Compare commits

..

1 Commits

Author SHA1 Message Date
unkinben 85172b92cb Add Authentik identity provider deployment
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
- Helm chart authentik 2026.5.3 with 3 server replicas, 2 worker replicas
- CNPG PostgreSQL cluster (3 instances) with rw and ro poolers (2 instances each)
- Redis with 5Gi persistent storage
- Gateway API: identity.unkin.net and identity.k8s.syd1.au.unkin.net (HTTPS)
- LDAPS via TLSRoute on ldap.k8s.syd1.au.unkin.net and ldap.main.unkin.net
- Multi-SAN TLS via cert-manager gateway integration
- S3 storage via RadosGW (bucket: authentik)
- Vault secrets: postgres-credentials, authentik-credentials, s3-credentials
- Woodpecker ServiceAccount for terraform-authentik CI
- Platform applicationset and project updated
2026-06-28 17:26:23 +10:00
7 changed files with 3 additions and 43 deletions
+1 -20
View File
@@ -35,7 +35,7 @@ spec:
mountPath: /combined-certs mountPath: /combined-certs
containers: containers:
- name: api - name: api
image: git.unkin.net/unkin/artifactapi:v3.7.3 image: git.unkin.net/unkin/artifactapi:v3.6.5
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
ports: ports:
- containerPort: 8000 - containerPort: 8000
@@ -48,25 +48,10 @@ spec:
- secretRef: - secretRef:
name: environment name: environment
optional: false optional: false
env:
# Terraform provider registry signing. The secret is mounted
# optional, so the pod runs before it exists; artifactapi keeps the
# registry disabled until a readable key is present.
- name: TF_SIGNING_KEY_PATH
value: /etc/artifactapi/tf-signing/private-key.asc
- name: TF_SIGNING_KEY_PASSPHRASE
valueFrom:
secretKeyRef:
name: artifactapi-tf-signing
key: passphrase
optional: true
volumeMounts: volumeMounts:
- name: combined-certs - name: combined-certs
mountPath: /etc/ssl/combined mountPath: /etc/ssl/combined
readOnly: true readOnly: true
- name: tf-signing-key
mountPath: /etc/artifactapi/tf-signing
readOnly: true
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
httpGet: httpGet:
@@ -103,8 +88,4 @@ spec:
path: ca.crt path: ca.crt
- name: combined-certs - name: combined-certs
emptyDir: {} emptyDir: {}
- name: tf-signing-key
secret:
secretName: artifactapi-tf-signing
optional: true
restartPolicy: Always restartPolicy: Always
+1 -1
View File
@@ -22,7 +22,7 @@ spec:
automountServiceAccountToken: true automountServiceAccountToken: true
containers: containers:
- name: ui - name: ui
image: git.unkin.net/unkin/artifactapi-ui:v3.7.3 image: git.unkin.net/unkin/artifactapi-ui:v3.6.5
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
ports: ports:
- containerPort: 80 - containerPort: 80
+1 -1
View File
@@ -1,5 +1,5 @@
--- ---
apiVersion: gateway.networking.k8s.io/v1 apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute kind: TLSRoute
metadata: metadata:
name: authentik-ldaps name: authentik-ldaps
-3
View File
@@ -9,9 +9,6 @@ resources:
- serviceaccount_terraform_artifactapi.yaml - serviceaccount_terraform_artifactapi.yaml
- serviceaccount_terraform_authentik.yaml - serviceaccount_terraform_authentik.yaml
- serviceaccount_terraform_git.yaml - serviceaccount_terraform_git.yaml
- serviceaccount_terraform_prowlarr.yaml
- serviceaccount_terraform_radarr.yaml
- serviceaccount_terraform_sonarr.yaml
- serviceaccount_terraform_vault.yaml - serviceaccount_terraform_vault.yaml
- vaultauth.yaml - vaultauth.yaml
- vaultstaticsecret.yaml - vaultstaticsecret.yaml
@@ -1,6 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-prowlarr
namespace: woodpecker
@@ -1,6 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-radarr
namespace: woodpecker
@@ -1,6 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-sonarr
namespace: woodpecker