diff --git a/cluster/authentik/helmrelease-authentik.yaml b/cluster/authentik/helmrelease-authentik.yaml deleted file mode 100644
index 1b5c0ee..0000000
--- a/cluster/authentik/helmrelease-authentik.yaml
+++ /dev/null
@@ -1,1029 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: authentik - namespace: authentik - annotations: - force-recreate: true -spec: - chart: - spec: - chart: authentik - sourceRef: - kind: HelmRepository - name: authentik - namespace: flux-system - interval: 15m0s - timeout: 5m - releaseName: authentik - values: - # -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible - nameOverride: "" - # -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible - fullnameOverride: "" - # -- Override the Kubernetes version, which is used to evaluate certain manifests - kubeVersionOverride: "" - - - ## Globally shared configuration for authentik components. - global: - # -- Provide a name in place of `authentik` - nameOverride: "" - # -- String to fully override `"authentik.fullname"` - fullnameOverride: "" - # -- Common labels for all resources. - additionalLabels: {} - # app: authentik - - # Number of old deployment ReplicaSets to retain. The rest will be garbage collected. - revisionHistoryLimit: 3 - - # Default image used by all authentik components. For GeoIP configuration, see the geoip values below. - image: - # -- If defined, a repository applied to all authentik deployments - repository: ghcr.io/goauthentik/server - # -- Overrides the global authentik whose default is the chart appVersion - tag: "" - # -- If defined, an image digest applied to all authentik deployments - digest: "" - # -- If defined, an imagePullPolicy applied to all authentik deployments - pullPolicy: IfNotPresent - - # -- Secrets with credentials to pull images from a private registry - imagePullSecrets: [] - - # -- Annotations for all deployed Deployments - deploymentAnnotations: {} - - # -- Annotations for all deployed pods - podAnnotations: {} - - # -- Labels for all deployed pods - podLabels: {} - - # -- Add Prometheus scrape annotations to all metrics services. 
This can be used as an alternative to the ServiceMonitors. - addPrometheusAnnotations: false - - # -- Toggle and define pod-level security context. - # @default -- `{}` (See [values.yaml]) - securityContext: {} - # runAsUser: 1000 - # runAsGroup: 1000 - # fsGroup: 1000 - - # -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files - hostAliases: [] - # - ip: 10.20.30.40 - # hostnames: - # - my.hostname - - # -- Default priority class for all components - priorityClassName: "" - - # -- Default node selector for all components - nodeSelector: {} - - # -- Default tolerations for all components - tolerations: [] - - # Default affinity preset for all components - affinity: - # -- Default pod anti-affinity rules. Either: `none`, `soft` or `hard` - podAntiAffinity: soft - # Node affinity rules - nodeAffinity: - # -- Default node affinity rules. Either `none`, `soft` or `hard` - type: hard - # -- Default match expressions for node affinity - matchExpressions: [] - # - key: topology.kubernetes.io/zone - # operator: In - # values: - # - zonea - # - zoneb - - # -- Default [TopologySpreadConstraints] rules for all components - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - - # -- Deployment strategy for all deployed Deployments - deploymentStrategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 25% - # maxUnavailable: 25% - - # -- Environment variables to pass to all deployed Deployments. 
Does not apply to GeoIP - # See configuration options at https://goauthentik.io/docs/installation/configuration/ - # @default -- `[]` (See [values.yaml]) - env: - - name: AUTHENTIK_SECRET_KEY - valueFrom: - secretKeyRef: - name: authentik-secret - key: secret-key - - name: AUTHENTIK_POSTGRESQL__PASSWORD - valueFrom: - secretKeyRef: - name: authentik-secret - key: postgres-password - - name: AUTHENTIK_REDIS__PASSWORD - valueFrom: - secretKeyRef: - name: authentik-secret - key: redis-password - # - name: AUTHENTIK_VAR_NAME - # value: VALUE - # - name: AUTHENTIK_VAR_OTHER - # valueFrom: - # secretKeyRef: - # name: secret-name - # key: secret-key - # - name: AUTHENTIK_VAR_ANOTHER - # valueFrom: - # configMapKeyRef: - # name: config-map-name - # key: config-map-key - - # -- envFrom to pass to all deployed Deployments. Does not apply to GeoIP - # @default -- `[]` (See [values.yaml]) - envFrom: [] - # - configMapRef: - # name: config-map-name - # - secretRef: - # name: secret-name - - # -- Additional volumeMounts to all deployed Deployments. Does not apply to GeoIP - # @default -- `[]` (See [values.yaml]) - volumeMounts: [] - # - name: custom - # mountPath: /custom - - # -- Additional volumes to all deployed Deployments. - # @default -- `[]` (See [values.yaml]) - volumes: [] - # - name: custom - # emptyDir: {} - - - ## Authentik configuration - authentik: - # -- Log level for server and worker - log_level: info - # -- Secret key used for cookie singing and unique user IDs, - # don't change this after the first install - secret_key: "" - events: - context_processors: - # -- Path for the GeoIP City database. If the file doesn't exist, GeoIP features are disabled. - geoip: /geoip/GeoLite2-City.mmdb - # -- Path for the GeoIP ASN database. If the file doesn't exist, GeoIP features are disabled. 
- asn: /geoip/GeoLite2-ASN.mmdb - email: - # -- SMTP Server emails are sent from, fully optional - host: "" - # -- SMTP server port - port: 587 - # -- SMTP credentials, when left empty, no authentication will be done - username: "" - # -- SMTP credentials, when left empty, no authentication will be done - password: "" - # -- Enable either use_tls or use_ssl, they can't be enabled at the same time. - use_tls: false - # -- Enable either use_tls or use_ssl, they can't be enabled at the same time. - use_ssl: false - # -- Connection timeout - timeout: 30 - # -- Email from address, can either be in the format "foo@bar.baz" or "authentik " - from: "" - outposts: - # -- Template used for managed outposts. The following placeholders can be used - # %(type)s - the type of the outpost - # %(version)s - version of your authentik install - # %(build_hash)s - only for beta versions, the build hash of the image - container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s - error_reporting: - # -- This sends anonymous usage-data, stack traces on errors and - # performance data to sentry.beryju.org, and is fully opt-in - enabled: false - # -- This is a string that is sent to sentry with your error reports - environment: "k8s" - # -- Send PII (Personally identifiable information) data to sentry - send_pii: false - postgresql: - # -- set the postgresql hostname to talk to - # if unset and .Values.postgresql.enabled == true, will generate the default - # @default -- `{{ .Release.Name }}-postgresql` - host: "postgresql.postgresql.svc.cluster.local" - # -- postgresql Database name - # @default -- `authentik` - name: "authentik" - # -- postgresql Username - # @default -- `authentik` - user: "authentik" - #password: "" - port: 5432 - redis: - # -- set the redis hostname to talk to - # @default -- `{{ .Release.Name }}-redis-master` - host: "redis-master.redis-system.svc.cluster.local" - #host: "{{ .Release.Name }}-redis-master" - #password: "" - - - blueprints: - # -- List of config 
maps to mount blueprints from. - # Only keys in the configMap ending with `.yaml` will be discovered and applied. - configMaps: [] - # -- List of secrets to mount blueprints from. - # Only keys in the secret ending with `.yaml` will be discovered and applied. - secrets: [] - - - ## authentik server - server: - # -- authentik server name - name: server - - # -- The number of server pods to run - replicas: 1 - - ## authentik server Horizontal Pod Autoscaler - autoscaling: - # -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik server - enabled: false - # -- Minimum number of replicas for the authentik server [HPA] - minReplicas: 1 - # -- Maximum number of replicas for the authentik server [HPA] - maxReplicas: 5 - # -- Average CPU utilization percentage for the authentik server [HPA] - targetCPUUtilizationPercentage: 50 - # -- Average memory utilization percentage for the authentik server [HPA] - targetMemoryUtilizationPercentage: ~ - # -- Configures the scaling behavior of the target in both Up and Down directions. 
- behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 - # -- Configures custom HPA metrics for the authentik server - # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - metrics: [] - - ## authentik server Pod Disruption Budget - ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - pdb: - # -- Deploy a [PodDistrubtionBudget] for the authentik server - enabled: false - # -- Labels to be added to the authentik server pdb - labels: {} - # -- Annotations to be added to the authentik server pdb - annotations: {} - # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) - # @default -- `""` (defaults to 0 if not specified) - minAvailable: "" - # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%) - ## Has higher precedence over `server.pdb.minAvailable` - maxUnavailable: "" - - ## authentik server image - ## This should match what is deployed in the worker. 
Prefer using global.image - image: - # -- Repository to use to the authentik server - # @default -- `""` (defaults to global.image.repository) - repository: "" # defaults to global.image.repository - # -- Tag to use to the authentik server - # @default -- `""` (defaults to global.image.tag) - tag: "" # defaults to global.image.tag - # -- Digest to use to the authentik server - # @default -- `""` (defaults to global.image.digest) - digest: "" # defaults to global.image.digest - # -- Image pull policy to use to the authentik server - # @default -- `""` (defaults to global.image.pullPolicy) - pullPolicy: "" # defaults to global.image.pullPolicy - - # -- Secrets with credentials to pull images from a private registry - # @default -- `[]` (defaults to global.imagePullSecrets) - imagePullSecrets: [] - - # -- Environment variables to pass to the authentik server. Does not apply to GeoIP - # See configuration options at https://goauthentik.io/docs/installation/configuration/ - # @default -- `[]` (See [values.yaml]) - env: [] - # - name: AUTHENTIK_VAR_NAME - # value: VALUE - # - name: AUTHENTIK_VAR_OTHER - # valueFrom: - # secretKeyRef: - # name: secret-name - # key: secret-key - # - name: AUTHENTIK_VAR_ANOTHER - # valueFrom: - # configMapKeyRef: - # name: config-map-name - # key: config-map-key - - # -- envFrom to pass to the authentik server. 
Does not apply to GeoIP - # @default -- `[]` (See [values.yaml]) - envFrom: [] - # - configMapRef: - # name: config-map-name - # - secretRef: - # name: secret-name - - # -- Specify postStart and preStop lifecycle hooks for you authentik server container - lifecycle: {} - - # -- Additional containers to be added to the authentik server pod - ## Note: Supports use of custom Helm templates - extraContainers: [] - # - name: my-sidecar - # image: nginx:latest - - # -- Init containers to add to the authentik server pod - ## Note: Supports use of custom Helm templates - initContainers: [] - # - name: download-tools - # image: alpine:3 - # command: [sh, -c] - # args: - # - echo init - - # -- Additional volumeMounts to the authentik server main container - volumeMounts: [] - # - name: custom - # mountPath: /custom - - # -- Additional volumes to the authentik server pod - volumes: [] - # - name: custom - # emptyDir: {} - - # -- Annotations to be added to the authentik server Deployment - deploymentAnnotations: {} - - # -- Annotations to be added to the authentik server pods - podAnnotations: {} - - # -- Labels to be added to the authentik server pods - podLabels: {} - - # -- Resource limits and requests for the authentik server - resources: {} - # requests: - # cpu: 100m - # memory: 512Mi - # limits: - # memory: 512Mi - - # authentik server container ports - containerPorts: - # -- http container port - http: 9000 - # -- https container port - https: 9443 - # -- metrics container port - metrics: 9300 - - # -- Host Network for authentik server pods - hostNetwork: false - - # -- [DNS configuration] - dnsConfig: {} - # -- Alternative DNS policy for authentik server pods - dnsPolicy: "" - - # -- authentik server pod-level security context - # @default -- `{}` (See [values.yaml]) - securityContext: {} - # runAsUser: 1000 - # runAsGroup: 1000 - # fsGroup: 1000 - - # -- authentik server container-level security context - # @default -- See [values.yaml] - containerSecurityContext: {} 
- # Not all of the following has been tested. Use at your own risk. - # runAsNonRoot: true - # readOnlyRootFilesystem: true - # allowPrivilegeEscalation: false - # seccomProfile: - # type: RuntimeDefault - # capabilities: - # drop: - # - ALL - - ## Liveness, readiness and startup probes for authentik server - ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ - livenessProbe: - # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded - failureThreshold: 3 - # -- Number of seconds after the container has started before [probe] is initiated - initialDelaySeconds: 5 - # -- How often (in seconds) to perform the [probe] - periodSeconds: 10 - # -- Minimum consecutive successes for the [probe] to be considered successful after having failed - successThreshold: 1 - # -- Number of seconds after which the [probe] times out - timeoutSeconds: 1 - ## Probe configuration - httpGet: - path: /-/health/live/ - port: http - - readinessProbe: - # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded - failureThreshold: 3 - # -- Number of seconds after the container has started before [probe] is initiated - initialDelaySeconds: 5 - # -- How often (in seconds) to perform the [probe] - periodSeconds: 10 - # -- Minimum consecutive successes for the [probe] to be considered successful after having failed - successThreshold: 1 - # -- Number of seconds after which the [probe] times out - timeoutSeconds: 1 - ## Probe configuration - httpGet: - path: /-/health/ready/ - port: http - - startupProbe: - # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded - failureThreshold: 60 - # -- Number of seconds after the container has started before [probe] is initiated - initialDelaySeconds: 5 - # -- How often (in seconds) to perform the [probe] - periodSeconds: 10 - # -- Minimum consecutive successes for the [probe] to be 
considered successful after having failed - successThreshold: 1 - # -- Number of seconds after which the [probe] times out - timeoutSeconds: 1 - ## Probe configuration - httpGet: - path: /-/health/live/ - port: http - - # -- terminationGracePeriodSeconds for container lifecycle hook - terminationGracePeriodSeconds: 30 - - # -- Prority class for the authentik server pods - # @default -- `""` (defaults to global.priorityClassName) - priorityClassName: "" - - # -- [Node selector] - # @default -- `{}` (defaults to global.nodeSelector) - nodeSelector: {} - - # -- [Tolerations] for use with node taints - # @default -- `[]` (defaults to global.tolerations) - tolerations: [] - - # -- Assign custom [affinity] rules to the deployment - # @default -- `{}` (defaults to the global.affinity preset) - affinity: {} - - # -- Assign custom [TopologySpreadConstraints] rules to the authentik server - # @default -- `[]` (defaults to global.topologySpreadConstraints) - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - - # -- Deployment strategy to be added to the authentik server Deployment - # @default -- `{}` (defaults to global.deploymentStrategy) - deploymentStrategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 25% - # maxUnavailable: 25% - - ## authentik server service configuration - service: - # -- authentik server service annotations - annotations: {} - # -- authentik server service labels - labels: {} - # -- authentik server service type - type: LoadBalancer - # -- authentik server service http port for NodePort service type (only if `server.service.type` is set to `NodePort`) - nodePortHttp: 30080 - # -- authentik server service https port for NodePort service type (only if 
`server.service.type` is set to `NodePort`) - nodePortHttps: 30443 - # -- authentik server service http port - servicePortHttp: 80 - # -- authentik server service https port - servicePortHttps: 443 - # -- authentik server service http port name - servicePortHttpName: http - # -- authentik server service https port name - servicePortHttpsName: https - # -- authentik server service http port appProtocol - # servicePortHttpAppProtocol: HTTP - # -- authentik server service https port appProtocol - # servicePortHttpsAppProtocol: HTTPS - # -- LoadBalancer will get created with the IP specified in this field - loadBalancerIP: "" - # -- Source IP ranges to allow access to service from - loadBalancerSourceRanges: [] - # -- authentik server service external IPs - externalIPs: [] - # -- Denotes if this service desires to route external traffic to node-local or cluster-wide endpoints - externalTrafficPolicy: "" - # -- Used to maintain session affinity. Supports `ClientIP` and `None` - sessionAffinity: "" - # -- Session affinity configuration - sessionAffinityConfig: {} - - ## authentik server metrics service configuration - metrics: - # -- deploy metrics service - enabled: true - service: - # -- metrics service type - type: ClusterIP - # -- metrics service clusterIP. 
`None` makes a "headless service" (no virtual IP) - clusterIP: "" - # -- metrics service annotations - annotations: {} - # -- metrics service labels - labels: {} - # -- metrics service port - servicePort: 9300 - # -- metrics service port name - portName: metrics - serviceMonitor: - # -- enable a prometheus ServiceMonitor - enabled: false - # -- Prometheus ServiceMonitor interval - interval: 30s - # -- Prometheus ServiceMonitor scrape timeout - scrapeTimeout: 3s - # -- Prometheus [RelabelConfigs] to apply to samples before scraping - relabelings: [] - # -- Prometheus [MetricsRelabelConfigs] to apply to samples before ingestion - metricRelabelings: [] - # -- Prometheus ServiceMonitor selector - selector: {} - # prometheus: kube-prometheus - - # -- Prometheus ServiceMonitor scheme - scheme: "" - # -- Prometheus ServiceMonitor tlsConfig - tlsConfig: {} - # -- Prometheus ServiceMonitor namespace - namespace: "" - # -- Prometheus ServiceMonitor labels - labels: {} - # -- Prometheus ServiceMonitor annotations - annotations: {} - - ingress: - # -- enable an ingress resource for the authentik server - enabled: false - # -- additional ingress annotations - annotations: {} - # -- additional ingress labels - labels: {} - # -- defines which ingress controller will implement the resource - ingressClassName: "" - # -- List of ingress hosts - hosts: [] - # - authentik.domain.tld - - # -- List of ingress paths - paths: - - / - # -- Ingress path type. 
One of `Exact`, `Prefix` or `ImplementationSpecific` - pathType: Prefix - # -- additional ingress paths - extraPaths: [] - # - path: /* - # pathType: Prefix - # backend: - # service: - # name: ssl-redirect - # port: - # name: use-annotation - - # -- ingress TLS configuration - tls: [] - # - secretName: authentik-tls - # hosts: - # - authentik.domain.tld - - # -- uses `server.service.servicePortHttps` instead of `server.service.servicePortHttp` - https: false - - - ## authentik worker - worker: - # -- authentik worker name - name: worker - - # -- The number of worker pods to run - replicas: 1 - - ## authentik worker Horizontal Pod Autoscaler - autoscaling: - # -- Enable Horizontal Pod Autoscaler ([HPA]) for the authentik worker - enabled: true - # -- Minimum number of replicas for the authentik worker [HPA] - minReplicas: 1 - # -- Maximum number of replicas for the authentik worker [HPA] - maxReplicas: 5 - # -- Average CPU utilization percentage for the authentik worker [HPA] - targetCPUUtilizationPercentage: 50 - # -- Average memory utilization percentage for the authentik worker [HPA] - targetMemoryUtilizationPercentage: ~ - # -- Configures the scaling behavior of the target in both Up and Down directions. 
- behavior: {} - # scaleDown: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 1 - # periodSeconds: 180 - # scaleUp: - # stabilizationWindowSeconds: 300 - # policies: - # - type: Pods - # value: 2 - # periodSeconds: 60 - # -- Configures custom HPA metrics for the authentik worker - # Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ - metrics: [] - - ## authentik worker Pod Disruption Budget - ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ - pdb: - # -- Deploy a [PodDistrubtionBudget] for the authentik worker - enabled: false - # -- Labels to be added to the authentik worker pdb - labels: {} - # -- Annotations to be added to the authentik worker pdb - annotations: {} - # -- Number of pods that are available after eviction as number or percentage (eg.: 50%) - # @default -- `""` (defaults to 0 if not specified) - minAvailable: "" - # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%) - ## Has higher precedence over `worker.pdb.minAvailable` - maxUnavailable: "" - - ## authentik worker image - ## This should match what is deployed in the server. 
Prefer using global.image - image: - # -- Repository to use to the authentik worker - # @default -- `""` (defaults to global.image.repository) - repository: "" # defaults to global.image.repository - # -- Tag to use to the authentik worker - # @default -- `""` (defaults to global.image.tag) - tag: "" # defaults to global.image.tag - # -- Digest to use to the authentik worker - # @default -- `""` (defaults to global.image.digest) - digest: "" # defaults to global.image.digest - # -- Image pull policy to use to the authentik worker - # @default -- `""` (defaults to global.image.pullPolicy) - pullPolicy: "" # defaults to global.image.pullPolicy - - # -- Secrets with credentials to pull images from a private registry - # @default -- `[]` (defaults to global.imagePullSecrets) - imagePullSecrets: [] - - # -- Environment variables to pass to the authentik worker. Does not apply to GeoIP - # See configuration options at https://goauthentik.io/docs/installation/configuration/ - # @default -- `[]` (See [values.yaml]) - env: - - name: AUTHENTIK_REDIS__DB - value: "1" - # - name: AUTHENTIK_VAR_NAME - # value: VALUE - # - name: AUTHENTIK_VAR_OTHER - # valueFrom: - # secretKeyRef: - # name: secret-name - # key: secret-key - # - name: AUTHENTIK_VAR_ANOTHER - # valueFrom: - # configMapKeyRef: - # name: config-map-name - # key: config-map-key - - # -- envFrom to pass to the authentik worker. 
Does not apply to GeoIP - # @default -- `[]` (See [values.yaml]) - envFrom: [] - # - configMapRef: - # name: config-map-name - # - secretRef: - # name: secret-name - - # -- Specify postStart and preStop lifecycle hooks for you authentik worker container - lifecycle: {} - - # -- Additional containers to be added to the authentik worker pod - ## Note: Supports use of custom Helm templates - extraContainers: [] - # - name: my-sidecar - # image: nginx:latest - - # -- Init containers to add to the authentik worker pod - ## Note: Supports use of custom Helm templates - initContainers: [] - # - name: download-tools - # image: alpine:3 - # command: [sh, -c] - # args: - # - echo init - - # -- Additional volumeMounts to the authentik worker main container - volumeMounts: [] - # - name: custom - # mountPath: /custom - - # -- Additional volumes to the authentik worker pod - volumes: [] - # - name: custom - # emptyDir: {} - - # -- Annotations to be added to the authentik worker Deployment - deploymentAnnotations: {} - - # -- Annotations to be added to the authentik worker pods - podAnnotations: {} - - # -- Labels to be added to the authentik worker pods - podLabels: {} - - # -- Resource limits and requests for the authentik worker - resources: {} - # requests: - # cpu: 100m - # memory: 512Mi - # limits: - # memory: 512Mi - - # -- Host Network for authentik worker pods - hostNetwork: false - - # -- [DNS configuration] - dnsConfig: {} - # -- Alternative DNS policy for authentik worker pods - dnsPolicy: "" - - # -- authentik worker pod-level security context - # @default -- `{}` (See [values.yaml]) - securityContext: {} - # runAsUser: 1000 - # runAsGroup: 1000 - # fsGroup: 1000 - - # -- authentik worker container-level security context - # @default -- See [values.yaml] - containerSecurityContext: {} - # Not all of the following has been tested. Use at your own risk. 
- # runAsNonRoot: true - # readOnlyRootFilesystem: true - # allowPrivilegeEscalation: false - # seccomProfile: - # type: RuntimeDefault - # capabilities: - # drop: - # - ALL - - livenessProbe: - # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded - failureThreshold: 3 - # -- Number of seconds after the container has started before [probe] is initiated - initialDelaySeconds: 5 - # -- How often (in seconds) to perform the [probe] - periodSeconds: 10 - # -- Minimum consecutive successes for the [probe] to be considered successful after having failed - successThreshold: 1 - # -- Number of seconds after which the [probe] times out - timeoutSeconds: 1 - ## Probe configuration - exec: - command: - - ak - - healthcheck - - readinessProbe: - # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded - failureThreshold: 3 - # -- Number of seconds after the container has started before [probe] is initiated - initialDelaySeconds: 5 - # -- How often (in seconds) to perform the [probe] - periodSeconds: 10 - # -- Minimum consecutive successes for the [probe] to be considered successful after having failed - successThreshold: 1 - # -- Number of seconds after which the [probe] times out - timeoutSeconds: 1 - ## Probe configuration - exec: - command: - - ak - - healthcheck - - startupProbe: - # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded - failureThreshold: 60 - # -- Number of seconds after the container has started before [probe] is initiated - initialDelaySeconds: 30 - # -- How often (in seconds) to perform the [probe] - periodSeconds: 10 - # -- Minimum consecutive successes for the [probe] to be considered successful after having failed - successThreshold: 1 - # -- Number of seconds after which the [probe] times out - timeoutSeconds: 1 - ## Probe configuration - exec: - command: - - ak - - healthcheck - - # -- terminationGracePeriodSeconds for 
container lifecycle hook - terminationGracePeriodSeconds: 30 - - # -- Prority class for the authentik worker pods - # @default -- `""` (defaults to global.priorityClassName) - priorityClassName: "" - - # -- [Node selector] - # @default -- `{}` (defaults to global.nodeSelector) - nodeSelector: {} - - # -- [Tolerations] for use with node taints - # @default -- `[]` (defaults to global.tolerations) - tolerations: [] - - # -- Assign custom [affinity] rules to the deployment - # @default -- `{}` (defaults to the global.affinity preset) - affinity: {} - - # -- Assign custom [TopologySpreadConstraints] rules to the authentik worker - # @default -- `[]` (defaults to global.topologySpreadConstraints) - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ - ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment - topologySpreadConstraints: [] - # - maxSkew: 1 - # topologyKey: topology.kubernetes.io/zone - # whenUnsatisfiable: DoNotSchedule - - # -- Deployment strategy to be added to the authentik worker Deployment - # @default -- `{}` (defaults to global.deploymentStrategy) - deploymentStrategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 25% - # maxUnavailable: 25% - - - serviceAccount: - # -- Create service account. 
Needed for managed outposts - create: true - # -- additional service account annotations - annotations: {} - serviceAccountSecret: - # As we use the authentik-remote-cluster chart as subchart, and that chart - # creates a service account secret by default which we don't need here, - # disable its creation - enabled: false - fullnameOverride: authentik - - - geoip: - # -- enable GeoIP sidecars for the authentik server and worker pods - enabled: false - - editionIds: "GeoLite2-City GeoLite2-ASN" - # -- GeoIP update frequency, in hours - updateInterval: 8 - # -- sign up under https://www.maxmind.com/en/geolite2/signup - accountId: "" - # -- sign up under https://www.maxmind.com/en/geolite2/signup - licenseKey: "" - ## use existing secret instead of values above - existingSecret: - # -- name of an existing secret to use instead of values above - secretName: "" - # -- key in the secret containing the account ID - accountId: "account_id" - # -- key in the secret containing the license key - licenseKey: "license_key" - - image: - # -- If defined, a repository for GeoIP images - repository: ghcr.io/maxmind/geoipupdate - # -- If defined, a tag for GeoIP images - tag: v6.0.0 - # -- If defined, an image digest for GeoIP images - digest: "" - # -- If defined, an imagePullPolicy for GeoIP images - pullPolicy: IfNotPresent - - # -- Environment variables to pass to the GeoIP containers - # @default -- `[]` (See [values.yaml]) - env: [] - # - name: GEOIPUPDATE_VAR_NAME - # value: VALUE - # - name: GEOIPUPDATE_VAR_OTHER - # valueFrom: - # secretKeyRef: - # name: secret-name - # key: secret-key - # - name: GEOIPUPDATE_VAR_ANOTHER - # valueFrom: - # configMapKeyRef: - # name: config-map-name - # key: config-map-key - - # -- envFrom to pass to the GeoIP containers - # @default -- `[]` (See [values.yaml]) - envFrom: [] - # - configMapRef: - # name: config-map-name - # - secretRef: - # name: secret-name - - # -- Additional volumeMounts to the GeoIP containers. 
Make sure the volumes exists for the server and the worker. - volumeMounts: [] - # - name: custom - # mountPath: /custom - - # -- Resource limits and requests for GeoIP containers - resources: {} - # requests: - # cpu: 100m - # memory: 128Mi - # limits: - # memory: 128Mi - - # -- GeoIP container-level security context - # @default -- See [values.yaml] - containerSecurityContext: {} - # Not all of the following has been tested. Use at your own risk. - # runAsNonRoot: true - # readOnlyRootFilesystem: true - # allowPrivilegeEscalation: false - # seccomProfile: - # type: RuntimeDefault - # capabilities: - # drop: - # - ALL - - - prometheus: - rules: - enabled: false - # -- PrometheusRule namespace - namespace: "" - # -- PrometheusRule selector - selector: {} - # prometheus: kube-prometheus - - # -- PrometheusRule labels - labels: {} - # -- PrometheusRule annotations - annotations: {} - - - postgresql: - # -- enable the Bitnami PostgreSQL chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/postgresql/ for possible values. - enabled: false - auth: - username: authentik - database: authentik - # password: "" - primary: - extendedConfiguration: | - max_connections = 500 - # persistence: - # enabled: true - # storageClass: - # accessModes: - # - ReadWriteOnce - - - redis: - # -- enable the Bitnami Redis chart. Refer to https://github.com/bitnami/charts/blob/main/bitnami/redis/ for possible values. - enabled: false - architecture: standalone - auth: - enabled: false - - - # -- additional resources to deploy. Those objects are templated. - additionalObjects: [] - diff --git a/cluster/authentik/sealed-secret.yaml b/cluster/authentik/sealed-secret.yaml deleted file mode 100644 index 1350d03..0000000 --- a/cluster/authentik/sealed-secret.yaml +++ /dev/null 
@@ -1,17 +0,0 @@
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
- creationTimestamp: null
- name: authentik-secret
- namespace: authentik
-spec:
- encryptedData:
- postgres-password: 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
- redis-password: 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
- secret-key: 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
- template:
- metadata:
- creationTimestamp: null
- name: authentik-secret
- namespace: authentik
- type: Opaque
diff --git a/cluster/static-site-hosts/tylerperkins.xyz.yaml b/cluster/static-site-hosts/tylerperkins.xyz.yaml new file mode 100644
index 0000000..d744689
--- /dev/null
+++ b/cluster/static-site-hosts/tylerperkins.xyz.yaml
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tylerperkins.xyz
+ namespace: default
+spec:
+ selector:
+ matchLabels:
+ app: static-site
+ template:
+ metadata:
+ labels:
+ app: static-site
+ spec:
+ containers:
+ - name: tylerperkins-xyz
+ image: git.clortox.com/infrastructure/tylerperkins.xyz:0.0.2
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
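Review bot: The new Deployment in tylerperkins.xyz.yaml sets no pod- or container-level `securityContext` and no `resources`, so the static-site container runs with the cluster's defaults (root, privilege escalation allowed, full capability set, unbounded CPU and memory); the `containers:` entry at the end of the hunk is where these belong. Because the container listens on port 80, `runAsNonRoot: true` only works if the image is built to bind a low port unprivileged or is granted `NET_BIND_SERVICE`, and `readOnlyRootFilesystem: true` needs a writable `emptyDir` for any cache or run directory the web server uses — confirm both against the image before applying. The selector `app: static-site` is also generic: if other hosts under `cluster/static-site-hosts/` use the same label in the `default` namespace, their Deployments' selectors overlap and any Service selecting that label routes traffic across hosts, so a per-host value such as `app: tylerperkins-xyz` on both `matchLabels` and the pod `labels` is safer. Resource figures in the sketch below are constructed placeholders, not measured values.
```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: tylerperkins-xyz
          # … unchanged: image, ports …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true  # confirm the image needs no writable root
            capabilities:
              drop: ["ALL"]
          resources:  # placeholder figures — size from observed usage
            requests:
              cpu: 10m
              memory: 32Mi
            limits:
              memory: 64Mi
```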