Adding authentik.

This commit is contained in:
Joseph Hanson 2023-10-06 20:40:53 +00:00
parent 03619b36bd
commit 899be7c64f
11 changed files with 343 additions and 0 deletions


@ -0,0 +1,34 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik
namespace: security
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: authentik-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
authentik_secret_key: "{{ .authentik_secret_key }}"
authentik_email_host: "{{ .authentik_email_host }}"
authentik_email_username: "{{ .authentik_email_username }}"
authentik_email_password: "{{ .mailgun_authentik_smtp_password }}"
authentik_email_from: "{{ .authentik_email_from }}"
dataFrom:
- extract:
key: Authentik
rewrite:
- regexp:
source: "(.*)"
target: "authentik_$1"
- extract:
key: mailgun
rewrite:
- regexp:
source: "(.*)"
target: "mailgun_$1"


@ -0,0 +1,102 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: authentik
namespace: security
spec:
interval: 30m
chart:
spec:
chart: authentik
version: 2023.8.3
interval: 30m
sourceRef:
kind: HelmRepository
name: authentik
namespace: flux-system
values:
annotations:
secret.reloader.stakater.com/reload: authentik-secret,authentik-pguser-authentik,authentik-redis-secret
authentik:
log_level: info
email:
port: 587
use_tls: true
error_reporting:
enabled: false
send_pii: false
redis:
host: "authentik-redis.security.svc.cluster.local"
password: ""
envValueFrom:
AUTHENTIK_SECRET_KEY:
secretKeyRef:
name: authentik-secret
key: authentik_secret_key
AUTHENTIK_EMAIL__HOST:
secretKeyRef:
name: authentik-secret
key: authentik_email_host
AUTHENTIK_EMAIL__USERNAME:
secretKeyRef:
name: authentik-secret
key: authentik_email_username
AUTHENTIK_EMAIL__PASSWORD:
secretKeyRef:
name: authentik-secret
key: authentik_email_password
AUTHENTIK_EMAIL__FROM:
secretKeyRef:
name: authentik-secret
key: authentik_email_from
AUTHENTIK_POSTGRESQL__HOST:
secretKeyRef:
name: authentik-pguser-authentik
key: host
AUTHENTIK_POSTGRESQL__NAME:
secretKeyRef:
name: authentik-pguser-authentik
key: dbname
AUTHENTIK_POSTGRESQL__USER:
secretKeyRef:
name: authentik-pguser-authentik
key: user
AUTHENTIK_POSTGRESQL__PASSWORD:
secretKeyRef:
name: authentik-pguser-authentik
key: password
AUTHENTIK_REDIS__PASSWORD:
secretKeyRef:
name: authentik-redis-secret
key: AUTHENTIK_REDIS_PASSWORD
ingress:
enabled: true
ingressClassName: nginx
annotations:
external-dns.alpha.kubernetes.io/target: ingress.hsn.dev
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
hosts:
- host: &host authentik.hsn.dev
paths:
- path: /
tls:
- hosts:
- *host
postgresql:
enabled: false
prometheus:
rules:
create: true
serviceMonitor:
create: true
redis:
enabled: false
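Review bot: `password: ""` under `authentik.redis` and the `AUTHENTIK_REDIS__PASSWORD` secretKeyRef under `envValueFrom` both set the same setting; if the chart renders the empty value as an env var next to the secret-backed one, which takes effect depends on env ordering in the rendered pod spec, so drop the `password: ""` line and let `authentik-redis-secret` be the only source. The `tls` entry under `ingress` carries no `secretName`, so termination falls back to whatever default certificate the nginx controller has unless a cert-manager default issuer or wildcard is in place — worth confirming, since this host is the IdP for everything behind it. A short comment above `envValueFrom`, `# every credential is secret-backed; keep the reloader annotation above in sync when adding one`, would make the coupling to the `secret.reloader.stakater.com/reload` list explicit.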


@ -0,0 +1,12 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: security
resources:
- ./externalsecret.yaml
- ./postgresCluster.yaml
commonLabels:
app.kubernetes.io/name: authentik
app.kubernetes.io/instance: authentik
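Review bot: `resources` lists only `./externalsecret.yaml` and `./postgresCluster.yaml`; the authentik HelmRelease added in this commit is not referenced, so unless it lives in a different directory Flux will never reconcile it, while the sibling redis Kustomization does include its `./helmrelease.yaml`. Add `- ./helmrelease.yaml` to the list.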


@ -0,0 +1,52 @@
---
apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster
metadata:
name: authentik
namespace: security
spec:
postgresVersion: 15
patroni:
dynamicConfiguration:
synchronous_mode: true
postgresql:
synchronous_commit: "on"
instances:
- name: postgres
replicas: 2
dataVolumeClaimSpec:
storageClassName: ceph-block
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
users:
- name: authentik
databases:
- authentik
options: "SUPERUSER"
backups:
pgbackrest:
configuration:
- secret:
name: pgo-s3-creds
global:
archive-push-queue-max: 4GiB
repo1-retention-full: "14"
repo1-retention-full-type: time
repo1-path: /authentik/repo1
repo1-s3-uri-style: path
manual:
repoName: repo1
options:
- --type=full
repos:
- name: repo1
schedules:
full: "0 1 * * 0"
differential: "0 1 * * 1-6"
s3:
bucket: "crunchy-postgres"
endpoint: "erebor.hsn.dev"
region: "us-east-1"
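Review bot: `options: "SUPERUSER"` on the `authentik` user grants far more than the application needs; the operator makes the user owner of each listed database by default, which is enough for the app's schema migrations, and a superuser role turns a compromise of the authentik pod into full control of the database cluster (file reads and `COPY ... PROGRAM` on the node). Remove the `options` line, or narrow it to a single privilege only if an extension install proves to require it. The pgBackRest repo sets no `repo1-cipher-type`, so the IdP database — password hashes, tokens, OAuth client secrets, sessions — lands on `erebor.hsn.dev` unencrypted unless the bucket enforces server-side encryption; `repo1-cipher-type: aes-256-cbc` with `repo1-cipher-pass` carried in the `pgo-s3-creds` secret makes the backups safe independent of the storage backend.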


@ -0,0 +1,35 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cluster-apps-authentik-redis
namespace: flux-system
spec:
interval: 10m
path: "./kubernetes/apps/security/authentik/redis"
prune: true
sourceRef:
kind: GitRepository
name: valinor
wait: true
dependsOn:
- name: cluster-apps-external-secrets-stores
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cluster-apps-authentik
namespace: flux-system
spec:
interval: 10m
path: "./kubernetes/apps/security/authentik/app"
prune: true
sourceRef:
kind: GitRepository
name: valinor
wait: true
dependsOn:
- name: cluster-apps-external-secrets-stores
- name: cluster-apps-authentik-redis
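Review bot: `cluster-apps-authentik` depends on the redis and external-secrets-stores Kustomizations but not on whatever installs the CrunchyData operator, yet the `app/` path applies a `PostgresCluster`; with `wait: true` a fresh bootstrap can fail the apply on the missing CRD until the operator happens to arrive. If the operator is managed by a Flux Kustomization, add it to `dependsOn` alongside the existing entries, e.g. `- name: <the operator's Kustomization name>`, so ordering is explicit rather than accidental.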


@ -0,0 +1,24 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik-redis
namespace: security
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: authentik-redis-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
AUTHENTIK_REDIS_PASSWORD: "{{ .authentik_redis_password }}"
dataFrom:
- extract:
key: Authentik
rewrite:
- regexp:
source: "(.*)"
target: "authentik_$1"


@ -0,0 +1,61 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: authentik-redis
namespace: security
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 2.0.2
interval: 30m
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
values:
controllers:
main:
annotations:
secret.reloader.stakater.com/reload: authentik-redis-secret
pod:
automountServiceAccountToken: false
containers:
main:
image:
repository: public.ecr.aws/docker/library/redis
tag: 7.2.1
command:
- sh
args:
- -c
- >-
redis-server --requirepass $REDIS_PASSWORD
env:
REDIS_PORT: &port 6379
REDIS_PASSWORD:
valueFrom:
secretKeyRef:
name: authentik-redis-secret
key: AUTHENTIK_REDIS_PASSWORD
resources:
requests:
cpu: 5m
memory: 128M
limits:
memory: 256M
service:
main:
ports:
http:
enabled: false
redis:
enabled: true
port: *port
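Review bot: the `args` line `redis-server --requirepass $REDIS_PASSWORD` expands the secret unquoted inside `sh -c`, so a password containing whitespace or shell metacharacters is split or interpreted, and the value lands in the process argv where anyone who can read `/proc` on the node or `kubectl exec` into the pod can see it. Quote it at minimum, `exec redis-server --requirepass "$REDIS_PASSWORD"`, and prefer feeding the setting via stdin so it never appears in argv: `printf 'requirepass %s\n' "$REDIS_PASSWORD" | redis-server -`. The container also sets no `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, dropped capabilities), which the app-template chart supports and which costs nothing for a cache that holds IdP session state.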


@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: security
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml
commonLabels:
app.kubernetes.io/name: authentik-redis
app.kubernetes.io/instance: authentik


@ -1,4 +1,5 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:


@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: authentik
namespace: flux-system
spec:
interval: 1h
url: https://charts.goauthentik.io


@ -3,6 +3,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- authentik.yaml
- bitnami.yaml
- bjw-s.yaml
- cilium.yaml