7f1444fb38
## Summary - Deploy Authentik (identity.unkin.net) via Helm chart 2026.5.3 - CNPG PostgreSQL cluster (3 instances) with separate rw/ro poolers (2 instances each) - Redis with 5Gi persistent storage - Gateway API for HTTPS (identity.unkin.net) and LDAPS (ldap.k8s.syd1.au.unkin.net, ldap.main.unkin.net) - TLSRoute for LDAPS passthrough, HTTPRoute for external-dns record creation - Vault secrets for postgres credentials, authentik secret key, and S3 storage credentials - S3 storage via RadosGW (bucket: authentik) - 3 server replicas, 2 worker replicas - Woodpecker ServiceAccount for terraform-authentik CI - Platform applicationset and project updated ## Dependencies - terraform-git #15 (merged) — repo definition - terraform-vault #78 (merged) — auth roles and Consul ACL ## Vault secrets needed before deploy Write to `kv/kubernetes/namespace/authentik/default/`: - `postgres-credentials`: username + password - `authentik-credentials`: AUTHENTIK_SECRET_KEY - `s3-credentials`: S3 access key + secret key Reviewed-on: #211 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
# Environment shared by the authentik server and worker pods. Every credential
# is injected from a Kubernetes Secret via secretKeyRef (the Secrets are
# populated from Vault per the commit message); nothing sensitive is inlined
# in this values file.
global:
  env:
    # PostgreSQL primary, reached through the read-write pooler service
    # (postgres-pooler-rw); the chart's bundled postgresql is disabled below.
    - name: AUTHENTIK_POSTGRESQL__HOST
      value: postgres-pooler-rw
    - name: AUTHENTIK_POSTGRESQL__PORT
      value: "5432"
    - name: AUTHENTIK_POSTGRESQL__NAME
      value: authentik
    # Secret `postgres-credentials` must expose the keys `username` and
    # `password`; the same Secret is reused for the read replica below.
    - name: AUTHENTIK_POSTGRESQL__USER
      valueFrom:
        secretKeyRef:
          name: postgres-credentials
          key: username
    - name: AUTHENTIK_POSTGRESQL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: postgres-credentials
          key: password
    # NOTE(review): no AUTHENTIK_POSTGRESQL__SSLMODE is set, so the link to the
    # pooler runs with whatever authentik/the chart defaults to — confirm that
    # default agrees with the pooler's TLS setup before relying on it.
    # PostgreSQL read replica, reached through the read-only pooler service
    # (postgres-pooler-ro); same database name and credentials as the primary.
    - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__HOST
      value: postgres-pooler-ro
    - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PORT
      value: "5432"
    - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__NAME
      value: authentik
    - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__USER
      valueFrom:
        secretKeyRef:
          name: postgres-credentials
          key: username
    - name: AUTHENTIK_POSTGRESQL__READ_REPLICAS__0__PASSWORD
      valueFrom:
        secretKeyRef:
          name: postgres-credentials
          key: password
    # Connection settings for running behind a pooler: no server-side cursors,
    # no persistent connections across requests (CONN_MAX_AGE 0), and a health
    # check before a connection is reused.
    # NOTE(review): these keys are set for the primary only — confirm whether
    # the read-replica connection (also via a pooler) inherits them or needs
    # its own READ_REPLICAS__0__ variants.
    - name: AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS
      value: "true"
    - name: AUTHENTIK_POSTGRESQL__CONN_MAX_AGE
      value: "0"
    - name: AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECKS
      value: "true"
    # Redis, deployed separately (the chart's bundled redis is disabled below).
    # NOTE(review): no Redis password or TLS is configured here, so access
    # control rests on in-cluster network restrictions — confirm a
    # NetworkPolicy (or equivalent) limits which pods can reach `redis`.
    - name: AUTHENTIK_REDIS__HOST
      value: redis
    - name: AUTHENTIK_REDIS__PORT
      value: "6379"
    # S3-compatible object storage (RadosGW, resolved via Consul DNS) using
    # path-style addressing for the bucket `authentik`.
    # NOTE(review): the endpoint is HTTPS — confirm the pods trust the CA that
    # issued the radosgw.service.consul certificate, otherwise uploads fail.
    - name: AUTHENTIK_STORAGE__BACKEND
      value: s3
    - name: AUTHENTIK_STORAGE__S3__ENDPOINT
      value: https://radosgw.service.consul/
    - name: AUTHENTIK_STORAGE__S3__BUCKET_NAME
      value: authentik
    - name: AUTHENTIK_STORAGE__S3__ADDRESSING_STYLE
      value: path
    # Secret `s3-credentials` stores its keys under the same names as the env
    # vars they feed (unlike postgres-credentials, which uses
    # username/password) — keep that in mind when writing the Vault entry.
    - name: AUTHENTIK_STORAGE__S3__ACCESS_KEY
      valueFrom:
        secretKeyRef:
          name: s3-credentials
          key: AUTHENTIK_STORAGE__S3__ACCESS_KEY
    - name: AUTHENTIK_STORAGE__S3__SECRET_KEY
      valueFrom:
        secretKeyRef:
          name: s3-credentials
          key: AUTHENTIK_STORAGE__S3__SECRET_KEY
    # authentik's secret key (used for cookie signing per upstream docs).
    # Rotating it invalidates existing sessions; with the reloader annotation
    # on server/worker, a change to this Secret triggers a rolling restart.
    - name: AUTHENTIK_SECRET_KEY
      valueFrom:
        secretKeyRef:
          name: authentik-credentials
          key: AUTHENTIK_SECRET_KEY
# authentik server (web/API) deployment.
server:
  replicas: 3
  annotations:
    # Stakater Reloader: roll the pods when a referenced Secret/ConfigMap
    # changes, so rotated credentials take effect without a manual restart.
    reloader.stakater.com/auto: "true"
  ingress:
    # The chart's Ingress is off; HTTPS exposure is via Gateway API routes
    # managed outside this file (see the commit message).
    enabled: false
  resources:
    limits:
      cpu: "2"
      memory: 2Gi
    requests:
      cpu: 250m
      memory: 512Mi
# authentik worker (background tasks) deployment; same resource envelope as
# the server, one fewer replica.
worker:
  replicas: 2
  annotations:
    # Stakater Reloader: roll the pods when a referenced Secret/ConfigMap
    # changes, so rotated credentials take effect without a manual restart.
    reloader.stakater.com/auto: "true"
  resources:
    limits:
      cpu: "2"
      memory: 2Gi
    requests:
      cpu: 250m
      memory: 512Mi
# Bundled PostgreSQL subchart disabled: the database is an external CNPG
# cluster reached through the pooler services configured in global.env.
postgresql:
  enabled: false
# Bundled Redis subchart disabled: an external `redis` service (see
# AUTHENTIK_REDIS__HOST in global.env) is used instead.
redis:
  enabled: false