Automate Authentik application/proxy configuration during deployment #62

Open
opened 2026-05-16 20:02:06 +00:00 by mconway · 0 comments
Owner

Summary

Authentik applications, proxy providers, and outposts are currently configured manually through the Authentik web UI. These should be automated as part of the Ansible deployment to ensure reproducibility and avoid configuration drift.

What needs to be done

  • Use the Authentik API (or the goauthentik.io/terraform provider via an Ansible Terraform module) to automate creation of:
    • Providers – OAuth2, proxy, LDAP, SAML providers for each integrated service
    • Applications – one per integrated service, linked to their provider
    • Outposts – proxy and/or LDAP outposts that serve the configured providers

Approach options

  1. Extend k8s-authentik role – add a post-install task that calls the Authentik REST API via ansible.builtin.uri to configure applications/providers/outposts
  2. New k8s-authentik-config role – dedicated role that runs after k8s-authentik, keeping the Helm install and config separate
  3. Terraform – use the goauthentik/authentik Terraform provider and run via the existing Ansible Terraform module

Services to configure

All services currently protected by or integrated with Authentik (proxy authentication, OAuth2 SSO, LDAP) should have their configuration defined here rather than set up by hand.

Acceptance criteria

  • Running the Ansible playbook on a fresh cluster produces a fully configured Authentik instance (applications, providers, outposts)
  • No manual steps required in the Authentik UI after deployment
  • Configuration is idempotent (re-running does not duplicate resources)
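
The idempotency criterion applied to approach options 1 and 2, as added example tasks (not code from this repository): each application is looked up by slug, created only if missing, and otherwise patched back to its declared values. The role file, the variables `authentik_url`, `authentik_api_token` and `authentik_apps`, and the API paths are assumptions.

```yaml
# Added example for a hypothetical k8s-authentik-config role (tasks/main.yml).
# Assumed variables: authentik_url, authentik_api_token, and authentik_apps,
# a list of dicts such as {name: Grafana, slug: grafana, provider: 3}.
# The /api/v3/core/applications/ paths are assumptions; confirm them against
# the API schema of the deployed Authentik version.
- name: Check whether each application already exists
  ansible.builtin.uri:
    url: "{{ authentik_url }}/api/v3/core/applications/{{ item.slug }}/"
    method: GET
    headers:
      Authorization: "Bearer {{ authentik_api_token }}"
    status_code: [200, 404]
  loop: "{{ authentik_apps }}"
  loop_control:
    label: "{{ item.slug }}"
  register: app_lookup
  no_log: true  # keep the bearer token out of task output

- name: Create applications that are missing
  ansible.builtin.uri:
    url: "{{ authentik_url }}/api/v3/core/applications/"
    method: POST
    headers:
      Authorization: "Bearer {{ authentik_api_token }}"
    body_format: json
    body: "{{ item.item }}"
    status_code: 201
  loop: "{{ app_lookup.results }}"
  loop_control:
    label: "{{ item.item.slug }}"
  when: item.status == 404
  changed_when: true  # uri does not report a change on its own
  no_log: true

- name: Bring existing applications back to the declared values
  ansible.builtin.uri:
    url: "{{ authentik_url }}/api/v3/core/applications/{{ item.item.slug }}/"
    method: PATCH
    headers:
      Authorization: "Bearer {{ authentik_api_token }}"
    body_format: json
    body: "{{ item.item }}"
    status_code: 200
  loop: "{{ app_lookup.results }}"
  loop_control:
    label: "{{ item.item.slug }}"
  when: item.status == 200
  no_log: true
```

Because an application is linked to its provider, the same pattern has to run for providers first so that the `provider` value it references already exists.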
Reference
mconway/Homelab#62