Compare commits

..

1 Commits

Author SHA1 Message Date
unkinben 85172b92cb Add Authentik identity provider deployment
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
- Helm chart authentik 2026.5.3 with 3 server replicas, 2 worker replicas
- CNPG PostgreSQL cluster (3 instances) with rw and ro poolers (2 instances each)
- Redis with 5Gi persistent storage
- Gateway API: identity.unkin.net and identity.k8s.syd1.au.unkin.net (HTTPS)
- LDAPS via TLSRoute on ldap.k8s.syd1.au.unkin.net and ldap.main.unkin.net
- Multi-SAN TLS via cert-manager gateway integration
- S3 storage via RadosGW (bucket: authentik)
- Vault secrets: postgres-credentials, authentik-credentials, s3-credentials
- Woodpecker ServiceAccount for terraform-authentik CI
- Platform applicationset and project updated
2026-06-28 17:26:23 +10:00
7 changed files with 3 additions and 43 deletions
+1 -20
View File
@@ -35,7 +35,7 @@ spec:
mountPath: /combined-certs
containers:
- name: api
image: git.unkin.net/unkin/artifactapi:v3.7.3
image: git.unkin.net/unkin/artifactapi:v3.6.5
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8000
@@ -48,25 +48,10 @@ spec:
- secretRef:
name: environment
optional: false
env:
# Terraform provider registry signing. The secret is mounted
# optional, so the pod runs before it exists; artifactapi keeps the
# registry disabled until a readable key is present.
- name: TF_SIGNING_KEY_PATH
value: /etc/artifactapi/tf-signing/private-key.asc
- name: TF_SIGNING_KEY_PASSPHRASE
valueFrom:
secretKeyRef:
name: artifactapi-tf-signing
key: passphrase
optional: true
volumeMounts:
- name: combined-certs
mountPath: /etc/ssl/combined
readOnly: true
- name: tf-signing-key
mountPath: /etc/artifactapi/tf-signing
readOnly: true
livenessProbe:
failureThreshold: 3
httpGet:
@@ -103,8 +88,4 @@ spec:
path: ca.crt
- name: combined-certs
emptyDir: {}
- name: tf-signing-key
secret:
secretName: artifactapi-tf-signing
optional: true
restartPolicy: Always
+1 -1
View File
@@ -22,7 +22,7 @@ spec:
automountServiceAccountToken: true
containers:
- name: ui
image: git.unkin.net/unkin/artifactapi-ui:v3.7.3
image: git.unkin.net/unkin/artifactapi-ui:v3.6.5
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
+1 -1
View File
@@ -1,5 +1,5 @@
---
apiVersion: gateway.networking.k8s.io/v1
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
name: authentik-ldaps
-3
View File
@@ -9,9 +9,6 @@ resources:
- serviceaccount_terraform_artifactapi.yaml
- serviceaccount_terraform_authentik.yaml
- serviceaccount_terraform_git.yaml
- serviceaccount_terraform_prowlarr.yaml
- serviceaccount_terraform_radarr.yaml
- serviceaccount_terraform_sonarr.yaml
- serviceaccount_terraform_vault.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
@@ -1,6 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-prowlarr
namespace: woodpecker
@@ -1,6 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-radarr
namespace: woodpecker
@@ -1,6 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: terraform-sonarr
namespace: woodpecker