From 1c8f061b319816a215b0f0b9a8aa74143560a303 Mon Sep 17 00:00:00 2001 
From: Ben Vincent Date: Sun, 28 Jun 2026 12:40:38 +1000 Subject: [PATCH] Add Authentik identity provider deployment - Helm chart authentik 2026.5.3 with 3 server replicas, 2 worker replicas - CNPG PostgreSQL cluster (3 instances) with rw and ro poolers (2 instances each) - Redis with 5Gi persistent storage - Gateway API: identity.unkin.net and identity.k8s.syd1.au.unkin.net (HTTPS) - LDAPS via TLSRoute on ldap.k8s.syd1.au.unkin.net and ldap.main.unkin.net - Multi-SAN TLS via cert-manager gateway integration - S3 storage via RadosGW (bucket: authentik) - Vault secrets: postgres-credentials, authentik-credentials, s3-credentials - Woodpecker ServiceAccount for terraform-authentik CI - Platform applicationset and project updated --- apps/base/authentik/cnpg_cluster.yaml | 91 +++++++++++++++ apps/base/authentik/cnpg_pooler.yaml | 66 +++++++++++ apps/base/authentik/gateway.yaml | 57 ++++++++++ apps/base/authentik/httproute.yaml | 59 ++++++++++ apps/base/authentik/kustomization.yaml | 19 ++++ apps/base/authentik/ldap-gateway.yaml | 47 ++++++++ apps/base/authentik/ldap-httproute.yaml | 32 ++++++ apps/base/authentik/ldap-service.yaml | 18 +++ apps/base/authentik/ldap-tlsroute.yaml | 26 +++++ apps/base/authentik/namespace.yaml | 5 + apps/base/authentik/redis-deployment.yaml | 58 ++++++++++ apps/base/authentik/redis-pvc.yaml | 13 +++ apps/base/authentik/redis-service.yaml | 17 +++ apps/base/authentik/vaultauth.yaml | 18 +++ apps/base/authentik/vaultstaticsecret.yaml | 51 +++++++++ apps/base/woodpecker/kustomization.yaml | 1 + .../serviceaccount_terraform_authentik.yaml | 6 + .../au-syd1/authentik/kustomization.yaml | 14 +++ apps/overlays/au-syd1/authentik/values.yaml | 105 ++++++++++++++++++ argocd/applicationsets/platform.yaml | 1 + argocd/projects/platform.yaml | 1 + 21 files changed, 705 insertions(+) create mode 100644 apps/base/authentik/cnpg_cluster.yaml create mode 100644 apps/base/authentik/cnpg_pooler.yaml create mode 100644 apps/base/authentik/gateway.yaml create 
mode 100644 apps/base/authentik/httproute.yaml create mode 100644 apps/base/authentik/kustomization.yaml create mode 100644 apps/base/authentik/ldap-gateway.yaml create mode 100644 apps/base/authentik/ldap-httproute.yaml create mode 100644 apps/base/authentik/ldap-service.yaml create mode 100644 apps/base/authentik/ldap-tlsroute.yaml create mode 100644 apps/base/authentik/namespace.yaml create mode 100644 apps/base/authentik/redis-deployment.yaml create mode 100644 apps/base/authentik/redis-pvc.yaml create mode 100644 apps/base/authentik/redis-service.yaml create mode 100644 apps/base/authentik/vaultauth.yaml create mode 100644 apps/base/authentik/vaultstaticsecret.yaml create mode 100644 apps/base/woodpecker/serviceaccount_terraform_authentik.yaml create mode 100644 apps/overlays/au-syd1/authentik/kustomization.yaml create mode 100644 apps/overlays/au-syd1/authentik/values.yaml diff --git a/apps/base/authentik/cnpg_cluster.yaml b/apps/base/authentik/cnpg_cluster.yaml new file mode 100644 index 0000000..dbb5e18 --- /dev/null +++ b/apps/base/authentik/cnpg_cluster.yaml 
@@ -0,0 +1,91 @@ +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: postgres + namespace: authentik +spec: + affinity: + podAntiAffinityType: preferred + bootstrap: + initdb: + database: authentik + encoding: UTF8 + localeCType: C + localeCollate: C + owner: authentik + secret: + name: postgres-credentials + enablePDB: true + enableSuperuserAccess: false + failoverDelay: 0 + imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie + instances: 3 + logLevel: info + maxSyncReplicas: 0 + minSyncReplicas: 0 + monitoring: + customQueriesConfigMap: + - key: queries + name: cnpg-default-monitoring + disableDefaultQueries: false + enablePodMonitor: false + postgresql: + parameters: + archive_mode: "on" + archive_timeout: 5min + dynamic_shared_memory_type: posix + effective_cache_size: 256MB + full_page_writes: "on" + log_destination: csvlog + log_directory: /controller/log + log_filename: postgres + log_rotation_age: "0" + log_rotation_size: "0" + log_truncate_on_rotation: "false" + logging_collector: "on" + max_connections: "200" + max_parallel_workers: "16" + max_replication_slots: "16" + max_worker_processes: "16" + shared_buffers: 128MB + shared_memory_type: mmap + ssl_max_protocol_version: TLSv1.3 + ssl_min_protocol_version: TLSv1.3 + wal_keep_size: 256MB + wal_level: logical + wal_log_hints: "on" + wal_receiver_timeout: 5s + wal_sender_timeout: 5s + syncReplicaElectionConstraint: + enabled: false + primaryUpdateMethod: restart + primaryUpdateStrategy: unsupervised + probes: + liveness: + isolationCheck: + connectionTimeout: 1000 + enabled: true + requestTimeout: 1000 + replicationSlots: + highAvailability: + enabled: true + slotPrefix: _cnpg_ + synchronizeReplicas: + enabled: true + updateInterval: 30 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 250m + memory: 256Mi + smartShutdownTimeout: 180 + startDelay: 3600 + stopDelay: 1800 + storage: + resizeInUseVolumes: true + size: 20Gi + storageClass: 
cephrbd-fast-delete + switchoverDelay: 3600 diff --git a/apps/base/authentik/cnpg_pooler.yaml b/apps/base/authentik/cnpg_pooler.yaml new file mode 100644 index 0000000..b657a60 --- /dev/null +++ b/apps/base/authentik/cnpg_pooler.yaml @@ -0,0 +1,66 @@ +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Pooler +metadata: + name: postgres-pooler-rw + namespace: authentik +spec: + cluster: + name: postgres + instances: 2 + pgbouncer: + parameters: + default_pool_size: "100" + max_client_conn: "400" + paused: false + poolMode: session + template: + metadata: + labels: + app: pooler-rw + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - pooler-rw + topologyKey: kubernetes.io/hostname + containers: [] + type: rw +--- +apiVersion: postgresql.cnpg.io/v1 +kind: Pooler +metadata: + name: postgres-pooler-ro + namespace: authentik +spec: + cluster: + name: postgres + instances: 2 + pgbouncer: + parameters: + default_pool_size: "100" + max_client_conn: "400" + paused: false + poolMode: session + template: + metadata: + labels: + app: pooler-ro + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - pooler-ro + topologyKey: kubernetes.io/hostname + containers: [] + type: ro diff --git a/apps/base/authentik/gateway.yaml b/apps/base/authentik/gateway.yaml new file mode 100644 index 0000000..bc13062 --- /dev/null +++ b/apps/base/authentik/gateway.yaml 
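Review bot: `minSyncReplicas: 0` and `maxSyncReplicas: 0` together with `failoverDelay: 0` make replication fully asynchronous, so an unplanned failover of this three-instance cluster can drop the most recently committed writes — for an identity provider that means just-issued tokens, password changes or freshly written events. Unless the latency cost has been weighed, `minSyncReplicas: 1` and `maxSyncReplicas: 1` (or at least a comment recording the trade-off) belongs next to `instances: 3`. `enablePodMonitor: false` also leaves the default CNPG metrics unscraped; if a Prometheus operator runs in this cluster, enabling it is the cheapest way to alert on replication lag and failovers. `imageName` pins a tag rather than a digest, as do the other image references in this commit.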
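Review bot: Each Pooler runs two PgBouncer instances with `default_pool_size: "100"` in `poolMode: session`, so the rw pooler alone can open up to 200 server connections against the cluster's `max_connections: "200"` in cnpg_cluster.yaml, leaving nothing for replication, the operator's own sessions or an emergency `psql`. Session mode pins a server connection to each client connection for its lifetime, so those pools do fill under load; a smaller `default_pool_size` (or a `max_db_connections` cap, if the operator permits that parameter) keeps headroom on the primary. The empty `containers: []` template also leaves the pgbouncer container without resource requests or limits; CNPG merges a template `containers` entry named `pgbouncer`, which is where `resources` can be set to match the limits given to the database pods.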
@@ -0,0 +1,57 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + labels: + traefik.io/instance: internal + annotations: + cert-manager.io/cluster-issuer: vault-issuer + cert-manager.io/common-name: identity.unkin.net + cert-manager.io/private-key-size: "4096" + external-dns.alpha.kubernetes.io/hostname: identity.unkin.net,identity.k8s.syd1.au.unkin.net + external-dns.alpha.kubernetes.io/target: 198.18.200.4 + name: authentik + namespace: authentik +spec: + gatewayClassName: traefik-internal + listeners: + - allowedRoutes: + namespaces: + from: Same + hostname: identity.unkin.net + name: http + port: 80 + protocol: HTTP + - allowedRoutes: + namespaces: + from: Same + hostname: identity.unkin.net + name: https + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: "" + kind: Secret + name: authentik-tls + mode: Terminate + - allowedRoutes: + namespaces: + from: Same + hostname: identity.k8s.syd1.au.unkin.net + name: http-internal + port: 80 + protocol: HTTP + - allowedRoutes: + namespaces: + from: Same + hostname: identity.k8s.syd1.au.unkin.net + name: https-internal + port: 443 + protocol: HTTPS + tls: + certificateRefs: + - group: "" + kind: Secret + name: authentik-tls + mode: Terminate diff --git a/apps/base/authentik/httproute.yaml b/apps/base/authentik/httproute.yaml new file mode 100644 index 0000000..bd4892e --- /dev/null +++ b/apps/base/authentik/httproute.yaml 
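Review bot: Both HTTPS listeners reference the same `authentik-tls` Secret, which is what makes cert-manager's gateway integration issue a single multi-SAN certificate, but no private-key rotation policy is set; cert-manager's default reuses the existing private key at every renewal, so the 4096-bit key for the IdP front door would live for as long as the Secret does. If the installed cert-manager honours it on Gateways, `cert-manager.io/private-key-rotation-policy: Always` alongside the existing `cert-manager.io/private-key-size: "4096"` annotation rotates the key with each renewal. The `cert-manager.io/common-name` names only `identity.unkin.net`, so the internal hostname appears as a SAN only, which is fine for clients but worth a comment so nobody "fixes" it later.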
@@ -0,0 +1,59 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: authentik-http-redirect + namespace: authentik +spec: + hostnames: + - identity.unkin.net + - identity.k8s.syd1.au.unkin.net + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: authentik + sectionName: http + - group: gateway.networking.k8s.io + kind: Gateway + name: authentik + sectionName: http-internal + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + matches: + - path: + type: PathPrefix + value: / +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: authentik + namespace: authentik +spec: + hostnames: + - identity.unkin.net + - identity.k8s.syd1.au.unkin.net + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: authentik + sectionName: https + - group: gateway.networking.k8s.io + kind: Gateway + name: authentik + sectionName: https-internal + rules: + - backendRefs: + - group: "" + kind: Service + name: authentik-server + port: 80 + weight: 1 + matches: + - path: + type: PathPrefix + value: / diff --git a/apps/base/authentik/kustomization.yaml b/apps/base/authentik/kustomization.yaml new file mode 100644 index 0000000..3c58eee --- /dev/null +++ b/apps/base/authentik/kustomization.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - cnpg_cluster.yaml + - cnpg_pooler.yaml + - gateway.yaml + - httproute.yaml + - ldap-gateway.yaml + - ldap-httproute.yaml + - ldap-service.yaml + - ldap-tlsroute.yaml + - namespace.yaml + - redis-deployment.yaml + - redis-pvc.yaml + - redis-service.yaml + - vaultauth.yaml + - vaultstaticsecret.yaml diff --git a/apps/base/authentik/ldap-gateway.yaml b/apps/base/authentik/ldap-gateway.yaml new file mode 100644 index 0000000..917afd1 --- /dev/null +++ b/apps/base/authentik/ldap-gateway.yaml 
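Review bot: The `authentik` route terminates TLS at the Gateway and forwards plain HTTP to `authentik-server` port 80, but nothing adds a Strict-Transport-Security header on the way back, so a browser that once follows an `http://` link relies solely on the 301 in the first route and can be downgraded on the next visit. Unless authentik itself is configured to emit HSTS, a `ResponseHeaderModifier` filter on the HTTPS route sets it for both hostnames; the rest of the rule is unchanged.

```yaml
  rules:
    - backendRefs:
        # … unchanged: authentik-server backend …
      filters:
        - type: ResponseHeaderModifier
          responseHeaderModifier:
            set:
              - name: Strict-Transport-Security
                value: max-age=31536000
      # … unchanged: PathPrefix / match …
```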
@@ -0,0 +1,47 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + labels: + traefik.io/instance: internal + annotations: + cert-manager.io/cluster-issuer: vault-issuer + cert-manager.io/common-name: ldap.k8s.syd1.au.unkin.net + cert-manager.io/private-key-size: "4096" + name: authentik-ldap + namespace: authentik +spec: + gatewayClassName: traefik-internal + listeners: + - allowedRoutes: + namespaces: + from: Same + hostname: ldap.k8s.syd1.au.unkin.net + name: ldaps-internal + port: 636 + protocol: TLS + tls: + mode: Passthrough + - allowedRoutes: + namespaces: + from: Same + hostname: ldap.main.unkin.net + name: ldaps-main + port: 636 + protocol: TLS + tls: + mode: Passthrough + - allowedRoutes: + namespaces: + from: Same + hostname: ldap.k8s.syd1.au.unkin.net + name: http-dns + port: 80 + protocol: HTTP + - allowedRoutes: + namespaces: + from: Same + hostname: ldap.main.unkin.net + name: http-dns-main + port: 80 + protocol: HTTP diff --git a/apps/base/authentik/ldap-httproute.yaml b/apps/base/authentik/ldap-httproute.yaml new file mode 100644 index 0000000..4f799e0 --- /dev/null +++ b/apps/base/authentik/ldap-httproute.yaml @@ -0,0 +1,32 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: authentik-ldap-dns + namespace: authentik + annotations: + external-dns.alpha.kubernetes.io/hostname: ldap.k8s.syd1.au.unkin.net,ldap.main.unkin.net + external-dns.alpha.kubernetes.io/target: 198.18.200.4 +spec: + hostnames: + - ldap.k8s.syd1.au.unkin.net + - ldap.main.unkin.net + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: authentik-ldap + sectionName: http-dns + - group: gateway.networking.k8s.io + kind: Gateway + name: authentik-ldap + sectionName: http-dns-main + rules: + - filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 + matches: + - path: + type: PathPrefix + value: / 
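Review bot: The `cert-manager.io/cluster-issuer`, `common-name` and `private-key-size` annotations on this Gateway appear to have no effect: both LDAPS listeners use `mode: Passthrough` and carry no `tls.certificateRefs`, and as far as I can tell cert-manager's gateway integration only issues certificates for listeners that reference a Secret. With passthrough, the certificate clients see is the one the authentik LDAP outpost presents, which must itself cover both `ldap.k8s.syd1.au.unkin.net` and `ldap.main.unkin.net`. Either drop the three annotations or replace them with a comment such as `# TLS is passed through to the LDAP outpost; the outpost's own certificate must cover both hostnames` so the inert annotations are not read as the source of that certificate.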
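Review bot: The redirect in `authentik-ldap-dns` sends clients to `https://ldap.…/`, but the `authentik-ldap` Gateway has no HTTPS listener on 443, so the redirect target is a dead end and the port-80 listeners seem to exist only so that the `external-dns.alpha.kubernetes.io/hostname` annotation here publishes the two LDAP names. That is a reasonable trick, but it is not obvious from the resource; a comment above `spec` such as `# HTTP listeners on authentik-ldap exist only so external-dns publishes these hostnames; there is no HTTPS service behind the redirect` would save the next reader from chasing a missing listener. The external-dns annotations also sit on the HTTPRoute here but on the Gateway in gateway.yaml; picking one placement would make the two front doors easier to compare.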
diff --git a/apps/base/authentik/ldap-service.yaml b/apps/base/authentik/ldap-service.yaml new file mode 100644 index 0000000..b9c4079 --- /dev/null +++ b/apps/base/authentik/ldap-service.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: authentik-ldap + namespace: authentik +spec: + internalTrafficPolicy: Cluster + ports: + - name: ldaps + port: 6636 + protocol: TCP + targetPort: 6636 + selector: + app.kubernetes.io/name: authentik + app.kubernetes.io/component: ldap + sessionAffinity: None + type: ClusterIP diff --git a/apps/base/authentik/ldap-tlsroute.yaml b/apps/base/authentik/ldap-tlsroute.yaml new file mode 100644 index 0000000..73b99fe --- /dev/null +++ b/apps/base/authentik/ldap-tlsroute.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: gateway.networking.k8s.io/v1alpha2 +kind: TLSRoute +metadata: + name: authentik-ldaps + namespace: authentik +spec: + hostnames: + - ldap.k8s.syd1.au.unkin.net + - ldap.main.unkin.net + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: authentik-ldap + sectionName: ldaps-internal + - group: gateway.networking.k8s.io + kind: Gateway + name: authentik-ldap + sectionName: ldaps-main + rules: + - backendRefs: + - group: "" + kind: Service + name: authentik-ldap + port: 6636 + weight: 1 diff --git a/apps/base/authentik/namespace.yaml b/apps/base/authentik/namespace.yaml new file mode 100644 index 0000000..ae71e15 --- /dev/null +++ b/apps/base/authentik/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: authentik diff --git a/apps/base/authentik/redis-deployment.yaml b/apps/base/authentik/redis-deployment.yaml new file mode 100644 index 0000000..2c1d251 --- /dev/null +++ b/apps/base/authentik/redis-deployment.yaml 
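Review bot: The `authentik-ldap` Service selects pods labelled `app.kubernetes.io/name: authentik` and `app.kubernetes.io/component: ldap`, but no workload in this commit carries those labels, so the TLSRoute in ldap-tlsroute.yaml has no endpoints until something else — presumably an outpost deployment created by authentik or by the terraform-authentik pipeline — appears in the namespace. A comment above `selector`, e.g. `# Matches the authentik LDAP outpost pods, which are deployed by authentik itself, not by this kustomization`, records that dependency and the label contract the outpost must satisfy.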
@@ -0,0 +1,58 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis + namespace: authentik +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: redis + template: + metadata: + labels: + app: redis + spec: + containers: + - name: redis + image: redis:7-alpine + imagePullPolicy: IfNotPresent + args: + - --save + - "20" + - "1" + ports: + - containerPort: 6379 + name: redis + protocol: TCP + livenessProbe: + exec: + command: + - redis-cli + - ping + initialDelaySeconds: 5 + periodSeconds: 10 + readinessProbe: + exec: + command: + - redis-cli + - ping + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 50m + memory: 128Mi + volumeMounts: + - mountPath: /data + name: redis-data + volumes: + - name: redis-data + persistentVolumeClaim: + claimName: redis-data diff --git a/apps/base/authentik/redis-pvc.yaml b/apps/base/authentik/redis-pvc.yaml new file mode 100644 index 0000000..80af100 --- /dev/null +++ b/apps/base/authentik/redis-pvc.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: redis-data + namespace: authentik +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + storageClassName: cephrbd-fast-delete diff --git a/apps/base/authentik/redis-service.yaml b/apps/base/authentik/redis-service.yaml new file mode 100644 index 0000000..4486cc0 --- /dev/null +++ b/apps/base/authentik/redis-service.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: redis + namespace: authentik +spec: + internalTrafficPolicy: Cluster + ports: + - name: redis + port: 6379 + protocol: TCP + targetPort: redis + selector: + app: redis + sessionAffinity: None + type: ClusterIP diff --git a/apps/base/authentik/vaultauth.yaml b/apps/base/authentik/vaultauth.yaml new file mode 100644 index 0000000..9617dae --- /dev/null +++ b/apps/base/authentik/vaultauth.yaml 
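Review bot: This Redis runs without authentication (no `--requirepass`, and values.yaml sets no `AUTHENTIK_REDIS__PASSWORD`) on a ClusterIP Service, and the commit adds no NetworkPolicy for the namespace, so any pod that can reach `redis.authentik.svc` can read or alter authentik's sessions and cache. A NetworkPolicy restricting ingress on 6379 to the authentik server and worker pods is the minimum; a password sourced from `authentik-credentials` and passed as `AUTHENTIK_REDIS__PASSWORD` would cover the case where policy enforcement is absent. The pod also has no `securityContext`, so the container runs with the image defaults; the block below hardens it without touching the probes, args or storage (the official image's `redis` user is uid 999).

```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        fsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: redis
          # … unchanged: image, args, ports, probes, resources, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
      # … unchanged: volumes …
```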
@@ -0,0 +1,18 @@ +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultAuth +metadata: + name: default + namespace: authentik +spec: + allowedNamespaces: + - authentik + kubernetes: + audiences: + - vault + role: default + serviceAccount: default + tokenExpirationSeconds: 600 + method: kubernetes + mount: k8s/au/syd1 + vaultConnectionRef: vso-system/default diff --git a/apps/base/authentik/vaultstaticsecret.yaml b/apps/base/authentik/vaultstaticsecret.yaml new file mode 100644 index 0000000..db10835 --- /dev/null +++ b/apps/base/authentik/vaultstaticsecret.yaml @@ -0,0 +1,51 @@ +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: postgres-credentials + namespace: authentik +spec: + destination: + create: true + name: postgres-credentials + overwrite: true + hmacSecretData: true + mount: kv + path: kubernetes/namespace/authentik/default/postgres-credentials + refreshAfter: 5m + type: kv-v2 + vaultAuthRef: default +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: authentik-credentials + namespace: authentik +spec: + destination: + create: true + name: authentik-credentials + overwrite: true + hmacSecretData: true + mount: kv + path: kubernetes/namespace/authentik/default/authentik-credentials + refreshAfter: 5m + type: kv-v2 + vaultAuthRef: default +--- +apiVersion: secrets.hashicorp.com/v1beta1 +kind: VaultStaticSecret +metadata: + name: s3-credentials + namespace: authentik +spec: + destination: + create: true + name: s3-credentials + overwrite: true + hmacSecretData: true + mount: kv + path: kubernetes/namespace/authentik/default/s3-credentials + refreshAfter: 5m + type: kv-v2 + vaultAuthRef: default diff --git a/apps/base/woodpecker/kustomization.yaml b/apps/base/woodpecker/kustomization.yaml index 561d86d..be4c460 100644 --- a/apps/base/woodpecker/kustomization.yaml +++ b/apps/base/woodpecker/kustomization.yaml 
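Review bot: The VaultAuth authenticates with `serviceAccount: default` of the `authentik` namespace, which is also the ServiceAccount every pod in the namespace gets unless it opts out; any such pod that mounts its token can then log in to Vault as role `default` and read everything the three VaultStaticSecrets read, unless the Vault role pins the token `audience` to `vault` as the `audiences` list here requests — which cannot be confirmed from this commit. A dedicated ServiceAccount used by nothing but the operator (`serviceAccount: vault-auth`, created in this kustomization with `automountServiceAccountToken: false`) removes that dependency on the Vault-side configuration and matches the per-purpose ServiceAccounts the woodpecker namespace already uses.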
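Review bot: `postgres-credentials` is consumed twice: by `bootstrap.initdb.secret` in cnpg_cluster.yaml and by the `username`/`password` keys read in values.yaml, so the Vault entry at `kubernetes/namespace/authentik/default/postgres-credentials` must carry exactly those two keys, and CNPG may additionally expect the Secret to be of type `kubernetes.io/basic-auth` — worth confirming against the operator's documentation, since VSO's `destination.type` can set it if so. A comment above the first document, such as `# Must contain keys username and password; consumed by the CNPG bootstrap and by the authentik env block`, pins that contract where the three otherwise identical resources are defined.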
@@ -7,6 +7,7 @@ resources: - cnpg_cluster.yaml - cnpg_pooler.yaml - serviceaccount_terraform_artifactapi.yaml + - serviceaccount_terraform_authentik.yaml - serviceaccount_terraform_git.yaml - serviceaccount_terraform_vault.yaml - vaultauth.yaml diff --git a/apps/base/woodpecker/serviceaccount_terraform_authentik.yaml b/apps/base/woodpecker/serviceaccount_terraform_authentik.yaml new file mode 100644 index 0000000..4decf81 --- /dev/null +++ b/apps/base/woodpecker/serviceaccount_terraform_authentik.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: terraform-authentik + namespace: woodpecker diff --git a/apps/overlays/au-syd1/authentik/kustomization.yaml b/apps/overlays/au-syd1/authentik/kustomization.yaml new file mode 100644 index 0000000..d8fc841 --- /dev/null +++ b/apps/overlays/au-syd1/authentik/kustomization.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../../../base/authentik + +helmCharts: + - name: authentik + repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm + version: "2026.5.3" + releaseName: authentik + namespace: authentik + valuesFile: values.yaml diff --git a/apps/overlays/au-syd1/authentik/values.yaml b/apps/overlays/au-syd1/authentik/values.yaml new file mode 100644 index 0000000..cd4d5c2 --- /dev/null +++ b/apps/overlays/au-syd1/authentik/values.yaml 
@@ -0,0 +1,105 @@ +global: + env: + # PostgreSQL primary (via pooler) + - name: AUTHENTIK_POSTGRESQL__HOST + value: postgres-pooler-rw + - name: AUTHENTIK_POSTGRESQL__PORT + value: "5432" + - name: AUTHENTIK_POSTGRESQL__NAME + value: authentik + - name: AUTHENTIK_POSTGRESQL__USER + valueFrom: + secretKeyRef: + name: postgres-credentials + key: username + - name: AUTHENTIK_POSTGRESQL__PASSWORD + valueFrom: + secretKeyRef: + name: postgres-credentials + key: password + # PostgreSQL read replica (via pooler) + - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__HOST + value: postgres-pooler-ro + - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PORT + value: "5432" + - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__NAME + value: authentik + - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__USER + valueFrom: + secretKeyRef: + name: postgres-credentials + key: username + - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PASSWORD + valueFrom: + secretKeyRef: + name: postgres-credentials + key: password + # PostgreSQL pooler settings + - name: AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS + value: "true" + - name: AUTHENTIK_POSTGRESQL__CONN_MAX_AGE + value: "0" + - name: AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECKS + value: "true" + # Redis + - name: AUTHENTIK_REDIS__HOST + value: redis + - name: AUTHENTIK_REDIS__PORT + value: "6379" + # S3 storage + - name: AUTHENTIK_STORAGE__BACKEND + value: s3 + - name: AUTHENTIK_STORAGE__S3__ENDPOINT + value: https://radosgw.service.consul/ + - name: AUTHENTIK_STORAGE__S3__BUCKET_NAME + value: authentik + - name: AUTHENTIK_STORAGE__S3__ADDRESSING_STYLE + value: path + - name: AUTHENTIK_STORAGE__S3__ACCESS_KEY + valueFrom: + secretKeyRef: + name: s3-credentials + key: AUTHENTIK_STORAGE__S3__ACCESS_KEY + - name: AUTHENTIK_STORAGE__S3__SECRET_KEY + valueFrom: + secretKeyRef: + name: s3-credentials + key: AUTHENTIK_STORAGE__S3__SECRET_KEY + # Secret key + - name: AUTHENTIK_SECRET_KEY + valueFrom: + secretKeyRef: + name: authentik-credentials + key: 
AUTHENTIK_SECRET_KEY + +server: + replicas: 3 + annotations: + reloader.stakater.com/auto: "true" + ingress: + enabled: false + resources: + limits: + cpu: "2" + memory: 2Gi + requests: + cpu: 250m + memory: 512Mi + +worker: + replicas: 2 + annotations: + reloader.stakater.com/auto: "true" + resources: + limits: + cpu: "2" + memory: 2Gi + requests: + cpu: 250m + memory: 512Mi + +postgresql: + enabled: false + +redis: + enabled: false diff --git a/argocd/applicationsets/platform.yaml b/argocd/applicationsets/platform.yaml index 3d35ef2..1a3bb85 100644 --- a/argocd/applicationsets/platform.yaml +++ b/argocd/applicationsets/platform.yaml @@ -10,6 +10,7 @@ spec: repoURL: https://git.unkin.net/unkin/argocd-apps revision: HEAD directories: + - path: apps/overlays/*/authentik - path: apps/overlays/*/artifactapi - path: apps/overlays/*/age-api - path: apps/overlays/*/cattle-system diff --git a/argocd/projects/platform.yaml b/argocd/projects/platform.yaml index 5409868..72512ea 100644 --- a/argocd/projects/platform.yaml +++ b/argocd/projects/platform.yaml @@ -18,6 +18,7 @@ spec: - namespace: 'artifactapi' server: https://kubernetes.default.svc - namespace: 'age-api' + - namespace: 'authentik' server: https://kubernetes.default.svc - namespace: 'cert-manager' server: https://kubernetes.default.svc
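Review bot: Nothing in the env block sets `AUTHENTIK_POSTGRESQL__SSLMODE` or `AUTHENTIK_POSTGRESQL__SSLROOTCERT`, so whether the hop from authentik to `postgres-pooler-rw`/`postgres-pooler-ro` is TLS-verified depends on authentik's and the chart's defaults rather than on this file; pinning the mode explicitly, with the CNPG cluster CA (the `postgres-ca` Secret the operator generates for a cluster named `postgres`) as the root certificate, makes the credential path auditable. The deployment also leaves authentik's outbound update check and startup analytics at their defaults; for an IdP in an internal network, `AUTHENTIK_DISABLE_UPDATE_CHECK` and `AUTHENTIK_DISABLE_STARTUP_ANALYTICS` set to `"true"` keep its egress limited to the services configured here. The `# PostgreSQL pooler settings` comment could note that `DISABLE_SERVER_SIDE_CURSORS` is only strictly required for transaction pooling while the poolers run `poolMode: session`, so a later switch of pool mode does not silently change the requirement.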