Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(charts/authentik): add blueprints-sidecar to collect from cluster #146

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

genofire
Copy link
Contributor

@genofire genofire commented Apr 6, 2023

fix:

Helm values:

serviceAccount:
  create: true
sidecar:
  blueprints:
    enabled: true
    namespace: "ALL" <1>

<1> normally just current namespace

Collects ConfigMaps and Secrets based on label and put them into goauthentik, here an example ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: goauthentik-blueprint-sidecar-test
  namespace: "default"
  labels:
    goauthentik_blueprint: "1"
data:
  test.yaml: |-
    version: 1
    metadata:
      name: sidecar-test
    entries: []

@genofire genofire force-pushed the feat/blueprints-sidecar branch 3 times, most recently from ecf0dce to 779cd53 Compare April 6, 2023 00:35
@genofire genofire marked this pull request as ready for review April 6, 2023 00:42
@genofire genofire force-pushed the feat/blueprints-sidecar branch 2 times, most recently from e029b1d to 9a2529a Compare April 6, 2023 07:29
@genofire
Copy link
Contributor Author

@BeryJu please review

@genofire genofire force-pushed the feat/blueprints-sidecar branch 4 times, most recently from ab19593 to e0050a0 Compare April 18, 2023 15:16
@genofire
Copy link
Contributor Author

genofire commented Apr 18, 2023

@BeryJu i do not know where this CI error cames from:

Error: INSTALLATION FAILED: serviceaccounts "authentik-q63g50s5tb" already exists

@genofire genofire force-pushed the feat/blueprints-sidecar branch 4 times, most recently from 122c5c1 to 7be14dd Compare April 18, 2023 17:14
@genofire
Copy link
Contributor Author

solved

@benedikt-bartscher
Copy link

#156

@genofire
Copy link
Contributor Author

thanks @benedikt-bartscher i will add the sidecar to all component

@genofire genofire force-pushed the feat/blueprints-sidecar branch from 7be14dd to 521f6f2 Compare May 14, 2023 14:28
@genofire
Copy link
Contributor Author

done - lets review again

@holmesb
Copy link

holmesb commented May 30, 2024

I can vouch that this sidecar works as expected. Nice work @genofire. New configmaps with label goauthentik_blueprint: "1" and:

data:
  blueprint_test.yaml: |
    <blueprint yaml>

(or any other yaml filename) result in blueprint in Authentik. Deletion of configmap removes from Authentik. Be great to get this merged. I've not tried the operator, but this seems a lower-effort way to deliver gitops blueprints. CRD & controller will have to be kept up-to-date with the blueprint spec. This is lower maintenance.

@holmesb
Copy link

holmesb commented Jun 5, 2024

Only downside is blueprints containing secrets referred to using env var tag eg !Env <app>_client_secret don't get updated. When these env vars are mounted using helm chart value: worker.envFrom[0].secretRef.name: <my_k8_secret_containing_env_vars_to_mount_in_authentik_worker> and this secret is updated (eg an oauth client_secret is changed), the env vars mounted don't change until worker restart, nor does the blueprint get reloaded and update the Authentik construct defined in the blueprint. I guess the solution would be for this sidecar to watch for changes to the worker.envFrom[0].secretRef.name secret, and reload blueprints when it does. Happy to break this out into a separate issue, as sidecar needs to be implemented first!

@genofire
Copy link
Contributor Author

you could store the blueprint in a kubernetes Secret eigther (instatt of ConfigMap).

So your secrets are stored secure.

For your problem, maybe there could this operator works reloader

@holmesb
Copy link

holmesb commented Jun 18, 2024

Good suggestions. Long story, but need to stick with configMaps and !Env <my_env_var>. Reloader now rolling-restarts my worker pods when the secret that defines env vars changes, and I'm patching the worker deployment so it runs ak apply_blueprint to apply sidecar blueprints at startup (which have access to new env vars). When this PR is merged, I'll create a new PR, as I think applying blueprints at startup will be useful as an option beyond this use-case to prevent drift. Maybe worker.applySidecarBlueprintsAtStartup: true\false, with default of false?

Nearly gitops Authentik :-) Just need resources created by deleted blueprints to be cleaned up.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants