressBackend(
service_name=self.name, service=V1IngressServiceBackend(
service_port="http", name=self.name,
port=V1ServiceBackendPort(name="http"),
),
), ),
path="/", path="/",
path_type="ImplementationSpecific",
) )
] ]
), ),
@ -144,16 +152,16 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
rules.append(rule) rules.append(rule)
tls_config = None tls_config = None
if tls_hosts: if tls_hosts:
tls_config = NetworkingV1beta1IngressTLS( tls_config = V1IngressTLS(
hosts=tls_hosts, hosts=tls_hosts,
secret_name=self.controller.outpost.config.kubernetes_ingress_secret_name, secret_name=self.controller.outpost.config.kubernetes_ingress_secret_name,
) )
return NetworkingV1beta1Ingress( return V1Ingress(
metadata=meta, metadata=meta,
spec=NetworkingV1beta1IngressSpec(rules=rules, tls=[tls_config]), spec=V1IngressSpec(rules=rules, tls=[tls_config]),
) )
def create(self, reference: NetworkingV1beta1Ingress): def create(self, reference: V1Ingress):
if len(reference.spec.rules) < 1: if len(reference.spec.rules) < 1:
self.logger.debug("No hosts defined, not creating ingress.") self.logger.debug("No hosts defined, not creating ingress.")
return None return None
@ -161,13 +169,13 @@ class IngressReconciler(KubernetesObjectReconciler[NetworkingV1beta1Ingress]):
self.namespace, reference, field_manager=FIELD_MANAGER self.namespace, reference, field_manager=FIELD_MANAGER
) )
def delete(self, reference: NetworkingV1beta1Ingress): def delete(self, reference: V1Ingress):
return self.api.delete_namespaced_ingress(reference.metadata.name, self.namespace) return self.api.delete_namespaced_ingress(reference.metadata.name, self.namespace)
def retrieve(self) -> NetworkingV1beta1Ingress: def retrieve(self) -> V1Ingress:
return self.api.read_namespaced_ingress(self.name, self.namespace) return self.api.read_namespaced_ingress(self.name, self.namespace)
def update(self, current: NetworkingV1beta1Ingress, reference: NetworkingV1beta1Ingress): def update(self, current: V1Ingress, reference: V1Ingress):
return self.api.patch_namespaced_ingress( return self.api.patch_namespaced_ingress(
current.metadata.name, current.metadata.name,
self.namespace, self.namespace,