Add Authentik identity provider deployment
- Helm chart authentik 2026.5.3 with 3 server replicas, 2 worker replicas - CNPG PostgreSQL cluster (3 instances) with rw and ro poolers (2 instances each) - Redis with 5Gi persistent storage - Gateway API: identity.unkin.net and identity.k8s.syd1.au.unkin.net (HTTPS) - LDAPS via TLSRoute on ldap.k8s.syd1.au.unkin.net and ldap.main.unkin.net - Multi-SAN TLS via cert-manager gateway integration - S3 storage via RadosGW (bucket: authentik) - Vault secrets: postgres-credentials, authentik-credentials, s3-credentials - Woodpecker ServiceAccount for terraform-authentik CI - Platform applicationset and project updated
@@ -0,0 +1,14 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- ../../../base/authentik
|
||||
|
||||
helmCharts:
|
||||
- name: authentik
|
||||
repo: https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
|
||||
version: "2026.5.3"
|
||||
releaseName: authentik
|
||||
namespace: authentik
|
||||
valuesFile: values.yaml
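Review bot: The chart is fetched at render time from the Artifactory virtual Helm repo by version string alone, and kustomize `helmCharts` performs no digest or signature check, so the proxy at `artifactapi.k8s.syd1.au.unkin.net` becomes the supply-chain trust boundary for the identity provider itself. Pinning `version: "2026.5.3"` as a quoted string is correct, but there is nothing here tying that version to a specific chart artifact; consider recording the upstream source and verification step in a comment, e.g. `# upstream: https://charts.goauthentik.io (mirrored via artifactapi); verify chart provenance in CI before bumping`, and mirroring into a hosted (non-virtual) repo if the proxy can transparently resolve to upstream. Note also that Argo CD only honours `helmCharts` when kustomize is run with `--enable-helm`, which is presumably set in the platform applicationset mentioned in the commit message but is not visible in this hunk.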
|
||||
@@ -0,0 +1,105 @@
|
||||
global:
|
||||
env:
|
||||
# PostgreSQL primary (via pooler)
|
||||
- name: AUTHENTIK_POSTGRESQL__HOST
|
||||
value: postgres-pooler-rw
|
||||
- name: AUTHENTIK_POSTGRESQL__PORT
|
||||
value: "5432"
|
||||
- name: AUTHENTIK_POSTGRESQL__NAME
|
||||
value: authentik
|
||||
- name: AUTHENTIK_POSTGRESQL__USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: postgres-credentials
|
||||
key: username
|
||||
- name: AUTHENTIK_POSTGRESQL__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: postgres-credentials
|
||||
key: password
|
||||
# PostgreSQL read replica (via pooler)
|
||||
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__HOST
|
||||
value: postgres-pooler-ro
|
||||
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PORT
|
||||
value: "5432"
|
||||
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__NAME
|
||||
value: authentik
|
||||
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__USER
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: postgres-credentials
|
||||
key: username
|
||||
- name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: postgres-credentials
|
||||
key: password
|
||||
# PostgreSQL pooler settings
|
||||
- name: AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS
|
||||
value: "true"
|
||||
- name: AUTHENTIK_POSTGRESQL__CONN_MAX_AGE
|
||||
value: "0"
|
||||
- name: AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECKS
|
||||
value: "true"
|
||||
# Redis
|
||||
- name: AUTHENTIK_REDIS__HOST
|
||||
value: redis
|
||||
- name: AUTHENTIK_REDIS__PORT
|
||||
value: "6379"
|
||||
# S3 storage
|
||||
- name: AUTHENTIK_STORAGE__BACKEND
|
||||
value: s3
|
||||
- name: AUTHENTIK_STORAGE__S3__ENDPOINT
|
||||
value: https://radosgw.service.consul/
|
||||
- name: AUTHENTIK_STORAGE__S3__BUCKET_NAME
|
||||
value: authentik
|
||||
- name: AUTHENTIK_STORAGE__S3__ADDRESSING_STYLE
|
||||
value: path
|
||||
- name: AUTHENTIK_STORAGE__S3__ACCESS_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: s3-credentials
|
||||
key: AUTHENTIK_STORAGE__S3__ACCESS_KEY
|
||||
- name: AUTHENTIK_STORAGE__S3__SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: s3-credentials
|
||||
key: AUTHENTIK_STORAGE__S3__SECRET_KEY
|
||||
# Secret key
|
||||
- name: AUTHENTIK_SECRET_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: authentik-credentials
|
||||
key: AUTHENTIK_SECRET_KEY
|
||||
|
||||
server:
|
||||
replicas: 3
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
ingress:
|
||||
enabled: false
|
||||
resources:
|
||||
limits:
|
||||
cpu: "2"
|
||||
memory: 2Gi
|
||||
requests:
|
||||
cpu: 250m
|
||||
memory: 512Mi
|
||||
|
||||
worker:
|
||||
replicas: 2
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
resources:
|
||||
limits:
|
||||
cpu: "2"
|
||||
memory: 2Gi
|
||||
requests:
|
||||
cpu: 250m
|
||||
memory: 512Mi
|
||||
|
||||
postgresql:
|
||||
enabled: false
|
||||
|
||||
redis:
|
||||
enabled: false
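Review bot: The Redis connection under `# Redis` is configured with only a host and port — no `AUTHENTIK_REDIS__PASSWORD` and no `AUTHENTIK_REDIS__TLS` — so unless the Redis deployment in `base/authentik` (outside this hunk) enforces auth and TLS on its own, any workload that can reach `redis:6379` in this namespace can read and write authentik's cache and queue traffic in clear text. Every other backend in this file takes its credentials from a Secret, so Redis is the odd one out; adding a password key (following the existing convention of mirroring the env var name as the Secret key) and enabling TLS where the Redis image supports it closes that gap, or at minimum a NetworkPolicy should restrict `redis` to the authentik server/worker pods. Relatedly, the PostgreSQL block sets no `AUTHENTIK_POSTGRESQL__SSLMODE` or `AUTHENTIK_POSTGRESQL__SSLROOTCERT`; CNPG poolers can serve TLS with the cluster CA, so it is worth pinning the mode explicitly (e.g. `value: verify-full` with the CNPG CA mounted) rather than relying on whatever the chart's default resolves to against PgBouncer.

```yaml
      # Redis
      - name: AUTHENTIK_REDIS__HOST
        value: redis
      # … unchanged: AUTHENTIK_REDIS__PORT …
      - name: AUTHENTIK_REDIS__PASSWORD
        valueFrom:
          secretKeyRef:
            # new key to be added to the Vault-synced secret alongside AUTHENTIK_SECRET_KEY
            name: authentik-credentials
            key: AUTHENTIK_REDIS__PASSWORD
      - name: AUTHENTIK_REDIS__TLS
        value: "true"  # requires the Redis in base/authentik to be serving TLS; otherwise drop this line and rely on NetworkPolicy
```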
|
||||