homelab/operator
1
0
Fork 0
mirror of https://github.com/morten-olsen/homelab-operator.git synced 2026-02-08 01:36:28 +01:00
Code Issues Packages Projects Releases Wiki Activity

lot of updates

Browse Source
This commit is contained in:
Morten Olsen
2025-08-01 14:40:16 +02:00
parent a25e0b9ffb
commit 26b58a59c0
16 changed files with 694 additions and 435 deletions
Download Patch File Download Diff File Expand all files Collapse all files

225
src/services/authentik/authentik.instance.ts Normal file
View File

@@ -0,0 +1,225 @@
import { createAuthentikClient, type AuthentikClient } from '../../clients/authentik/authentik.ts';
import type { Services } from '../../utils/service.ts';
import type { AuthentikServerInfo, UpsertClientRequest, UpsertGroupRequest } from './authentik.types.ts';
type AuthentikInstanceOptions = {
info: AuthentikServerInfo;
services: Services;
};
const DEFAULT_AUTHORIZATION_FLOW = 'default-provider-authorization-implicit-consent';
const DEFAULT_INVALIDATION_FLOW = 'default-invalidation-flow';
const DEFAULT_SCOPES = ['openid', 'email', 'profile', 'offline_access'];
class AuthentikInstance {
#options: AuthentikInstanceOptions;
#client: AuthentikClient;
constructor(options: AuthentikInstanceOptions) {
this.#options = options;
const baseUrl = new URL('/api/v3', options.info.url.internal).toString();
options.services.log.debug('Using Authentik base URL', { baseUrl });
this.#client = createAuthentikClient({
baseUrl,
token: options.info.token,
});
}
#upsertApplication = async (request: UpsertClientRequest, provider: number, pk?: string) => {
const client = this.#client;
if (!pk) {
return await client.core.coreApplicationsCreate({
applicationRequest: {
name: request.name,
slug: request.name,
provider,
},
});
}
return await client.core.coreApplicationsUpdate({
slug: request.name,
applicationRequest: {
name: request.name,
slug: request.name,
provider,
},
});
};
#upsertProvider = async (request: UpsertClientRequest, pk?: number) => {
const flows = await this.getFlows();
const authorizationFlow = flows.results.find(
(flow) => flow.slug === (request.flows?.authorization ?? DEFAULT_AUTHORIZATION_FLOW),
);
const invalidationFlow = flows.results.find(
(flow) => flow.slug === (request.flows?.invalidation ?? DEFAULT_INVALIDATION_FLOW),
);
if (!authorizationFlow || !invalidationFlow) {
throw new Error('Authorization and invalidation flows not found');
}
const scopes = await this.getScopePropertyMappings();
const scopePropertyMapping = (request.scopes ?? DEFAULT_SCOPES)
.map((scope) => scopes.results.find((mapping) => mapping.scopeName === scope)?.pk)
.filter(Boolean) as string[];
const client = this.#client;
if (!pk) {
return await client.providers.providersOauth2Create({
oAuth2ProviderRequest: {
name: request.name,
clientId: request.name,
clientSecret: request.secret,
redirectUris: request.redirectUris,
authorizationFlow: authorizationFlow.pk,
invalidationFlow: invalidationFlow.pk,
propertyMappings: scopePropertyMapping,
clientType: request.clientType,
subMode: request.subMode,
accessCodeValidity: request.timing?.accessCodeValidity,
accessTokenValidity: request.timing?.accessTokenValidity,
refreshTokenValidity: request.timing?.refreshTokenValidity,
},
});
}
return await client.providers.providersOauth2Update({
id: pk,
oAuth2ProviderRequest: {
name: request.name,
clientId: request.name,
clientSecret: request.secret,
redirectUris: request.redirectUris,
authorizationFlow: authorizationFlow.pk,
invalidationFlow: invalidationFlow.pk,
propertyMappings: scopePropertyMapping,
clientType: request.clientType,
subMode: request.subMode,
accessCodeValidity: request.timing?.accessCodeValidity,
accessTokenValidity: request.timing?.accessTokenValidity,
refreshTokenValidity: request.timing?.refreshTokenValidity,
},
});
};
public getGroupFromName = async (name: string) => {
const client = this.#client;
const groups = await client.core.coreGroupsList({
search: name,
});
return groups.results.find((group) => group.name === name);
};
public getScopePropertyMappings = async () => {
const client = this.#client;
const mappings = await client.propertymappings.propertymappingsProviderScopeList({});
return mappings;
};
public getApplicationFromSlug = async (slug: string) => {
const client = this.#client;
const applications = await client.core.coreApplicationsList({
search: slug,
});
const application = applications.results.find((app) => app.slug === slug);
return application;
};
public getProviderFromClientId = async (clientId: string) => {
const client = this.#client;
const providers = await client.providers.providersOauth2List({
clientId,
});
return providers.results.find((provider) => provider.clientId === clientId);
};
public getFlows = async () => {
const client = this.#client;
const flows = await client.flows.flowsInstancesList();
return flows;
};
public upsertClient = async (request: UpsertClientRequest) => {
const url = this.#options.info.url.external;
try {
let provider = await this.getProviderFromClientId(request.name);
provider = await this.#upsertProvider(request, provider?.pk);
let application = await this.getApplicationFromSlug(request.name);
application = await this.#upsertApplication(request, provider.pk, application?.pk);
const config = {
provider: {
id: provider.pk,
name: provider.name,
clientId: provider.clientId,
clientSecret: provider.clientSecret,
clientType: provider.clientType,
subMode: provider.subMode,
redirectUris: provider.redirectUris,
scopes: provider.propertyMappings,
timing: {
accessCodeValidity: provider.accessCodeValidity,
accessTokenValidity: provider.accessTokenValidity,
refreshTokenValidity: provider.refreshTokenValidity,
},
},
application: {
id: application.pk,
name: application.name,
slug: application.slug,
provider: provider.pk,
},
urls: {
configuration: new URL(`/application/o/${provider.name}/.well-known/openid-configuration`, url).toString(),
configurationIssuer: new URL(`/application/o/${provider.name}/`, url).toString(),
authorization: new URL(`/application/o/${provider.name}/authorize/`, url).toString(),
token: new URL(`/application/o/${provider.name}/token/`, url).toString(),
userinfo: new URL(`/application/o/${provider.name}/userinfo/`, url).toString(),
endSession: new URL(`/application/o/${provider.name}/end-session/`, url).toString(),
jwks: new URL(`/application/o/${provider.name}/jwks/`, url).toString(),
},
};
return { provider, application, config };
} catch (error: ExpectedAny) {
if ('response' in error) {
throw new Error(await error.response.text());
}
throw error;
}
};
public deleteClient = async (name: string) => {
const provider = await this.getProviderFromClientId(name);
const client = this.#client;
if (provider) {
await client.providers.providersOauth2Destroy({ id: provider.pk });
}
const application = await this.getApplicationFromSlug(name);
if (application) {
await client.core.coreApplicationsDestroy({ slug: application.name });
}
};
public upsertGroup = async (request: UpsertGroupRequest) => {
const group = await this.getGroupFromName(request.name);
const client = this.#client;
if (!group) {
await client.core.coreGroupsCreate({
groupRequest: {
name: request.name,
attributes: request.attributes,
},
});
} else {
await client.core.coreGroupsUpdate({
groupUuid: group.pk,
groupRequest: {
name: request.name,
attributes: request.attributes,
},
});
}
};
}
export { AuthentikInstance, type AuthentikInstanceOptions };

228
src/services/authentik/authentik.service.ts
View File

@@ -1,237 +1,21 @@
import type { Services } from '../../utils/service.ts';
import { createAuthentikClient, type AuthentikClient } from '../../clients/authentik/authentik.ts';
import type { UpsertClientRequest, UpsertGroupRequest } from './authentik.types.ts';
import { setupAuthentik } from './authentik.setup.ts';
const DEFAULT_AUTHORIZATION_FLOW = 'default-provider-authorization-implicit-consent';
const DEFAULT_INVALIDATION_FLOW = 'default-invalidation-flow';
const DEFAULT_SCOPES = ['openid', 'email', 'profile', 'offline_access'];
import type { AuthentikServerInfo } from './authentik.types.ts';
import { AuthentikInstance } from './authentik.instance.ts';
class AuthentikService {
#services: Services;
#init?: Promise<AuthentikClient>;
constructor(services: Services) {
this.#services = services;
}
public getPublicUrl = async () => {
return '';
};
#getClient = () => {
if (!this.#init) {
this.#init = this.#create();
}
return this.#init;
};
#upsertApplication = async (request: UpsertClientRequest, provider: number, pk?: string) => {
const client = await this.#getClient();
if (!pk) {
return await client.core.coreApplicationsCreate({
applicationRequest: {
name: request.name,
slug: request.name,
provider,
},
});
}
return await client.core.coreApplicationsUpdate({
slug: request.name,
applicationRequest: {
name: request.name,
slug: request.name,
provider,
},
public get = async (info: AuthentikServerInfo) => {
return new AuthentikInstance({
info,
services: this.#services,
});
};
#upsertProvider = async (request: UpsertClientRequest, pk?: number) => {
const flows = await this.getFlows();
const authorizationFlow = flows.results.find(
(flow) => flow.slug === (request.flows?.authorization ?? DEFAULT_AUTHORIZATION_FLOW),
);
const invalidationFlow = flows.results.find(
(flow) => flow.slug === (request.flows?.invalidation ?? DEFAULT_INVALIDATION_FLOW),
);
if (!authorizationFlow || !invalidationFlow) {
throw new Error('Authorization and invalidation flows not found');
}
const scopes = await this.getScopePropertyMappings();
const scopePropertyMapping = (request.scopes ?? DEFAULT_SCOPES)
.map((scope) => scopes.results.find((mapping) => mapping.scopeName === scope)?.pk)
.filter(Boolean) as string[];
const client = await this.#getClient();
if (!pk) {
return await client.providers.providersOauth2Create({
oAuth2ProviderRequest: {
name: request.name,
clientId: request.name,
clientSecret: request.secret,
redirectUris: request.redirectUris,
authorizationFlow: authorizationFlow.pk,
invalidationFlow: invalidationFlow.pk,
propertyMappings: scopePropertyMapping,
clientType: request.clientType,
subMode: request.subMode,
accessCodeValidity: request.timing?.accessCodeValidity,
accessTokenValidity: request.timing?.accessTokenValidity,
refreshTokenValidity: request.timing?.refreshTokenValidity,
},
});
}
return await client.providers.providersOauth2Update({
id: pk,
oAuth2ProviderRequest: {
name: request.name,
clientId: request.name,
clientSecret: request.secret,
redirectUris: request.redirectUris,
authorizationFlow: authorizationFlow.pk,
invalidationFlow: invalidationFlow.pk,
propertyMappings: scopePropertyMapping,
clientType: request.clientType,
subMode: request.subMode,
accessCodeValidity: request.timing?.accessCodeValidity,
accessTokenValidity: request.timing?.accessTokenValidity,
refreshTokenValidity: request.timing?.refreshTokenValidity,
},
});
};
#create = async () => {
const { url, token } = await setupAuthentik(this.#services);
return createAuthentikClient({
baseUrl: new URL('api/v3', url).toString(),
token: token,
});
};
public getGroupFromName = async (name: string) => {
const client = await this.#getClient();
const groups = await client.core.coreGroupsList({
search: name,
});
return groups.results.find((group) => group.name === name);
};
public getScopePropertyMappings = async () => {
const client = await this.#getClient();
const mappings = await client.propertymappings.propertymappingsProviderScopeList({});
return mappings;
};
public getApplicationFromSlug = async (slug: string) => {
const client = await this.#getClient();
const applications = await client.core.coreApplicationsList({
search: slug,
});
const application = applications.results.find((app) => app.slug === slug);
return application;
};
public getProviderFromClientId = async (clientId: string) => {
const client = await this.#getClient();
const providers = await client.providers.providersOauth2List({
clientId,
});
return providers.results.find((provider) => provider.clientId === clientId);
};
public getFlows = async () => {
const client = await this.#getClient();
const flows = await client.flows.flowsInstancesList();
return flows;
};
public upsertClient = async (request: UpsertClientRequest) => {
const url = await this.getPublicUrl();
try {
let provider = await this.getProviderFromClientId(request.name);
provider = await this.#upsertProvider(request, provider?.pk);
let application = await this.getApplicationFromSlug(request.name);
application = await this.#upsertApplication(request, provider.pk, application?.pk);
const config = {
provider: {
id: provider.pk,
name: provider.name,
clientId: provider.clientId,
clientSecret: provider.clientSecret,
clientType: provider.clientType,
subMode: provider.subMode,
redirectUris: provider.redirectUris,
scopes: provider.propertyMappings,
timing: {
accessCodeValidity: provider.accessCodeValidity,
accessTokenValidity: provider.accessTokenValidity,
refreshTokenValidity: provider.refreshTokenValidity,
},
},
application: {
id: application.pk,
name: application.name,
slug: application.slug,
provider: provider.pk,
},
urls: {
configuration: new URL(`/application/o/${provider.name}/.well-known/openid-configuration`, url).toString(),
configurationIssuer: new URL(`/application/o/${provider.name}/`, url).toString(),
authorization: new URL(`/application/o/${provider.name}/authorize/`, url).toString(),
token: new URL(`/application/o/${provider.name}/token/`, url).toString(),
userinfo: new URL(`/application/o/${provider.name}/userinfo/`, url).toString(),
endSession: new URL(`/application/o/${provider.name}/end-session/`, url).toString(),
jwks: new URL(`/application/o/${provider.name}/jwks/`, url).toString(),
},
};
return { provider, application, config };
} catch (error: ExpectedAny) {
if ('response' in error) {
throw new Error(await error.response.text());
}
throw error;
}
};
public deleteClient = async (name: string) => {
const provider = await this.getProviderFromClientId(name);
const client = await this.#getClient();
if (provider) {
await client.providers.providersOauth2Destroy({ id: provider.pk });
}
const application = await this.getApplicationFromSlug(name);
if (application) {
await client.core.coreApplicationsDestroy({ slug: application.name });
}
};
public upsertGroup = async (request: UpsertGroupRequest) => {
const group = await this.getGroupFromName(request.name);
const client = await this.#getClient();
if (!group) {
await client.core.coreGroupsCreate({
groupRequest: {
name: request.name,
attributes: request.attributes,
},
});
} else {
await client.core.coreGroupsUpdate({
groupUuid: group.pk,
groupRequest: {
name: request.name,
attributes: request.attributes,
},
});
}
};
public ready = async () => {
await this.#getClient();
};
}
export { AuthentikService };

135
src/services/authentik/authentik.setup.ts
View File

@@ -1,135 +0,0 @@
import { NAMESPACE } from '../../utils/consts.ts';
import type { Services } from '../../utils/service.ts';
import { K8sService } from '../k8s.ts';
import { PostgresService } from '../postgres/postgres.service.ts';
const SECRET = 'WkE/MDsSCe7TyIPtx/16/rwQ3XyyY9QsM450mXZklhR545PZPFoXcfrBhnxYB5jzlIwTmkg7Opgm0FDl'; // TODO: Generate and store
const setupAuthentik = async (services: Services) => {
const namespace = NAMESPACE;
const db = {
name: 'homelab_authentik',
user: 'homelab_authentik',
password: 'sdf908sad0sdf7g98',
};
const k8sService = services.get(K8sService);
const postgresService = services.get(PostgresService);
await postgresService.upsertRole({
name: db.user,
password: db.password,
});
await postgresService.upsertDatabase({
name: db.name,
owner: db.user,
});
const createManifest = (command: string) => ({
apiVersion: 'apps/v1',
kind: 'Deployment',
metadata: {
name: `authentik-${command}`,
namespace: namespace,
labels: {
'app.kubernetes.io/name': `authentik-${command}`,
'argocd.argoproj.io/instance': 'homelab',
},
},
spec: {
replicas: 1,
selector: {
matchLabels: {
'app.kubernetes.io/name': `authentik-${command}`,
},
},
template: {
metadata: {
labels: {
'app.kubernetes.io/name': `authentik-${command}`,
},
},
spec: {
containers: [
{
name: `authentik-${command}`,
image: 'ghcr.io/goauthentik/server:2025.6.4',
// imagePullPolicy: 'ifNot'
args: [command],
env: [
{ name: 'AUTHENTIK_SECRET_KEY', value: SECRET },
{ name: 'AUTHENTIK_POSTGRESQL__HOST', value: 'postgres-postgresql.postgres.svc.cluster.local' },
{
name: 'AUTHENTIK_POSTGRESQL__PORT',
value: '5432',
},
{
name: 'AUTHENTIK_POSTGRESQL__NAME',
value: db.name,
},
{
name: 'AUTHENTIK_POSTGRESQL__USER',
value: db.user,
},
{
name: 'AUTHENTIK_POSTGRESQL__PASSWORD',
value: db.password,
},
{
name: 'AUTHENTIK_REDIS__HOST',
value: 'redis.redis.svc.cluster.local',
},
// {
// name: 'AUTHENTIK_REDIS__PORT',
// value: ''
// }
],
ports: [
{
name: 'http',
containerPort: 9000,
protocol: 'TCP',
},
],
},
],
},
},
},
});
await k8sService.upsert(createManifest('server'));
await k8sService.upsert(createManifest('worker'));
await k8sService.upsert({
apiVersion: 'v1',
kind: 'Service',
metadata: {
name: 'authentik',
namespace,
labels: {
'app.kubernetes.io/name': 'authentik-server',
},
},
spec: {
type: 'ClusterIP',
ports: [
{
port: 9000,
targetPort: 9000,
protocol: 'TCP',
name: 'http',
},
],
selector: {
'app.kubernetes.io/name': 'authentik-server',
},
},
});
return {
url: '',
token: '',
};
};
export { setupAuthentik };

10
src/services/authentik/authentik.types.ts
View File

@@ -1,5 +1,13 @@
import type { ClientTypeEnum, SubModeEnum } from '@goauthentik/api';
type AuthentikServerInfo = {
url: {
internal: string;
external: string;
};
token: string;
};
type UpsertClientRequest = {
name: string;
secret: string;
@@ -26,4 +34,4 @@ type UpsertGroupRequest = {
attributes?: Record<string, string[]>;
};
export type { UpsertClientRequest, UpsertGroupRequest };
export type { AuthentikServerInfo, UpsertClientRequest, UpsertGroupRequest };

19
src/services/k8s.ts
View File

@@ -134,6 +134,25 @@ class K8sService {
});
}
};
public getSecret = async <T extends Record<string, string>>(name: string, namespace?: string) => {
const current = await this.get<ExpectedAny>({
apiVersion: 'v1',
kind: 'Secret',
name,
namespace,
});
if (!current) {
return undefined;
}
const { data } = current.manifest || {};
const decodedData = Object.fromEntries(
Object.entries(data).map(([key, value]) => [key, Buffer.from(String(value), 'base64').toString('utf-8')]),
);
return decodedData as T;
};
}
export { K8sService };

4
src/services/k8s/k8s.manifest.ts
View File

@@ -60,6 +60,10 @@ class Manifest<TSpec> {
this.#options.manifest = obj;
}
public get dependencyId() {
return `${this.metadata.uid}-${this.metadata.generation}`;
}
public get kind(): string {
return this.#options.manifest.kind;
}

9
src/services/log/log.ts
View File

@@ -12,6 +12,15 @@ class LogService {
};
public error = (message: string, data?: Record<string, unknown>, root?: unknown) => {
if (root instanceof AggregateError) {
for (const error of root.errors) {
if (error instanceof Error) {
console.error(error.stack);
} else {
console.error(error);
}
}
}
if (root instanceof Error) {
console.log(root.stack);
}