From 899be7c64f82e2d7fc5f98026819c9dca95bee05 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Fri, 6 Oct 2023 20:40:53 +0000 Subject: [PATCH] Adding authentik. --- .../authentik/app/externalsecret.yaml | 34 ++++++ .../security/authentik/app/helmrelease.yaml | 102 ++++++++++++++++++ .../security/authentik/app/kustomization.yaml | 12 +++ .../authentik/app/postgresCluster.yaml | 52 +++++++++ kubernetes/apps/security/authentik/ks.yaml | 35 ++++++ .../authentik/redis/externalsecret.yaml | 24 +++++ .../security/authentik/redis/helmrelease.yaml | 61 +++++++++++ .../authentik/redis/kustomization.yaml | 11 ++ kubernetes/apps/security/kustomization.yaml | 1 + .../flux/repositories/helm/authentik.yaml | 10 ++ .../flux/repositories/helm/kustomization.yaml | 1 + 11 files changed, 343 insertions(+) create mode 100644 kubernetes/apps/security/authentik/app/externalsecret.yaml create mode 100644 kubernetes/apps/security/authentik/app/helmrelease.yaml create mode 100644 kubernetes/apps/security/authentik/app/kustomization.yaml create mode 100644 kubernetes/apps/security/authentik/app/postgresCluster.yaml create mode 100644 kubernetes/apps/security/authentik/ks.yaml create mode 100644 kubernetes/apps/security/authentik/redis/externalsecret.yaml create mode 100644 kubernetes/apps/security/authentik/redis/helmrelease.yaml create mode 100644 kubernetes/apps/security/authentik/redis/kustomization.yaml create mode 100644 kubernetes/flux/repositories/helm/authentik.yaml diff --git a/kubernetes/apps/security/authentik/app/externalsecret.yaml b/kubernetes/apps/security/authentik/app/externalsecret.yaml new file mode 100644 index 0000000..161e8a0 --- /dev/null +++ b/kubernetes/apps/security/authentik/app/externalsecret.yaml 
@@ -0,0 +1,34 @@ +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: authentik + namespace: security +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: authentik-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + authentik_secret_key: "{{ .authentik_secret_key }}" + authentik_email_host: "{{ .authentik_email_host }}" + authentik_email_username: "{{ .authentik_email_username }}" + authentik_email_password: "{{ .mailgun_authentik_smtp_password }}" + authentik_email_from: "{{ .authentik_email_from }}" + dataFrom: + - extract: + key: Authentik + rewrite: + - regexp: + source: "(.*)" + target: "authentik_$1" + - extract: + key: mailgun + rewrite: + - regexp: + source: "(.*)" + target: "mailgun_$1" diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml new file mode 100644 index 0000000..2a4617e --- /dev/null +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml 
@@ -0,0 +1,102 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: authentik + namespace: security +spec: + interval: 30m + chart: + spec: + chart: authentik + version: 2023.8.3 + interval: 30m + sourceRef: + kind: HelmRepository + name: authentik + namespace: flux-system + values: + annotations: + secret.reloader.stakater.com/reload: authentik-secret,authentik-pguser-authentik,authentik-redis-secret + + authentik: + log_level: info + email: + port: 587 + use_tls: true + error_reporting: + enabled: false + send_pii: false + redis: + host: "authentik-redis.security.svc.cluster.local" + password: "" + + envValueFrom: + AUTHENTIK_SECRET_KEY: + secretKeyRef: + name: authentik-secret + key: authentik_secret_key + AUTHENTIK_EMAIL__HOST: + secretKeyRef: + name: authentik-secret + key: authentik_email_host + AUTHENTIK_EMAIL__USERNAME: + secretKeyRef: + name: authentik-secret + key: authentik_email_username + AUTHENTIK_EMAIL__PASSWORD: + secretKeyRef: + name: authentik-secret + key: authentik_email_password + AUTHENTIK_EMAIL__FROM: + secretKeyRef: + name: authentik-secret + key: authentik_email_from + AUTHENTIK_POSTGRESQL__HOST: + secretKeyRef: + name: authentik-pguser-authentik + key: host + AUTHENTIK_POSTGRESQL__NAME: + secretKeyRef: + name: authentik-pguser-authentik + key: dbname + AUTHENTIK_POSTGRESQL__USER: + secretKeyRef: + name: authentik-pguser-authentik + key: user + AUTHENTIK_POSTGRESQL__PASSWORD: + secretKeyRef: + name: authentik-pguser-authentik + key: password + AUTHENTIK_REDIS__PASSWORD: + secretKeyRef: + name: authentik-redis-secret + key: AUTHENTIK_REDIS_PASSWORD + + ingress: + enabled: true + ingressClassName: nginx + annotations: + external-dns.alpha.kubernetes.io/target: ingress.hsn.dev + nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" + 
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" + hosts: + - host: &host authentik.hsn.dev + paths: + - path: / + tls: + - hosts: + - *host + + postgresql: + enabled: false + + prometheus: + rules: + create: true + serviceMonitor: + create: true + + redis: + enabled: false diff --git a/kubernetes/apps/security/authentik/app/kustomization.yaml b/kubernetes/apps/security/authentik/app/kustomization.yaml new file mode 100644 index 0000000..f910283 --- /dev/null +++ b/kubernetes/apps/security/authentik/app/kustomization.yaml @@ -0,0 +1,12 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: security +resources: + - ./externalsecret.yaml + - ./postgresCluster.yaml + +commonLabels: + app.kubernetes.io/name: authentik + app.kubernetes.io/instance: authentik diff --git a/kubernetes/apps/security/authentik/app/postgresCluster.yaml b/kubernetes/apps/security/authentik/app/postgresCluster.yaml new file mode 100644 index 0000000..8c816cd --- /dev/null +++ b/kubernetes/apps/security/authentik/app/postgresCluster.yaml 
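Review bot: The `tls` entry under `ingress.hosts` names `authentik.hsn.dev` but carries no `secretName`, so unless ingress-nginx runs with a `--default-ssl-certificate` that covers the host, the identity provider is served with the controller's self-signed fallback certificate — the one endpoint where users must not be trained to click through warnings. Either add `secretName: authentik-tls` (with the issuer annotation the cluster uses) or add a comment on the `tls` block stating that the controller's default certificate covers `*.hsn.dev`. Separately, `authentik.redis.password: ""` and the `AUTHENTIK_REDIS__PASSWORD` entry under `envValueFrom` target the same environment variable; if the chart also renders the values-level key as an env entry, the Deployment ends up with two `AUTHENTIK_REDIS__PASSWORD` definitions whose precedence depends on template order, so check the rendered manifest has exactly one.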
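Review bot: `resources` in the app Kustomization lists only `./externalsecret.yaml` and `./postgresCluster.yaml`; `./helmrelease.yaml`, created in the same commit, is never referenced, so Flux will reconcile the ExternalSecret and the PostgresCluster but never install the authentik HelmRelease itself. Add `- ./helmrelease.yaml` to the list, unless the file is picked up some other way that this diff does not show.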
@@ -0,0 +1,52 @@ +--- +apiVersion: postgres-operator.crunchydata.com/v1beta1 +kind: PostgresCluster +metadata: + name: authentik + namespace: security +spec: + postgresVersion: 15 + patroni: + dynamicConfiguration: + synchronous_mode: true + postgresql: + synchronous_commit: "on" + instances: + - name: postgres + replicas: 2 + dataVolumeClaimSpec: + storageClassName: ceph-block + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + users: + - name: authentik + databases: + - authentik + options: "SUPERUSER" + backups: + pgbackrest: + configuration: + - secret: + name: pgo-s3-creds + global: + archive-push-queue-max: 4GiB + repo1-retention-full: "14" + repo1-retention-full-type: time + repo1-path: /authentik/repo1 + repo1-s3-uri-style: path + manual: + repoName: repo1 + options: + - --type=full + repos: + - name: repo1 + schedules: + full: "0 1 * * 0" + differential: "0 1 * * 1-6" + s3: + bucket: "crunchy-postgres" + endpoint: "erebor.hsn.dev" + region: "us-east-1" diff --git a/kubernetes/apps/security/authentik/ks.yaml b/kubernetes/apps/security/authentik/ks.yaml new file mode 100644 index 0000000..5726a22 --- /dev/null +++ b/kubernetes/apps/security/authentik/ks.yaml 
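Review bot: The `authentik` role is created with `options: "SUPERUSER"`, which hands the application's database credentials full control of the instance (every database, `COPY ... TO PROGRAM`, replication and server settings), so a compromise of the IdP's DB connection becomes a compromise of the Postgres pods. Crunchy PGO already makes the user in `users[]` the owner of the databases listed under it, which is what authentik's migrations need; remove the `options` line, and if a migration turns out to need an extension, pre-create it as the operator's `postgres` user rather than granting superuser. A comment on the `s3` block stating whether pgBackRest verifies `erebor.hsn.dev`'s certificate would also help, since nothing here shows it.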
@@ -0,0 +1,35 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster-apps-authentik-redis + namespace: flux-system +spec: + interval: 10m + path: "./kubernetes/apps/security/authentik/redis" + prune: true + sourceRef: + kind: GitRepository + name: valinor + wait: true + dependsOn: + - name: cluster-apps-external-secrets-stores +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cluster-apps-authentik + namespace: flux-system +spec: + interval: 10m + path: "./kubernetes/apps/security/authentik/app" + prune: true + sourceRef: + kind: GitRepository + name: valinor + wait: true + dependsOn: + - name: cluster-apps-external-secrets-stores + - name: cluster-apps-authentik-redis diff --git a/kubernetes/apps/security/authentik/redis/externalsecret.yaml b/kubernetes/apps/security/authentik/redis/externalsecret.yaml new file mode 100644 index 0000000..2d9e48a --- /dev/null +++ b/kubernetes/apps/security/authentik/redis/externalsecret.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: authentik-redis + namespace: security +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: authentik-redis-secret + creationPolicy: Owner + template: + engineVersion: v2 + data: + AUTHENTIK_REDIS_PASSWORD: "{{ .authentik_redis_password }}" + dataFrom: + - extract: + key: Authentik + rewrite: + - regexp: + source: "(.*)" + target: "authentik_$1" diff --git a/kubernetes/apps/security/authentik/redis/helmrelease.yaml b/kubernetes/apps/security/authentik/redis/helmrelease.yaml new file mode 100644 index 0000000..95a9c2f --- /dev/null 
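Review bot: `cluster-apps-authentik` declares `dependsOn` for the ExternalSecret stores and the redis Kustomization, but not for whatever installs the Crunchy `PostgresCluster` CRD that `app/postgresCluster.yaml` relies on; if the operator is itself a Flux Kustomization in this repository (this diff does not show it), a fresh bootstrap can apply the PostgresCluster before its CRD exists and the reconciliation fails until a later retry. Add the operator's Kustomization to the list, e.g. `- name: cluster-apps-crunchy-postgres-operator`, using whatever name the repo gives it; the same applies to the ingress class and the reloader if they are managed here.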
+++ b/kubernetes/apps/security/authentik/redis/helmrelease.yaml @@ -0,0 +1,61 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: authentik-redis + namespace: security +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 2.0.2 + interval: 30m + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + + values: + controllers: + main: + annotations: + secret.reloader.stakater.com/reload: authentik-redis-secret + + pod: + automountServiceAccountToken: false + + containers: + main: + image: + repository: public.ecr.aws/docker/library/redis + tag: 7.2.1 + command: + - sh + args: + - -c + - >- + redis-server --requirepass $REDIS_PASSWORD + env: + REDIS_PORT: &port 6379 + REDIS_PASSWORD: + valueFrom: + secretKeyRef: + name: authentik-redis-secret + key: AUTHENTIK_REDIS_PASSWORD + resources: + requests: + cpu: 5m + memory: 128M + limits: + memory: 256M + + service: + main: + ports: + http: + enabled: false + redis: + enabled: true + port: *port diff --git a/kubernetes/apps/security/authentik/redis/kustomization.yaml b/kubernetes/apps/security/authentik/redis/kustomization.yaml new file mode 100644 index 0000000..d23c2e8 --- /dev/null +++ b/kubernetes/apps/security/authentik/redis/kustomization.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: security +resources: + - ./externalsecret.yaml + - ./helmrelease.yaml +commonLabels: + app.kubernetes.io/name: authentik-redis + app.kubernetes.io/instance: authentik diff --git a/kubernetes/apps/security/kustomization.yaml b/kubernetes/apps/security/kustomization.yaml index 3e81f8b..137258f 100644 --- a/kubernetes/apps/security/kustomization.yaml +++ b/kubernetes/apps/security/kustomization.yaml 
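Review bot: The `args` entry expands `$REDIS_PASSWORD` unquoted inside `sh -c`, so a password containing whitespace or glob characters is word-split before it reaches `--requirepass`; quote it, `redis-server --requirepass "$REDIS_PASSWORD"`. Because the value is substituted into argv it is also readable from `/proc/<pid>/cmdline` and `ps` by anything that can exec into the pod — tolerable for a cache whose pod already holds the secret in its environment, but worth a comment on the `args` line. No `securityContext` is set on the pod or container, and `command: sh` replaces the image entrypoint, so whatever privilege drop that entrypoint would perform does not happen and redis most likely runs as root with the full capability set; adding `runAsNonRoot: true` with the image's `redis` uid and `capabilities: { drop: [ALL] }` would cost nothing here.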
@@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: diff --git a/kubernetes/flux/repositories/helm/authentik.yaml b/kubernetes/flux/repositories/helm/authentik.yaml new file mode 100644 index 0000000..caa4a7b --- /dev/null +++ b/kubernetes/flux/repositories/helm/authentik.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: authentik + namespace: flux-system +spec: + interval: 1h + url: https://charts.goauthentik.io diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml index 30d3e6b..de75772 100644 --- a/kubernetes/flux/repositories/helm/kustomization.yaml +++ b/kubernetes/flux/repositories/helm/kustomization.yaml @@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - authentik.yaml - bitnami.yaml - bjw-s.yaml - cilium.yaml
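Review bot: The parent `security/kustomization.yaml` gains only the schema comment (the diffstat shows a single insertion for this file), so `./authentik/ks.yaml` is never added to its `resources` list and neither Flux Kustomization defined there will be reconciled, unless that entry already existed beyond the hunk's context. Add `- ./authentik/ks.yaml` under `resources` in this file.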