Adding authentik.

kubernetes/apps/security/authentik/app/externalsecret.yaml

@@ -0,0 +1,34 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authentik
+  namespace: security
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: authentik-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        authentik_secret_key: "{{ .authentik_secret_key }}"
+        authentik_email_host: "{{ .authentik_email_host }}"
+        authentik_email_username: "{{ .authentik_email_username }}"
+        authentik_email_password: "{{ .mailgun_authentik_smtp_password }}"
+        authentik_email_from: "{{ .authentik_email_from }}"
+  dataFrom:
+    - extract:
+        key: Authentik
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "authentik_$1"
+    - extract:
+        key: mailgun
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "mailgun_$1"

kubernetes/apps/security/authentik/app/helmrelease.yaml

@@ -0,0 +1,102 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authentik
+  namespace: security
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: authentik
+      version: 2023.8.3
+      interval: 30m
+      sourceRef:
+        kind: HelmRepository
+        name: authentik
+        namespace: flux-system
+  values:
+    annotations:
+      secret.reloader.stakater.com/reload: authentik-secret,authentik-pguser-authentik,authentik-redis-secret
+
+    authentik:
+      log_level: info
+      email:
+        port: 587
+        use_tls: true
+      error_reporting:
+        enabled: false
+        send_pii: false
+      redis:
+        host: "authentik-redis.security.svc.cluster.local"
+        password: ""
+
+    envValueFrom:
+      AUTHENTIK_SECRET_KEY:
+        secretKeyRef:
+          name: authentik-secret
+          key: authentik_secret_key
+      AUTHENTIK_EMAIL__HOST:
+        secretKeyRef:
+          name: authentik-secret
+          key: authentik_email_host
+      AUTHENTIK_EMAIL__USERNAME:
+        secretKeyRef:
+          name: authentik-secret
+          key: authentik_email_username
+      AUTHENTIK_EMAIL__PASSWORD:
+        secretKeyRef:
+          name: authentik-secret
+          key: authentik_email_password
+      AUTHENTIK_EMAIL__FROM:
+        secretKeyRef:
+          name: authentik-secret
+          key: authentik_email_from
+      AUTHENTIK_POSTGRESQL__HOST:
+        secretKeyRef:
+          name: authentik-pguser-authentik
+          key: host
+      AUTHENTIK_POSTGRESQL__NAME:
+        secretKeyRef:
+          name: authentik-pguser-authentik
+          key: dbname
+      AUTHENTIK_POSTGRESQL__USER:
+        secretKeyRef:
+          name: authentik-pguser-authentik
+          key: user
+      AUTHENTIK_POSTGRESQL__PASSWORD:
+        secretKeyRef:
+          name: authentik-pguser-authentik
+          key: password
+      AUTHENTIK_REDIS__PASSWORD:
+        secretKeyRef:
+          name: authentik-redis-secret
+          key: AUTHENTIK_REDIS_PASSWORD
+
+    ingress:
+      enabled: true
+      ingressClassName: nginx
+      annotations:
+        external-dns.alpha.kubernetes.io/target: ingress.hsn.dev
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+      hosts:
+        - host: &host authentik.hsn.dev
+          paths:
+            - path: /
+      tls:
+        - hosts:
+            - *host
+
+    postgresql:
+      enabled: false
+
+    prometheus:
+      rules:
+        create: true
+      serviceMonitor:
+        create: true
+
+    redis:
+      enabled: false

kubernetes/apps/security/authentik/app/kustomization.yaml

@@ -0,0 +1,12 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: security
+resources:
+  - ./externalsecret.yaml
+  - ./postgresCluster.yaml
+
+commonLabels:
+  app.kubernetes.io/name: authentik
+  app.kubernetes.io/instance: authentik

kubernetes/apps/security/authentik/app/postgresCluster.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: authentik
+  namespace: security
+spec:
+  postgresVersion: 15
+  patroni:
+    dynamicConfiguration:
+      synchronous_mode: true
+      postgresql:
+        synchronous_commit: "on"
+  instances:
+    - name: postgres
+      replicas: 2
+      dataVolumeClaimSpec:
+        storageClassName: ceph-block
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 5Gi
+  users:
+    - name: authentik
+      databases:
+        - authentik
+      options: "SUPERUSER"
+  backups:
+    pgbackrest:
+      configuration:
+        - secret:
+            name: pgo-s3-creds
+      global:
+        archive-push-queue-max: 4GiB
+        repo1-retention-full: "14"
+        repo1-retention-full-type: time
+        repo1-path: /authentik/repo1
+        repo1-s3-uri-style: path
+      manual:
+        repoName: repo1
+        options:
+          - --type=full
+      repos:
+        - name: repo1
+          schedules:
+            full: "0 1 * * 0"
+            differential: "0 1 * * 1-6"
+          s3:
+            bucket: "crunchy-postgres"
+            endpoint: "erebor.hsn.dev"
+            region: "us-east-1"

kubernetes/apps/security/authentik/ks.yaml

@@ -0,0 +1,35 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-authentik-redis
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: "./kubernetes/apps/security/authentik/redis"
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: valinor
+  wait: true
+  dependsOn:
+    - name: cluster-apps-external-secrets-stores
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-authentik
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: "./kubernetes/apps/security/authentik/app"
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: valinor
+  wait: true
+  dependsOn:
+    - name: cluster-apps-external-secrets-stores
+    - name: cluster-apps-authentik-redis

kubernetes/apps/security/authentik/redis/externalsecret.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authentik-redis
+  namespace: security
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: authentik-redis-secret
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      data:
+        AUTHENTIK_REDIS_PASSWORD: "{{ .authentik_redis_password }}"
+  dataFrom:
+    - extract:
+        key: Authentik
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "authentik_$1"

kubernetes/apps/security/authentik/redis/helmrelease.yaml

@@ -0,0 +1,61 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authentik-redis
+  namespace: security
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 2.0.2
+      interval: 30m
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+
+  values:
+    controllers:
+      main:
+        annotations:
+          secret.reloader.stakater.com/reload: authentik-redis-secret
+
+        pod:
+          automountServiceAccountToken: false
+
+        containers:
+          main:
+            image:
+              repository: public.ecr.aws/docker/library/redis
+              tag: 7.2.1
+            command:
+              - sh
+            args:
+              - -c
+              - >-
+                redis-server --requirepass $REDIS_PASSWORD
+            env:
+              REDIS_PORT: &port 6379
+              REDIS_PASSWORD:
+                valueFrom:
+                  secretKeyRef:
+                    name: authentik-redis-secret
+                    key: AUTHENTIK_REDIS_PASSWORD
+            resources:
+              requests:
+                cpu: 5m
+                memory: 128M
+              limits:
+                memory: 256M
+
+    service:
+      main:
+        ports:
+          http:
+            enabled: false
+          redis:
+            enabled: true
+            port: *port

kubernetes/apps/security/authentik/redis/kustomization.yaml

@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: security
+resources:
+  - ./externalsecret.yaml
+  - ./helmrelease.yaml
+commonLabels:
+  app.kubernetes.io/name: authentik-redis
+  app.kubernetes.io/instance: authentik

kubernetes/apps/security/kustomization.yaml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:

kubernetes/flux/repositories/helm/authentik.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: authentik
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.goauthentik.io

kubernetes/flux/repositories/helm/kustomization.yaml

@@ -3,6 +3,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - authentik.yaml
  - bitnami.yaml
  - bjw-s.yaml
  - cilium.yaml