feat(auth): annuaire Authentik + portail consoles Guacamole (#76)

- k8s/apps/authentik : IdP OIDC (auth.lab.local), namespace auth —
  server + worker 2026.5.3, Redis in-cluster, PG sur storage-01, PVC media
- k8s/apps/guacamole : portail consoles SSH web s01/g01 (portail.lab.local) —
  guacd + webapp 1.6.0, SSO OIDC vers Authentik, Job initdb idempotent
- ansible : rôle console_user (user sans sudo pour les consoles, s01 + g01),
  bases PG authentik/guacamole, secrets vault (mdp PG + clé SSH console)
- doc : admin/k8s/auth-portal.md (déploiement, config initiale, pièges)

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
ALI YESILKAYA 2026-07-06 21:24:46 +02:00 committed by GitHub
parent 09ca0be469
commit 87b786eb57
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
21 changed files with 775 additions and 64 deletions

View file

@ -0,0 +1,85 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: guacamole
namespace: auth
spec:
replicas: 1
selector:
matchLabels:
app: guacamole
template:
metadata:
labels:
app: guacamole
spec:
containers:
- name: guacamole
image: guacamole/guacamole:1.6.0
ports:
- containerPort: 8080
env:
- name: GUACD_HOSTNAME
value: "guacd"
- name: GUACD_PORT
value: "4822"
# Base sur storage-01 (schéma posé par le Job guacamole-initdb)
- name: POSTGRESQL_HOSTNAME
value: "192.168.10.1"
- name: POSTGRESQL_DATABASE
value: "guacamole"
- name: POSTGRESQL_USERNAME
value: "guacamole"
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: guacamole-secret
key: pg-password
# Les comptes venant d'Authentik sont créés automatiquement dans la base
# (sinon un utilisateur OIDC arrive sans aucune connexion assignable)
- name: POSTGRESQL_AUTO_CREATE_ACCOUNTS
value: "true"
# Servir sur / plutôt que /guacamole
- name: WEBAPP_CONTEXT
value: "ROOT"
# --- SSO OIDC → Authentik (app « guacamole » à créer dans l'UI Authentik) ---
# Endpoints navigateur : via l'IngressRoute ; JWKS : appel serveur→serveur,
# on passe par le Service interne pour ne pas dépendre du DNS lab.local des pods
- name: OPENID_AUTHORIZATION_ENDPOINT
value: "http://auth.lab.local/application/o/authorize/"
- name: OPENID_JWKS_ENDPOINT
value: "http://authentik.auth.svc.cluster.local:9000/application/o/guacamole/jwks/"
- name: OPENID_ISSUER
value: "http://auth.lab.local/application/o/guacamole/"
- name: OPENID_CLIENT_ID
value: "guacamole"
- name: OPENID_REDIRECT_URI
value: "http://portail.lab.local/"
- name: OPENID_USERNAME_CLAIM_TYPE
value: "preferred_username"
- name: OPENID_SCOPE
value: "openid profile email"
# L'extension base (autorisation/connexions) passe avant l'OIDC (authentification)
- name: EXTENSION_PRIORITY
value: "*, openid"
- name: TZ
value: "Europe/Paris"
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 1000m
memory: 1Gi
readinessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 30
periodSeconds: 15
livenessProbe:
httpGet:
path: /
port: 8080
initialDelaySeconds: 60
periodSeconds: 30