ferociousbyte

Authentik Outpost with Remote RKE2/Kubernetes Cluster

📋 Before we dive in:

There are two RKE2/Kubernetes clusters, production and development, and each is enrolled separately.
Authentik is installed in the production cluster and automatically added the "local" cluster as an "embedded kubernetes cluster" outpost.

To use the authentik proxy forwarding feature for ingresses on the development cluster, we have to add that cluster to Authentik as a remote outpost.

In this scenario we have the following parameters:


1️⃣ Install "authentik-remote-cluster"

First, add the authentik Helm repository, which provides the authentik-remote-cluster chart for the development cluster:

helm repo add authentik https://charts.goauthentik.io
helm repo update

Then install the authentik-remote-cluster chart on the development cluster via the Rancher UI or the Helm CLI.


2️⃣ Generate Authentik configuration manifest

After successful installation, you'll get a script-snippet like this:
Script snippet

Copy the snippet and replace the line KUBE_API=... with

KUBE_API=https://my.remote-development.cluster:6443

After executing the snippet, you should get something like this:

apiVersion: v1
kind: Config
clusters:
- name: dev-cluster
  cluster:
    certificate-authority-data: (hidden secret)
    server: https://my.remote-development.cluster:6443
contexts:
- name: dev-context
  context:
    cluster: dev-cluster
    namespace: authentik-remote
    user: dev-authentik-user
current-context: dev-context
users:
- name: dev-authentik-user
  user:
    token: (hidden secret)
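
Before pasting the result into Authentik in step 3, the generated kubeconfig can be linted offline. This is an added example, not part of the original post or the authentik chart: `kc_field`, `check_outpost_kubeconfig` and `make_sample` are hypothetical helpers, the sample kubeconfig is constructed, and the rules (https server that is not loopback, CA data present, TLS verification left on, token present, expected namespace) are assumptions about what a remote outpost connection needs.

```shell
# Added example; the checks are assumptions, not authentik's own validation.
# Print the value of the first "KEY: value" line. Usage: kc_field FILE KEY
kc_field() { sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1; }

# Usage: check_outpost_kubeconfig FILE NAMESPACE; prints FAIL lines, returns 0 if clean.
check_outpost_kubeconfig() {
  file=$1; want_ns=$2; rc=0
  server=$(kc_field "$file" server)
  case $server in
    https://127.*|https://localhost*|https://\[::1\]*)
      echo "FAIL: server $server is loopback, unreachable from Authentik"; rc=1 ;;
    https://*) ;;
    *) echo "FAIL: server '$server' is not an https:// URL"; rc=1 ;;
  esac
  [ -n "$(kc_field "$file" certificate-authority-data)" ] || { echo "FAIL: CA data is missing"; rc=1; }
  if grep -Eq '^[[:space:]]*insecure-skip-tls-verify:[[:space:]]*true' "$file"; then
    echo "FAIL: TLS verification is disabled"; rc=1
  fi
  [ -n "$(kc_field "$file" token)" ] || { echo "FAIL: token is missing"; rc=1; }
  [ "$(kc_field "$file" namespace)" = "$want_ns" ] ||
    { echo "FAIL: namespace is not '$want_ns'"; rc=1; }
  return "$rc"
}

# Constructed sample (dummy secrets). Usage: make_sample SERVER_URL NAMESPACE
make_sample() {
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: dev-cluster
  cluster:
    certificate-authority-data: Q09OU1RSVUNURUQ=
    server: $1
contexts:
- name: dev-context
  context:
    cluster: dev-cluster
    namespace: $2
    user: dev-authentik-user
current-context: dev-context
users:
- name: dev-authentik-user
  user:
    token: constructed-dummy-token
EOF
}

tmp=$(mktemp); make_sample https://127.0.0.1:6443 default > "$tmp"
check_outpost_kubeconfig "$tmp" authentik-remote || echo "fix this before pasting"; rm -f "$tmp"
```

The `token` field is a bearer token for the outpost's service account, so keep the generated file out of version control and delete it once it has been pasted into Authentik.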

3️⃣ Adding the Outpost integration to Authentik

Now use this kubeconfig-snippet and add the Outpost integration to Authentik:

  1. Go to Authentik Admin -> System -> Outpost integrations and select "Create".
  2. Select "Kubernetes Service connection", choose a name and paste the kubeconfig snippet you got. (Don't enable Local .. cause it's Remote. 😏)

Selection menu of outpost integrations type

Window to set name and settings of the new Outpost integration

State list


4️⃣ Adding a new Outpost (with the new integration)

  1. To add a new Outpost with the newly created integration, go to Authentik Admin -> Applications -> Outposts and select Create.
  2. Then choose an Outpost name and select the newly created integration.
  3. Expand Advanced settings and modify the configuration; in particular, kubernetes_namespace should be "authentik-remote".

Rancher deployment list

If the settings were correct, you'll get a new deployment, service, secret and ingress in your remote cluster.


I've made this HowTo because of the waggy docs on using Remote Kubernetes Clusters in Authentik. 😒
In my case, it was a lot of trial and error. ⚠️
Hope I've saved someone some time on this. 😁
