7f1444fb38
## Summary - Deploy Authentik (identity.unkin.net) via Helm chart 2026.5.3 - CNPG PostgreSQL cluster (3 instances) with separate rw/ro poolers (2 instances each) - Redis with 5Gi persistent storage - Gateway API for HTTPS (identity.unkin.net) and LDAPS (ldap.k8s.syd1.au.unkin.net, ldap.main.unkin.net) - TLSRoute for LDAPS passthrough, HTTPRoute for external-dns record creation - Vault secrets for postgres credentials, authentik secret key, and S3 storage credentials - S3 storage via RadosGW (bucket: authentik) - 3 server replicas, 2 worker replicas - Woodpecker ServiceAccount for terraform-authentik CI - Platform applicationset and project updated ## Dependencies - terraform-git #15 (merged) — repo definition - terraform-vault #78 (merged) — auth roles and Consul ACL ## Vault secrets needed before deploy Write to `kv/kubernetes/namespace/authentik/default/`: - `postgres-credentials`: username + password - `authentik-credentials`: AUTHENTIK_SECRET_KEY - `s3-credentials`: S3 access key + secret key Reviewed-on: #211 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
---
# CloudNativePG Cluster that backs Authentik: a 3-instance PostgreSQL 18.1
# cluster in the `authentik` namespace. Keys are in alphabetical order
# (API-export style); the comments call out the settings that matter for
# durability, exposure and review.
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: postgres
  namespace: authentik
spec:
  affinity:
    # Soft anti-affinity: the scheduler tries to spread the 3 instances
    # across nodes but may still co-locate them when it cannot. Use
    # `required` if one node failure must never take out a majority.
    podAntiAffinityType: preferred
  bootstrap:
    initdb:
      database: authentik
      encoding: UTF8
      localeCType: C
      localeCollate: C
      owner: authentik
      # Credentials for the `authentik` owner role. Per the commit message
      # this Secret is written from Vault; keep the values out of this file.
      secret:
        name: postgres-credentials
  enablePDB: true
  # The operator does not provision superuser credentials; application
  # clients only ever hold the `authentik` owner credentials above.
  enableSuperuserAccess: false
  # No extra wait before promoting a replica once the primary is detected
  # as failed.
  failoverDelay: 0
  # Mutable tag. For a reproducible, reviewable rollout also pin the
  # digest, e.g. `...:18.1-system-trixie@sha256:<digest-placeholder>`.
  imageName: ghcr.io/cloudnative-pg/postgresql:18.1-system-trixie
  instances: 3
  logLevel: info
  # Both 0: replication is fully asynchronous. A failover can lose
  # transactions committed on the old primary that had not yet streamed
  # to the promoted replica; confirm that is acceptable for identity data.
  maxSyncReplicas: 0
  minSyncReplicas: 0
  monitoring:
    customQueriesConfigMap:
      - key: queries
        name: cnpg-default-monitoring
    disableDefaultQueries: false
    # No PodMonitor is created here, so the metrics endpoint is not
    # scraped unless a monitor is defined elsewhere — TODO confirm.
    enablePodMonitor: false
  postgresql:
    parameters:
      # WAL archiving is on, but this manifest has no `spec.backup`
      # section; confirm the WAL/backup destination is configured
      # elsewhere, otherwise there is no point-in-time recovery for the
      # identity database.
      archive_mode: "on"
      archive_timeout: 5min
      dynamic_shared_memory_type: posix
      effective_cache_size: 256MB
      full_page_writes: "on"
      # Logging parameters: these look like the operator-managed defaults
      # that route logs through the instance manager (`/controller/log`).
      log_destination: csvlog
      log_directory: /controller/log
      log_filename: postgres
      log_rotation_age: "0"
      log_rotation_size: "0"
      log_truncate_on_rotation: "false"
      logging_collector: "on"
      # 200 backends against a 512Mi limit and 128MB shared_buffers is
      # tight; the rw/ro poolers named in the commit message should keep
      # the real backend count well below this — confirm pool sizes.
      max_connections: "200"
      max_parallel_workers: "16"
      max_replication_slots: "16"
      max_worker_processes: "16"
      shared_buffers: 128MB
      shared_memory_type: mmap
      # TLS connections are limited to TLS 1.3 (min == max).
      ssl_max_protocol_version: TLSv1.3
      ssl_min_protocol_version: TLSv1.3
      wal_keep_size: 256MB
      # `logical` enables logical decoding on top of physical replication.
      # If nothing consumes logical slots, `replica` suffices — confirm.
      wal_level: logical
      wal_log_hints: "on"
      # Short timeouts so a hung replication link is noticed quickly.
      wal_receiver_timeout: 5s
      wal_sender_timeout: 5s
    syncReplicaElectionConstraint:
      enabled: false
  # The operator restarts the primary itself during rolling updates; there
  # is no manual approval step.
  primaryUpdateMethod: restart
  primaryUpdateStrategy: unsupervised
  probes:
    liveness:
      # Presumably fails liveness when the instance is cut off from the
      # API server/operator (timeouts look like milliseconds) — confirm
      # against the CNPG docs for the deployed operator version.
      isolationCheck:
        connectionTimeout: 1000
        enabled: true
        requestTimeout: 1000
  replicationSlots:
    # One physical slot per replica (prefix `_cnpg_`) so the primary keeps
    # the WAL a lagging replica still needs.
    highAvailability:
      enabled: true
      slotPrefix: _cnpg_
    synchronizeReplicas:
      enabled: true
    updateInterval: 30
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 250m
      memory: 256Mi
  # Shutdown/startup grace periods, in seconds.
  smartShutdownTimeout: 180
  startDelay: 3600
  stopDelay: 1800
  storage:
    resizeInUseVolumes: true
    size: 20Gi
    # The class name suggests a Delete reclaim policy — confirm. If so,
    # deleting this Cluster drops the identity database's volumes, which
    # makes an off-cluster backup (see `archive_mode` above) essential.
    storageClass: cephrbd-fast-delete
  switchoverDelay: 3600