Files
argocd-apps/argocd/projects/platform.yaml
T
unkinben 7f1444fb38 Add Authentik identity provider deployment (#211)
## Summary
- Deploy Authentik (identity.unkin.net) via Helm chart 2026.5.3
- CNPG PostgreSQL cluster (3 instances) with separate rw/ro poolers (2 instances each)
- Redis with 5Gi persistent storage
- Gateway API for HTTPS (identity.unkin.net) and LDAPS (ldap.k8s.syd1.au.unkin.net, ldap.main.unkin.net)
- TLSRoute for LDAPS passthrough, HTTPRoute for external-dns record creation
- Vault secrets for postgres credentials, authentik secret key, and S3 storage credentials
- S3 storage via RadosGW (bucket: authentik)
- 3 server replicas, 2 worker replicas
- Woodpecker ServiceAccount for terraform-authentik CI
- Platform applicationset and project updated

## Dependencies
- terraform-git #15 (merged) — repo definition
- terraform-vault #78 (merged) — auth roles and Consul ACL

## Vault secrets needed before deploy
Write to `kv/kubernetes/namespace/authentik/default/`:
- `postgres-credentials`: username + password
- `authentik-credentials`: AUTHENTIK_SECRET_KEY
- `s3-credentials`: S3 access key + secret key

Reviewed-on: #211
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-28 17:42:49 +10:00

82 lines
2.6 KiB
YAML

---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: platform
namespace: argocd
spec:
description: Platform infrastructure and core services
sourceRepos:
- https://git.unkin.net/unkin/argocd-apps
- https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
- https://purelb.github.io/purelb/charts
- oci://gcr.io/k8s-staging-nfd/charts
- oci://ghcr.io/woodpecker-ci/helm/woodpecker
destinations:
- namespace: '*-system'
server: https://kubernetes.default.svc
- namespace: 'artifactapi'
server: https://kubernetes.default.svc
- namespace: 'age-api'
server: https://kubernetes.default.svc
- namespace: 'authentik'
server: https://kubernetes.default.svc
- namespace: 'cert-manager'
server: https://kubernetes.default.svc
- namespace: 'certificates'
server: https://kubernetes.default.svc
- namespace: 'consul'
server: https://kubernetes.default.svc
- namespace: 'externaldns'
server: https://kubernetes.default.svc
- namespace: 'jfrog'
server: https://kubernetes.default.svc
- namespace: 'kanidm'
server: https://kubernetes.default.svc
- namespace: 'node-feature-discovery'
server: https://kubernetes.default.svc
- namespace: 'priority-classes'
server: https://kubernetes.default.svc
- namespace: 'purelb'
server: https://kubernetes.default.svc
- namespace: 'puppet'
server: https://kubernetes.default.svc
- namespace: 'reposync'
server: https://kubernetes.default.svc
- namespace: 'vault'
server: https://kubernetes.default.svc
- namespace: 'woodpecker'
server: https://kubernetes.default.svc
clusterResourceWhitelist:
- group: ''
kind: Namespace
- group: 'rbac.authorization.k8s.io'
kind: ClusterRole
- group: 'rbac.authorization.k8s.io'
kind: ClusterRoleBinding
- group: 'apiextensions.k8s.io'
kind: CustomResourceDefinition
- group: 'admissionregistration.k8s.io'
kind: MutatingWebhookConfiguration
- group: 'admissionregistration.k8s.io'
kind: ValidatingWebhookConfiguration
- group: 'scheduling.k8s.io'
kind: PriorityClass
- group: 'purelb.io'
kind: '*'
- group: 'nfd.k8s-sigs.io'
kind: NodeFeatureRule
- group: 'deviceplugin.intel.com'
kind: '*'
- group: 'cert-manager.io'
kind: Certificate
- group: 'cert-manager.io'
kind: Issuer
- group: 'gateway.networking.k8s.io'
kind: GatewayClass
- group: 'networking.k8s.io'
kind: IngressClass
namespaceResourceWhitelist:
- group: '*'
kind: '*'