7f1444fb38
## Summary - Deploy Authentik (identity.unkin.net) via Helm chart 2026.5.3 - CNPG PostgreSQL cluster (3 instances) with separate rw/ro poolers (2 instances each) - Redis with 5Gi persistent storage - Gateway API for HTTPS (identity.unkin.net) and LDAPS (ldap.k8s.syd1.au.unkin.net, ldap.main.unkin.net) - TLSRoute for LDAPS passthrough, HTTPRoute for external-dns record creation - Vault secrets for postgres credentials, authentik secret key, and S3 storage credentials - S3 storage via RadosGW (bucket: authentik) - 3 server replicas, 2 worker replicas - Woodpecker ServiceAccount for terraform-authentik CI - Platform applicationset and project updated ## Dependencies - terraform-git #15 (merged) — repo definition - terraform-vault #78 (merged) — auth roles and Consul ACL ## Vault secrets needed before deploy Write to `kv/kubernetes/namespace/authentik/default/`: - `postgres-credentials`: username + password - `authentik-credentials`: AUTHENTIK_SECRET_KEY - `s3-credentials`: S3 access key + secret key Reviewed-on: #211 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
19 lines
358 B
YAML
19 lines
358 B
YAML
---
|
|
apiVersion: secrets.hashicorp.com/v1beta1
|
|
kind: VaultAuth
|
|
metadata:
|
|
name: default
|
|
namespace: authentik
|
|
spec:
|
|
allowedNamespaces:
|
|
- authentik
|
|
kubernetes:
|
|
audiences:
|
|
- vault
|
|
role: default
|
|
serviceAccount: default
|
|
tokenExpirationSeconds: 600
|
|
method: kubernetes
|
|
mount: k8s/au/syd1
|
|
vaultConnectionRef: vso-system/default
|