homelab/operator
1
0
Fork 0
mirror of https://github.com/morten-olsen/homelab-operator.git synced 2026-02-08 01:36:28 +01:00
Code Issues Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Morten Olsen
2025-08-01 07:52:09 +02:00
parent 5782d59f71
commit a25e0b9ffb
17 changed files with 880 additions and 280 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
src/services/authentik/authentik.service.ts
View File

@@ -1,34 +1,36 @@
import type { Services } from '../../utils/service.ts';
import { ConfigService } from '../config/config.ts';
import { createAuthentikClient, type AuthentikClient } from '../../clients/authentik/authentik.ts';
import type { UpsertClientRequest, UpsertGroupRequest } from './authentik.types.ts';
import { setupAuthentik } from './authentik.setup.ts';
const DEFAULT_AUTHORIZATION_FLOW = 'default-provider-authorization-implicit-consent';
const DEFAULT_INVALIDATION_FLOW = 'default-invalidation-flow';
const DEFAULT_SCOPES = ['openid', 'email', 'profile', 'offline_access'];
class AuthentikService {
#client: AuthentikClient;
#services: Services;
#init?: Promise<AuthentikClient>;
constructor(services: Services) {
const config = services.get(ConfigService);
this.#client = createAuthentikClient({
baseUrl: new URL('api/v3', config.authentik.url).toString(),
token: config.authentik.token,
});
this.#services = services;
}
public get url() {
const config = this.#services.get(ConfigService);
return config.authentik.url;
}
public getPublicUrl = async () => {
return '';
};
#getClient = () => {
if (!this.#init) {
this.#init = this.#create();
}
return this.#init;
};
#upsertApplication = async (request: UpsertClientRequest, provider: number, pk?: string) => {
const client = await this.#getClient();
if (!pk) {
return await this.#client.core.coreApplicationsCreate({
return await client.core.coreApplicationsCreate({
applicationRequest: {
name: request.name,
slug: request.name,
@@ -36,7 +38,7 @@ class AuthentikService {
},
});
}
return await this.#client.core.coreApplicationsUpdate({
return await client.core.coreApplicationsUpdate({
slug: request.name,
applicationRequest: {
name: request.name,
@@ -62,8 +64,10 @@ class AuthentikService {
.map((scope) => scopes.results.find((mapping) => mapping.scopeName === scope)?.pk)
.filter(Boolean) as string[];
const client = await this.#getClient();
if (!pk) {
return await this.#client.providers.providersOauth2Create({
return await client.providers.providersOauth2Create({
oAuth2ProviderRequest: {
name: request.name,
clientId: request.name,
@@ -80,7 +84,7 @@ class AuthentikService {
},
});
}
return await this.#client.providers.providersOauth2Update({
return await client.providers.providersOauth2Update({
id: pk,
oAuth2ProviderRequest: {
name: request.name,
@@ -99,20 +103,31 @@ class AuthentikService {
});
};
#create = async () => {
const { url, token } = await setupAuthentik(this.#services);
return createAuthentikClient({
baseUrl: new URL('api/v3', url).toString(),
token: token,
});
};
public getGroupFromName = async (name: string) => {
const groups = await this.#client.core.coreGroupsList({
const client = await this.#getClient();
const groups = await client.core.coreGroupsList({
search: name,
});
return groups.results.find((group) => group.name === name);
};
public getScopePropertyMappings = async () => {
const mappings = await this.#client.propertymappings.propertymappingsProviderScopeList({});
const client = await this.#getClient();
const mappings = await client.propertymappings.propertymappingsProviderScopeList({});
return mappings;
};
public getApplicationFromSlug = async (slug: string) => {
const applications = await this.#client.core.coreApplicationsList({
const client = await this.#getClient();
const applications = await client.core.coreApplicationsList({
search: slug,
});
const application = applications.results.find((app) => app.slug === slug);
@@ -120,18 +135,21 @@ class AuthentikService {
};
public getProviderFromClientId = async (clientId: string) => {
const providers = await this.#client.providers.providersOauth2List({
const client = await this.#getClient();
const providers = await client.providers.providersOauth2List({
clientId,
});
return providers.results.find((provider) => provider.clientId === clientId);
};
public getFlows = async () => {
const flows = await this.#client.flows.flowsInstancesList();
const client = await this.#getClient();
const flows = await client.flows.flowsInstancesList();
return flows;
};
public upsertClient = async (request: UpsertClientRequest) => {
const url = await this.getPublicUrl();
try {
let provider = await this.getProviderFromClientId(request.name);
provider = await this.#upsertProvider(request, provider?.pk);
@@ -160,16 +178,13 @@ class AuthentikService {
provider: provider.pk,
},
urls: {
configuration: new URL(
`/application/o/${provider.name}/.well-known/openid-configuration`,
this.url,
).toString(),
configurationIssuer: new URL(`/application/o/${provider.name}/`, this.url).toString(),
authorization: new URL(`/application/o/${provider.name}/authorize/`, this.url).toString(),
token: new URL(`/application/o/${provider.name}/token/`, this.url).toString(),
userinfo: new URL(`/application/o/${provider.name}/userinfo/`, this.url).toString(),
endSession: new URL(`/application/o/${provider.name}/end-session/`, this.url).toString(),
jwks: new URL(`/application/o/${provider.name}/jwks/`, this.url).toString(),
configuration: new URL(`/application/o/${provider.name}/.well-known/openid-configuration`, url).toString(),
configurationIssuer: new URL(`/application/o/${provider.name}/`, url).toString(),
authorization: new URL(`/application/o/${provider.name}/authorize/`, url).toString(),
token: new URL(`/application/o/${provider.name}/token/`, url).toString(),
userinfo: new URL(`/application/o/${provider.name}/userinfo/`, url).toString(),
endSession: new URL(`/application/o/${provider.name}/end-session/`, url).toString(),
jwks: new URL(`/application/o/${provider.name}/jwks/`, url).toString(),
},
};
return { provider, application, config };
@@ -183,26 +198,28 @@ class AuthentikService {
public deleteClient = async (name: string) => {
const provider = await this.getProviderFromClientId(name);
const client = await this.#getClient();
if (provider) {
await this.#client.providers.providersOauth2Destroy({ id: provider.pk });
await client.providers.providersOauth2Destroy({ id: provider.pk });
}
const application = await this.getApplicationFromSlug(name);
if (application) {
await this.#client.core.coreApplicationsDestroy({ slug: application.name });
await client.core.coreApplicationsDestroy({ slug: application.name });
}
};
public upsertGroup = async (request: UpsertGroupRequest) => {
const group = await this.getGroupFromName(request.name);
const client = await this.#getClient();
if (!group) {
await this.#client.core.coreGroupsCreate({
await client.core.coreGroupsCreate({
groupRequest: {
name: request.name,
attributes: request.attributes,
},
});
} else {
await this.#client.core.coreGroupsUpdate({
await client.core.coreGroupsUpdate({
groupUuid: group.pk,
groupRequest: {
name: request.name,
@@ -211,6 +228,10 @@ class AuthentikService {
});
}
};
public ready = async () => {
await this.#getClient();
};
}
export { AuthentikService };

135
src/services/authentik/authentik.setup.ts Normal file
View File

@@ -0,0 +1,135 @@
import { NAMESPACE } from '../../utils/consts.ts';
import type { Services } from '../../utils/service.ts';
import { K8sService } from '../k8s.ts';
import { PostgresService } from '../postgres/postgres.service.ts';
const SECRET = 'WkE/MDsSCe7TyIPtx/16/rwQ3XyyY9QsM450mXZklhR545PZPFoXcfrBhnxYB5jzlIwTmkg7Opgm0FDl'; // TODO: Generate and store
const setupAuthentik = async (services: Services) => {
const namespace = NAMESPACE;
const db = {
name: 'homelab_authentik',
user: 'homelab_authentik',
password: 'sdf908sad0sdf7g98',
};
const k8sService = services.get(K8sService);
const postgresService = services.get(PostgresService);
await postgresService.upsertRole({
name: db.user,
password: db.password,
});
await postgresService.upsertDatabase({
name: db.name,
owner: db.user,
});
const createManifest = (command: string) => ({
apiVersion: 'apps/v1',
kind: 'Deployment',
metadata: {
name: `authentik-${command}`,
namespace: namespace,
labels: {
'app.kubernetes.io/name': `authentik-${command}`,
'argocd.argoproj.io/instance': 'homelab',
},
},
spec: {
replicas: 1,
selector: {
matchLabels: {
'app.kubernetes.io/name': `authentik-${command}`,
},
},
template: {
metadata: {
labels: {
'app.kubernetes.io/name': `authentik-${command}`,
},
},
spec: {
containers: [
{
name: `authentik-${command}`,
image: 'ghcr.io/goauthentik/server:2025.6.4',
// imagePullPolicy: 'ifNot'
args: [command],
env: [
{ name: 'AUTHENTIK_SECRET_KEY', value: SECRET },
{ name: 'AUTHENTIK_POSTGRESQL__HOST', value: 'postgres-postgresql.postgres.svc.cluster.local' },
{
name: 'AUTHENTIK_POSTGRESQL__PORT',
value: '5432',
},
{
name: 'AUTHENTIK_POSTGRESQL__NAME',
value: db.name,
},
{
name: 'AUTHENTIK_POSTGRESQL__USER',
value: db.user,
},
{
name: 'AUTHENTIK_POSTGRESQL__PASSWORD',
value: db.password,
},
{
name: 'AUTHENTIK_REDIS__HOST',
value: 'redis.redis.svc.cluster.local',
},
// {
// name: 'AUTHENTIK_REDIS__PORT',
// value: ''
// }
],
ports: [
{
name: 'http',
containerPort: 9000,
protocol: 'TCP',
},
],
},
],
},
},
},
});
await k8sService.upsert(createManifest('server'));
await k8sService.upsert(createManifest('worker'));
await k8sService.upsert({
apiVersion: 'v1',
kind: 'Service',
metadata: {
name: 'authentik',
namespace,
labels: {
'app.kubernetes.io/name': 'authentik-server',
},
},
spec: {
type: 'ClusterIP',
ports: [
{
port: 9000,
targetPort: 9000,
protocol: 'TCP',
name: 'http',
},
],
selector: {
'app.kubernetes.io/name': 'authentik-server',
},
},
});
return {
url: '',
token: '',
};
};
export { setupAuthentik };

29
src/services/config/config.ts
View File

@@ -1,4 +1,22 @@
class ConfigService {
public get istio() {
const gateway = process.env.ISTIO_GATEWAY;
if (!gateway) {
throw new Error('ISTIO_GATEWAY must be set');
}
return {
gateway: process.env.ISTIO_GATEWAY,
};
}
public get certManager() {
const certManager = process.env.CERT_MANAGER;
if (!certManager) {
throw new Error('CERT_MANAGER must be set');
}
return certManager;
}
public get postgres() {
const host = process.env.POSTGRES_HOST;
const user = process.env.POSTGRES_USER;
@@ -11,17 +29,6 @@ class ConfigService {
return { host, user, password, port };
}
public get authentik() {
const url = process.env.AUTHENTIK_URL;
const token = process.env.AUTHENTIK_TOKEN;
if (!url || !token) {
throw new Error('AUTHENTIK_URL and AUTHENTIK_TOKEN must be set');
}
return { url, token };
}
}
export { ConfigService };

88
src/services/k8s.ts
View File

@@ -5,9 +5,16 @@ import {
CustomObjectsApi,
EventsV1Api,
KubernetesObjectApi,
ApiException,
PatchStrategy,
} from '@kubernetes/client-node';
import type { Services } from '../utils/service.ts';
import { Manifest } from './k8s/k8s.manifest.ts';
class K8sService {
#services: Services;
#kc: KubeConfig;
#k8sApi: CoreV1Api;
#k8sExtensionsApi: ApiextensionsV1Api;
@@ -15,7 +22,8 @@ class K8sService {
#k8sEventsApi: EventsV1Api;
#k8sObjectsApi: KubernetesObjectApi;
constructor() {
constructor(services: Services) {
this.#services = services;
this.#kc = new KubeConfig();
this.#kc.loadFromDefault();
this.#k8sApi = this.#kc.makeApiClient(CoreV1Api);
@@ -48,6 +56,84 @@ class K8sService {
public get objectsApi() {
return this.#k8sObjectsApi;
}
public exists = async (options: { apiVersion: string; kind: string; name: string; namespace?: string }) => {
try {
await this.objectsApi.read({
apiVersion: options.apiVersion,
kind: options.kind,
metadata: {
name: options.name,
namespace: options.namespace,
},
});
return true;
} catch (err) {
if (!(err instanceof ApiException && err.code === 404)) {
throw err;
}
return false;
}
};
public get = async <T>(options: { apiVersion: string; kind: string; name: string; namespace?: string }) => {
try {
const manifest = await this.objectsApi.read({
apiVersion: options.apiVersion,
kind: options.kind,
metadata: {
name: options.name,
namespace: options.namespace,
},
});
return new Manifest<T>({
manifest,
services: this.#services,
});
} catch (err) {
if (!(err instanceof ApiException && err.code === 404)) {
throw err;
}
return undefined;
}
};
public upsert = async (obj: ExpectedAny) => {
let current: unknown;
try {
current = await this.objectsApi.read({
apiVersion: obj.apiVersion,
kind: obj.kind,
metadata: {
name: obj.metadata.name,
namespace: obj.metadata.namespace,
},
});
} catch (error) {
if (!(error instanceof ApiException && error.code === 404)) {
throw error;
}
}
if (current) {
return new Manifest({
manifest: await this.objectsApi.patch(
obj,
undefined,
undefined,
undefined,
undefined,
PatchStrategy.MergePatch,
),
services: this.#services,
});
} else {
return new Manifest({
manifest: await this.objectsApi.create(obj),
services: this.#services,
});
}
};
}
export { K8sService };

179
src/services/k8s/k8s.manifest.ts Normal file
View File

@@ -0,0 +1,179 @@
import { ApiException, PatchStrategy, V1MicroTime } from '@kubernetes/client-node';
import type { Services } from '../../utils/service.ts';
import { K8sService } from '../k8s.ts';
import { GROUP } from '../../utils/consts.ts';
import { CustomResourceRegistry } from '../../custom-resource/custom-resource.registry.ts';
type ManifestOptions = {
manifest: ExpectedAny;
services: Services;
};
type ManifestMetadata = Record<string, string> & {
name: string;
namespace?: string;
labels?: Record<string, string>;
annotations?: Record<string, string>;
uid: string;
resourceVersion: string;
creationTimestamp: string;
generation: number;
};
type EventOptions = {
reason: string;
message: string;
action: string;
type: 'Normal' | 'Warning' | 'Error';
};
class Manifest<TSpec> {
#options: ManifestOptions;
constructor(options: ManifestOptions) {
this.#options = {
...options,
manifest: options.manifest,
};
}
public get objectRef() {
return {
apiVersion: this.apiVersion,
kind: this.kind,
name: this.metadata.name,
uid: this.metadata.uid,
namespace: this.metadata.namespace,
};
}
public get services(): Services {
return this.#options.services;
}
public get manifest() {
return this.#options.manifest;
}
protected set manifest(obj: ExpectedAny) {
this.#options.manifest = obj;
}
public get kind(): string {
return this.#options.manifest.kind;
}
public get apiVersion(): string {
return this.#options.manifest.apiVersion;
}
public get spec(): TSpec {
return this.#options.manifest.spec;
}
public get metadata(): ManifestMetadata {
return this.#options.manifest.metadata;
}
public isOwnerOf = (manifest: ExpectedAny) => {
const ownerRef = manifest?.metadata?.ownerReferences || [];
return ownerRef.some(
(ref: ExpectedAny) =>
ref.apiVersion === this.apiVersion &&
ref.kind === this.kind &&
ref.name === this.metadata.name &&
ref.uid === this.metadata.uid,
);
};
public addEvent = async (event: EventOptions) => {
const { manifest, services } = this.#options;
const k8sService = services.get(K8sService);
await k8sService.eventsApi.createNamespacedEvent({
namespace: manifest.metadata.namespace,
body: {
kind: 'Event',
metadata: {
name: `${manifest.metadata.name}-${Date.now()}-${Buffer.from(crypto.getRandomValues(new Uint8Array(8))).toString('hex')}`,
namespace: manifest.metadata.namespace,
},
eventTime: new V1MicroTime(),
note: event.message,
action: event.action,
reason: event.reason,
type: event.type,
reportingController: GROUP,
reportingInstance: manifest.metadata.name,
regarding: {
apiVersion: manifest.apiVersion,
resourceVersion: manifest.metadata.resourceVersion,
kind: manifest.kind,
name: manifest.metadata.name,
namespace: manifest.metadata.namespace,
uid: manifest.metadata.uid,
},
},
});
};
public patch = async (manifest: ExpectedAny) => {
const { services } = this.#options;
const k8sService = services.get(K8sService);
this.manifest = await k8sService.objectsApi.patch(
{
apiVersion: this.apiVersion,
kind: this.kind,
metadata: {
name: this.metadata.name,
namespace: this.metadata.namespace,
ownerReferences: this.metadata.ownerReferences,
...manifest.metadata,
labels: {
...this.metadata.labels,
...(manifest.metadata?.label || {}),
},
annotations: {
...this.metadata.annotations,
...(manifest.metadata?.annotations || {}),
},
},
spec: manifest.spec || this.spec,
},
undefined,
undefined,
undefined,
undefined,
PatchStrategy.MergePatch,
);
};
public update = async () => {
const { manifest, services } = this.#options;
const k8sService = services.get(K8sService);
const registry = services.get(CustomResourceRegistry);
const crd = registry.getByKind(manifest.kind);
if (!crd) {
throw new Error(`Custom resource ${manifest.kind} not found`);
}
try {
const resource = await k8sService.objectsApi.read({
apiVersion: this.apiVersion,
kind: this.kind,
metadata: {
name: this.metadata.name,
namespace: this.metadata.namespace,
},
});
this.#options.manifest = resource;
} catch (error) {
if (error instanceof ApiException && error.code === 404) {
return undefined;
}
throw error;
}
};
}
export { Manifest };

5
src/services/log/log.ts
View File

@@ -11,7 +11,10 @@ class LogService {
console.warn(message, data);
};
public error = (message: string, data?: Record<string, unknown>) => {
public error = (message: string, data?: Record<string, unknown>, root?: unknown) => {
if (root instanceof Error) {
console.log(root.stack);
}
console.error(message, data);
};
}

7
src/services/postgres/postgres.service.ts
View File

@@ -7,8 +7,10 @@ import type { PostgresDatabase, PostgresRole } from './postgres.types.ts';
class PostgresService {
#db: Knex;
#services: Services;
constructor(services: Services) {
this.#services = services;
const configService = services.get(ConfigService);
const config = configService.postgres;
this.#db = knex({
@@ -22,6 +24,11 @@ class PostgresService {
});
}
public get config() {
const configService = this.#services.get(ConfigService);
return configService.postgres;
}
public upsertRole = async (role: PostgresRole) => {
const existingRole = await this.#db.raw('SELECT 1 FROM pg_roles WHERE rolname = ?', [role.name]);