From 12ce71571091187105a0e4ea4f427919cb97fc22 Mon Sep 17 00:00:00 2001
From: Tyler Perkins
Date: Fri, 3 May 2024 22:26:04 -0400
Subject: [PATCH] Add authentik
---
authentik/helmrelease-authentik.yaml | 285 +++++++++++++++++++++++++++
authentik/sealed-secret.yaml | 16 ++
2 files changed, 301 insertions(+)
create mode 100644 authentik/helmrelease-authentik.yaml
create mode 100644 authentik/sealed-secret.yaml
diff --git a/authentik/helmrelease-authentik.yaml b/authentik/helmrelease-authentik.yaml
new file mode 100644
index 0000000..822fb2e
--- /dev/null
+++ b/authentik/helmrelease-authentik.yaml
@@ -0,0 +1,285 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: authentik
+ namespace: authentik-ns
+ annotations:
+ force-recreate: true
+spec:
+ chart:
+ spec:
+ chart: authentik
+ sourceRef:
+ kind: HelmRepository
+ name: authentik
+ namespace: flux-system
+ interval: 15m0s
+ timeout: 5m
+ releaseName: authentik
+ values:
+ # -- Server replicas
+ replicas: 1
+ # -- Custom priority class for different treatment by the scheduler
+ priorityClassName:
+ # -- server securityContext
+ securityContext: {}
+ # -- server containerSecurityContext
+ containerSecurityContext: {}
+
+ worker:
+ # -- worker replicas
+ replicas: 1
+ # -- Custom priority class for different treatment by the scheduler
+ priorityClassName:
+ # -- worker securityContext
+ securityContext: {}
+ # -- server containerSecurityContext
+ containerSecurityContext: {}
+ env:
+ - name: AUTHENTIK_REDIS__DB
+ value: "1"
+
+ image:
+ repository: ghcr.io/goauthentik/server
+ tag: 2024.2.2
+ #tag: latest
+ # -- optional container image digest
+ digest: ""
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+
+ # -- Specify any initContainers here as dictionary items. Each initContainer should have its own key. The dictionary item key will determine the order. Helm templates can be used
+ initContainers: {}
+
+ # -- Specify any additional containers here as dictionary items. Each additional container should have its own key. Helm templates can be used.
+ additionalContainers: {}
+
+ ingress:
+ enabled: false
+ ingressClassName: ""
+ annotations: {}
+ labels: {}
+ hosts:
+ - host: authentik.domain.tld
+ paths:
+ - path: "/"
+ pathType: Prefix
+ tls: []
+
+ # -- Annotations to add to the server and worker deployments
+ annotations: {}
+
+ # -- Annotations to add to the server and worker pods
+ podAnnotations: {}
+
+ authentik:
+ # -- Log level for server and worker
+ log_level: info
+ # -- Secret key used for cookie singing and unique user IDs,
+ # don't change this after the first install
+ #secret_key: ""
+ # -- Path for the geoip database. If the file doesn't exist, GeoIP features are disabled.
+ geoip: /geoip/GeoLite2-City.mmdb
+ email:
+ # -- SMTP Server emails are sent from, fully optional
+ host: ""
+ port: 587
+ # -- SMTP credentials, when left empty, not authentication will be done
+ username: ""
+ # -- SMTP credentials, when left empty, not authentication will be done
+ password: ""
+ # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
+ use_tls: false
+ # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
+ use_ssl: false
+ # -- Connection timeout
+ timeout: 30
+ # -- Email from address, can either be in the format "foo@bar.baz" or "authentik "
+ from: ""
+ outposts:
+ # -- Template used for managed outposts. The following placeholders can be used
+ # %(type)s - the type of the outpost
+ # %(version)s - version of your authentik install
+ # %(build_hash)s - only for beta versions, the build hash of the image
+ container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
+ error_reporting:
+ # -- This sends anonymous usage-data, stack traces on errors and
+ # performance data to sentry.beryju.org, and is fully opt-in
+ enabled: false
+ # -- This is a string that is sent to sentry with your error reports
+ environment: "k8s"
+ # -- Send PII (Personally identifiable information) data to sentry
+ send_pii: false
+ postgresql:
+ # -- set the postgresql hostname to talk to
+ # if unset and .Values.postgresql.enabled == true, will generate the default
+ # @default -- `{{ .Release.Name }}-postgresql`
+ host: "postgresql.postgresql-system.svc.cluster.local"
+ # -- postgresql Database name
+ # @default -- `authentik`
+ name: "authentik"
+ # -- postgresql Username
+ # @default -- `authentik`
+ user: "authentik"
+ #password: ""
+ port: 5432
+ redis:
+ # -- set the redis hostname to talk to
+ # @default -- `{{ .Release.Name }}-redis-master`
+ host: "redis-master.redis-system.svc.cluster.local"
+ #password: ""
+
+ # -- List of config maps to mount blueprints from. Only keys in the
+ # configmap ending with ".yaml" wil be discovered and applied
+ blueprints: []
+
+ # -- see configuration options at https://goauthentik.io/docs/installation/configuration/
+ env:
+ - name: AUTHENTIK_REDIS__DB
+ value: "1"
+ # AUTHENTIK_VAR_NAME: VALUE
+
+ envFrom: []
+ # - configMapRef:
+ # name: special-config
+
+ envValueFrom:
+ AUTHENTIK_SECRET_KEY:
+ secretKeyRef:
+ name: authentik-secret
+ key: secret-key
+ AUTHENTIK_POSTGRESQL__PASSWORD:
+ secretKeyRef:
+ name: authentik-secret
+ key: postgres-password
+ AUTHENTIK_REDIS__PASSWORD:
+ secretKeyRef:
+ name: authentik-secret
+ key: redis-password
+
+ service:
+ # -- Service that is created to access authentik
+ enabled: true
+ type: LoadBalancer
+ port: 80
+ name: http
+ protocol: TCP
+ labels: {}
+ annotations: {}
+
+ volumes: []
+
+ volumeMounts: []
+
+ # -- affinity applied to the deployments
+ affinity: {}
+
+ # -- tolerations applied to the deployments
+ tolerations: []
+
+ # -- nodeSelector applied to the deployments
+ nodeSelector: {}
+
+ resources:
+ server: {}
+ worker: {}
+
+ autoscaling:
+ server:
+ # -- Create a HPA for the server deployment
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 5
+ targetCPUUtilizationPercentage: 50
+ worker:
+ # -- Create a HPA for the worker deployment
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 5
+ targetCPUUtilizationPercentage: 80
+
+ livenessProbe:
+ # -- enables or disables the livenessProbe
+ enabled: true
+ httpGet:
+ # -- liveness probe url path
+ path: /-/health/live/
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+
+ startupProbe:
+ # -- enables or disables the livenessProbe
+ enabled: true
+ httpGet:
+ # -- liveness probe url path
+ path: /-/health/live/
+ port: http
+ failureThreshold: 60
+ periodSeconds: 5
+
+ readinessProbe:
+ enabled: true
+ httpGet:
+ path: /-/health/ready/
+ port: http
+ periodSeconds: 10
+
+ serviceAccount:
+ # -- Service account is needed for managed outposts
+ create: true
+ annotations: {}
+ serviceAccountSecret:
+ # -- As we use the authentik-remote-cluster chart as subchart, and that chart
+ # creates a service account secret by default which we don't need here, disable its creation
+ enabled: false
+ fullnameOverride: authentik
+ nameOverride: authentik
+
+ prometheus:
+ serviceMonitor:
+ create: false
+ interval: 30s
+ scrapeTimeout: 3s
+ # -- labels additional on ServiceMonitor
+ labels: {}
+ rules:
+ create: false
+ # -- labels additional on PrometheusRule
+ labels: {}
+
+ geoip:
+ # -- optional GeoIP, deploys a cronjob to download the maxmind database
+ enabled: false
+ # -- sign up under https://www.maxmind.com/en/geolite2/signup
+ accountId: ""
+ # -- sign up under https://www.maxmind.com/en/geolite2/signup
+ licenseKey: ""
+ editionIds: "GeoLite2-City"
+ image: maxmindinc/geoipupdate:v4.8
+ # -- number of hours between update runs
+ updateInterval: 8
+ # -- server containerSecurityContext
+ containerSecurityContext: {}
+ postgresql:
+ # -- enable the bundled bitnami postgresql chart
+ enabled: false
+ postgresqlMaxConnections: 500
+ postgresqlUsername: "authentik"
+ # postgresqlPassword: ""
+ postgresqlDatabase: "authentik"
+ # persistence:
+ # enabled: true
+ # storageClass:
+ # accessModes:
+ # - ReadWriteOnce
+ image:
+ tag: 15.4.0-debian-11-r0
+ redis:
+ # -- enable the bundled bitnami redis chart
+ enabled: false
+ architecture: standalone
+ auth:
+ enabled: false
+ image:
+ tag: 6.2.10-debian-11-r13
diff --git a/authentik/sealed-secret.yaml b/authentik/sealed-secret.yaml
new file mode 100644
index 0000000..812e47b
--- /dev/null
+++ b/authentik/sealed-secret.yaml
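Review bot: `force-recreate: true` under `metadata.annotations` is an unquoted boolean, but Kubernetes annotation values must be strings, so the API server will reject this HelmRelease when Flux applies it; write `force-recreate: "true"`. The key also carries no controller prefix, so even as a string it presumably has no effect on Flux — confirm which tool is meant to read it or drop it. Separately, `service.type: LoadBalancer` on `port: 80` with `ingress.enabled: false` publishes the login UI and its session cookies over plaintext HTTP; terminate TLS in front of it (for example an ingress with `tls` populated) before this address is reachable from outside the cluster. The comment `# -- enables or disables the livenessProbe` under `startupProbe` is copied from the liveness block and should read `startupProbe`.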
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: authentik-secret
+ namespace: authentik-ns
+spec:
+ encryptedData:
+ postgres-password: AgBigFPSosBY6PGUxR4zdIntM+oGMyaDY9mHZBwL5xbjEEvmzNKCuCfQFuiE07WqV3fjWEp6D3o23fIMomPC3SNLWySfti8o5pyBrPGDZLR1dVYWLmkyMCj0pzbDmPgAArBuzGmQG6P+Kn4lqlkSU6F50ev/W8yHUPkrlp+iJsGM9wYNlboaZmDMowIK5ny8sQ5vIb+QakS3ybRa3DfX/T3yNvuhOeCt+367/3oV0yNmCEBK4qKpTsAkWctxXooX1wcAkOwMesqfE42I5Mt+s/UnbU5fXJdzM0YI7WZreEy5oaG1shDxp1PhXoc12yCt5KobTj0xlttUVFVb8IaOY7r4oSI74vrL8KGuZdny0oeWvVbiwA/SvOt7S05RdryYWf66jN71/Aku5LnKJwRoa7veGeX9S5pUe1wZyVSDN6trkJcG5ZJRmEerr4MOZ4YX9cB2FktEmd+estjIlm/UhEIRN8Qv4qd54t6j2Ajhk6EJ3Ky6mI9xiun+0ti9880rIHQiW5MpiZVB+nQlAosTVQu4wRjdnP6Z0ndP83e2rPkHJ/jF2iawXOBoS0Eh11UaXvRQyNQOt3ReIba7E0aSbynpULViOg/lVNLA2qgyp+37Veb44Mi2k7sHg7I8e6MOMVjBhfmv3HvMpdHHBIHSq2vaDlF/0i5o5OT0F1O+06OngfQAaQQc1SdpLeoPKget5fbNF9zgmfKxPodjayq+h6n3vm5QOc4TagtcG1PV38LsiQ==
+ redis-password: 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
+ secret-key: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: authentik-secret
+ namespace: authentik-ns
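Review bot: `redis-password` and `secret-key` appear on this page as the same removed value; if the committed ciphertexts really are identical, both keys unseal to the same plaintext, so `AUTHENTIK_SECRET_KEY` (which helmrelease-authentik.yaml wires from `secret-key` and documents as the cookie-signing key) would be shared with the Redis password. Confirm against the repository and, if so, reseal `secret-key` from an independently generated random value; the two secrets have different exposure and rotation lifecycles and should never be derived from one another. No scope annotation is present, so this presumably uses the default strict scope and unseals only as `authentik-secret` in `authentik-ns`, which matches the `secretKeyRef` names in the HelmRelease — keep it strict rather than widening it. The `creationTimestamp: null` lines are kubeseal output and harmless.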