7f1444fb38
## Summary - Deploy Authentik (identity.unkin.net) via Helm chart 2026.5.3 - CNPG PostgreSQL cluster (3 instances) with separate rw/ro poolers (2 instances each) - Redis with 5Gi persistent storage - Gateway API for HTTPS (identity.unkin.net) and LDAPS (ldap.k8s.syd1.au.unkin.net, ldap.main.unkin.net) - TLSRoute for LDAPS passthrough, HTTPRoute for external-dns record creation - Vault secrets for postgres credentials, authentik secret key, and S3 storage credentials - S3 storage via RadosGW (bucket: authentik) - 3 server replicas, 2 worker replicas - Woodpecker ServiceAccount for terraform-authentik CI - Platform applicationset and project updated ## Dependencies - terraform-git #15 (merged) — repo definition - terraform-vault #78 (merged) — auth roles and Consul ACL ## Vault secrets needed before deploy Write to `kv/kubernetes/namespace/authentik/default/`: - `postgres-credentials`: username + password - `authentik-credentials`: AUTHENTIK_SECRET_KEY - `s3-credentials`: S3 access key + secret key Reviewed-on: #211 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
82 lines
2.6 KiB
YAML
82 lines
2.6 KiB
YAML
---
|
|
apiVersion: argoproj.io/v1alpha1
|
|
kind: AppProject
|
|
metadata:
|
|
name: platform
|
|
namespace: argocd
|
|
spec:
|
|
description: Platform infrastructure and core services
|
|
sourceRepos:
|
|
- https://git.unkin.net/unkin/argocd-apps
|
|
- https://artifactapi.k8s.syd1.au.unkin.net/api/v1/virtual/helm
|
|
- https://purelb.github.io/purelb/charts
|
|
- oci://gcr.io/k8s-staging-nfd/charts
|
|
- oci://ghcr.io/woodpecker-ci/helm/woodpecker
|
|
destinations:
|
|
- namespace: '*-system'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'artifactapi'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'age-api'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'authentik'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'cert-manager'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'certificates'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'consul'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'externaldns'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'jfrog'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'kanidm'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'node-feature-discovery'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'priority-classes'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'purelb'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'puppet'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'reposync'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'vault'
|
|
server: https://kubernetes.default.svc
|
|
- namespace: 'woodpecker'
|
|
server: https://kubernetes.default.svc
|
|
clusterResourceWhitelist:
|
|
- group: ''
|
|
kind: Namespace
|
|
- group: 'rbac.authorization.k8s.io'
|
|
kind: ClusterRole
|
|
- group: 'rbac.authorization.k8s.io'
|
|
kind: ClusterRoleBinding
|
|
- group: 'apiextensions.k8s.io'
|
|
kind: CustomResourceDefinition
|
|
- group: 'admissionregistration.k8s.io'
|
|
kind: MutatingWebhookConfiguration
|
|
- group: 'admissionregistration.k8s.io'
|
|
kind: ValidatingWebhookConfiguration
|
|
- group: 'scheduling.k8s.io'
|
|
kind: PriorityClass
|
|
- group: 'purelb.io'
|
|
kind: '*'
|
|
- group: 'nfd.k8s-sigs.io'
|
|
kind: NodeFeatureRule
|
|
- group: 'deviceplugin.intel.com'
|
|
kind: '*'
|
|
- group: 'cert-manager.io'
|
|
kind: Certificate
|
|
- group: 'cert-manager.io'
|
|
kind: Issuer
|
|
- group: 'gateway.networking.k8s.io'
|
|
kind: GatewayClass
|
|
- group: 'networking.k8s.io'
|
|
kind: IngressClass
|
|
namespaceResourceWhitelist:
|
|
- group: '*'
|
|
kind: '*'
|