Add Authentik identity provider deployment #211

Merged
benvin merged 1 commits from benvin/add-authentik into main 2026-06-28 17:42:50 +10:00

Summary

  • Deploy Authentik (identity.unkin.net) via Helm chart 2026.5.3
  • CNPG PostgreSQL cluster (3 instances) with separate rw/ro poolers (2 instances each)
  • Redis with 5Gi persistent storage
  • Gateway API for HTTPS (identity.unkin.net) and LDAPS (ldap.k8s.syd1.au.unkin.net, ldap.main.unkin.net)
  • TLSRoute for LDAPS passthrough, HTTPRoute for external-dns record creation
  • Vault secrets for postgres credentials, authentik secret key, and S3 storage credentials
  • S3 storage via RadosGW (bucket: authentik)
  • 3 server replicas, 2 worker replicas
  • Woodpecker ServiceAccount for terraform-authentik CI
  • Platform applicationset and project updated

Dependencies

  • terraform-git #15 (merged) — repo definition
  • terraform-vault #78 (merged) — auth roles and Consul ACL

Vault secrets needed before deploy

Write to kv/kubernetes/namespace/authentik/default/:

  • postgres-credentials: username + password
  • authentik-credentials: AUTHENTIK_SECRET_KEY
  • s3-credentials: S3 access key + secret key
unkinben force-pushed benvin/add-authentik from 71bd6ef6da to 0342456a3e 2026-06-28 12:41:07 +10:00 Compare
unkinben force-pushed benvin/add-authentik from 0342456a3e to 1c8f061b31 2026-06-28 15:14:51 +10:00 Compare
unkinben force-pushed benvin/add-authentik from 1c8f061b31 to 87d428eb5d 2026-06-28 15:15:30 +10:00 Compare
unkinben added 1 commit 2026-06-28 17:26:26 +10:00
Add Authentik identity provider deployment
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
85172b92cb
- Helm chart authentik 2026.5.3 with 3 server replicas, 2 worker replicas
- CNPG PostgreSQL cluster (3 instances) with rw and ro poolers (2 instances each)
- Redis with 5Gi persistent storage
- Gateway API: identity.unkin.net and identity.k8s.syd1.au.unkin.net (HTTPS)
- LDAPS via TLSRoute on ldap.k8s.syd1.au.unkin.net and ldap.main.unkin.net
- Multi-SAN TLS via cert-manager gateway integration
- S3 storage via RadosGW (bucket: authentik)
- Vault secrets: postgres-credentials, authentik-credentials, s3-credentials
- Woodpecker ServiceAccount for terraform-authentik CI
- Platform applicationset and project updated
unkinben force-pushed benvin/add-authentik from 87d428eb5d to 85172b92cb 2026-06-28 17:26:26 +10:00 Compare
benvin merged commit 7f1444fb38 into main 2026-06-28 17:42:50 +10:00
benvin deleted branch benvin/add-authentik 2026-06-28 17:42:50 +10:00

Reference: unkin/argocd-apps#211