feat: adds authentik to the cluster
Description of the change
Adds authentik for some external services
Benefits or applicable issues
Better security.
🦙 MegaLinter status: ✅ SUCCESS
| Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
|---|
See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff
--- kubernetes/flux Kustomization: flux-system/cluster HelmRepository: flux-system/authentik
+++ kubernetes/flux Kustomization: flux-system/cluster HelmRepository: flux-system/authentik
@@ -1,14 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: authentik
- namespace: flux-system
-spec:
- interval: 1h
- timeout: 3m
- url: https://charts.goauthentik.io/
-
--- kubernetes/flux Kustomization: flux-system/cluster HelmRepository: flux-system/authentik-charts
+++ kubernetes/flux Kustomization: flux-system/cluster HelmRepository: flux-system/authentik-charts
@@ -0,0 +1,14 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: authentik-charts
+ namespace: flux-system
+spec:
+ interval: 1h
+ timeout: 3m
+ url: https://charts.goauthentik.io
+
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/authentik
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/authentik
@@ -0,0 +1,37 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: authentik
+ namespace: flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: authentik
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ dependsOn:
+ - name: cluster-apps-external-database
+ - name: external-secrets-stores
+ interval: 30m
+ path: ./kubernetes/apps/security/authentik/app
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
+ prune: true
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ targetNamespace: security
+ timeout: 5m
+ wait: false
+
--- kubernetes/apps/security/authentik/app Kustomization: flux-system/authentik ExternalSecret: security/authentik
+++ kubernetes/apps/security/authentik/app Kustomization: flux-system/authentik ExternalSecret: security/authentik
@@ -0,0 +1,38 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: authentik
+ kustomize.toolkit.fluxcd.io/name: authentik
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: authentik
+ namespace: security
+spec:
+ dataFrom:
+ - extract:
+ key: postgres-pguser-authentik
+ - extract:
+ key: authentik
+ refreshInterval: 15m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ creationPolicy: Owner
+ name: authentik-secret
+ template:
+ data:
+ AUTHENTIK_BOOTSTRAP_EMAIL: '{{ .AUTHENTIK_EMAIL }}'
+ AUTHENTIK_BOOTSTRAP_PASSWORD: '{{ .AUTHENTIK_PASSWORD }}'
+ AUTHENTIK_BOOTSTRAP_TOKEN: '{{ .AUTHENTIK_TOKEN }}'
+ AUTHENTIK_POSTGRESQL__HOST: '{{ .host }}'
+ AUTHENTIK_POSTGRESQL__NAME: '{{ .dbname }}'
+ AUTHENTIK_POSTGRESQL__PASSWORD: '{{ .password }}'
+ AUTHENTIK_POSTGRESQL__SSLMODE: require
+ AUTHENTIK_POSTGRESQL__USE_PGBOUNCER: 'false'
+ AUTHENTIK_POSTGRESQL__USER: '{{ .user }}'
+ AUTHENTIK_REDIS__DB: '1'
+ AUTHENTIK_SECRET_KEY: '{{ .AUTHENTIK_SECRET_KEY }}'
+ engineVersion: v2
+
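Review bot: `AUTHENTIK_POSTGRESQL__SSLMODE: require` encrypts the Postgres connection but does not verify the server's certificate, so the database password templated into this Secret would be presented to whatever endpoint answers at `{{ .host }}`. For an identity provider's database, prefer `AUTHENTIK_POSTGRESQL__SSLMODE: verify-full` together with a CA reference (authentik reads `AUTHENTIK_POSTGRESQL__SSLROOTCERT`; confirm the key against the settings docs for this release). Separately, `AUTHENTIK_BOOTSTRAP_PASSWORD` and `AUTHENTIK_BOOTSTRAP_TOKEN` are, per the authentik docs, only read on first startup, yet they stay in the rendered Secret and in every server and worker pod's environment afterwards; plan to rotate or remove those values in the backing store once the initial admin login is done.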
--- kubernetes/apps/security/authentik/app Kustomization: flux-system/authentik HelmRelease: security/authentik
+++ kubernetes/apps/security/authentik/app Kustomization: flux-system/authentik HelmRelease: security/authentik
@@ -0,0 +1,59 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: authentik
+ kustomize.toolkit.fluxcd.io/name: authentik
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: authentik
+ namespace: security
+spec:
+ chart:
+ spec:
+ chart: authentik
+ sourceRef:
+ kind: HelmRepository
+ name: authentik-charts
+ namespace: flux-system
+ version: 2024.6.0
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ authentik:
+ redis:
+ host: redis-master.database.svc.cluster.local
+ global:
+ deploymentStrategy:
+ type: RollingUpdate
+ envFrom:
+ - secretRef:
+ name: authentik-secret
+ podAnnotations:
+ secret.reloader.stakater.com/reload: authentik-secret
+ server:
+ autoscaling:
+ enabled: true
+ minReplicas: 1
+ ingress:
+ enabled: true
+ hosts:
+ - sso...PLACEHOLDER..
+ https: false
+ ingressClassName: external
+ metrics:
+ prometheus:
+ serviceMonitor:
+ enabled: true
+ worker:
+ autoscaling:
+ enabled: true
+ minReplicas: 1
+
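Review bot: `server.autoscaling.enabled: true` and `worker.autoscaling.enabled: true` are set without any `resources` for either component, and the rendered Deployments show `resources: {}` while both HorizontalPodAutoscaler hunks target CPU `Utilization`. A Utilization target needs a CPU request on the pods to compute a percentage; without one the metric lookup fails and the autoscaler never scales, so `minReplicas: 1` is also the effective maximum. Add CPU and memory requests under `server.resources` and `worker.resources` (the chart's `resources` keys, which produce the `resources:` field in the rendered pods); the numbers below are constructed placeholders to be sized from observed usage. Leaving memory unbounded on a component exposed through the external ingress is also worth avoiding.
```yaml
values:
  # … unchanged: authentik, global …
  server:
    resources:
      requests:
        cpu: 100m      # placeholder — size from observed usage
        memory: 512Mi  # placeholder
      limits:
        memory: 1Gi    # placeholder
    # … unchanged: autoscaling, ingress, metrics …
  worker:
    resources:
      requests:
        cpu: 100m      # placeholder — size from observed usage
        memory: 512Mi  # placeholder
      limits:
        memory: 1Gi    # placeholder
    # … unchanged: autoscaling …
```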
--- HelmRelease: security/authentik ServiceAccount: security/authentik
+++ HelmRelease: security/authentik ServiceAccount: security/authentik
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: authentik
+ namespace: security
+ labels:
+ app.kubernetes.io/name: serviceAccount
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+
--- HelmRelease: security/authentik ClusterRole: security/authentik-security
+++ HelmRelease: security/authentik ClusterRole: security/authentik-security
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: authentik-security
+ labels:
+ app.kubernetes.io/name: serviceAccount
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - list
+
--- HelmRelease: security/authentik ClusterRoleBinding: security/authentik-security
+++ HelmRelease: security/authentik ClusterRoleBinding: security/authentik-security
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: authentik-security
+ labels:
+ app.kubernetes.io/name: serviceAccount
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: authentik-security
+subjects:
+- kind: ServiceAccount
+ name: authentik
+ namespace: security
+
--- HelmRelease: security/authentik Role: security/authentik
+++ HelmRelease: security/authentik Role: security/authentik
@@ -0,0 +1,74 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: authentik
+ namespace: security
+ labels:
+ app.kubernetes.io/name: serviceAccount
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ - services
+ - configmaps
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+ - patch
+- apiGroups:
+ - extensions
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+ - patch
+- apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+ - patch
+- apiGroups:
+ - traefik.containo.us
+ - traefik.io
+ resources:
+ - middlewares
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+ - patch
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+ - patch
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - list
+
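Review bot: The first rule grants the `authentik` ServiceAccount `get`, `list`, `create`, `delete` and `patch` on every Secret in the `security` namespace, not only the chart's own, so any other workload's Secret placed in `security` becomes readable by the worker pod and by anything that compromises it. The chart ships this so that outposts can be deployed from authentik through its Kubernetes integration; if that integration is not planned, check whether this chart version offers a toggle for the ServiceAccount/RBAC objects, and otherwise keep `security` a single-tenant namespace for authentik. The `extensions` API group in the second and third rules is a retired group that no current cluster serves; harmless, but it signals the chart's RBAC template has not been reviewed recently, which is one more reason to scope it deliberately.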
--- HelmRelease: security/authentik RoleBinding: security/authentik
+++ HelmRelease: security/authentik RoleBinding: security/authentik
@@ -0,0 +1,20 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: authentik
+ namespace: security
+ labels:
+ app.kubernetes.io/name: serviceAccount
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: authentik
+subjects:
+- kind: ServiceAccount
+ name: authentik
+ namespace: security
+
--- HelmRelease: security/authentik Service: security/authentik-server
+++ HelmRelease: security/authentik Service: security/authentik-server
@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: authentik-server
+ namespace: security
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ protocol: TCP
+ port: 80
+ targetPort: 9000
+ - name: https
+ protocol: TCP
+ port: 443
+ targetPort: 9443
+ selector:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+
--- HelmRelease: security/authentik Deployment: security/authentik-server
+++ HelmRelease: security/authentik Deployment: security/authentik-server
@@ -0,0 +1,103 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: authentik-server
+ namespace: security
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+spec:
+ strategy:
+ type: RollingUpdate
+ revisionHistoryLimit: 3
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+ annotations:
+ checksum/secret: fc1d7bb0ce10f03f2d0799b48bc406b696360d40c3cc80b7956cebe3c7b5bb29
+ secret.reloader.stakater.com/reload: authentik-secret
+ spec:
+ terminationGracePeriodSeconds: 30
+ containers:
+ - name: server
+ image: ghcr.io/goauthentik/server:2024.6.0
+ imagePullPolicy: IfNotPresent
+ args:
+ - server
+ env:
+ - name: AUTHENTIK_LISTEN__HTTP
+ value: 0.0.0.0:9000
+ - name: AUTHENTIK_LISTEN__HTTPS
+ value: 0.0.0.0:9443
+ - name: AUTHENTIK_LISTEN__METRICS
+ value: 0.0.0.0:9300
+ envFrom:
+ - secretRef:
+ name: authentik
+ - secretRef:
+ name: authentik-secret
+ ports:
+ - name: http
+ containerPort: 9000
+ protocol: TCP
+ - name: https
+ containerPort: 9443
+ protocol: TCP
+ - name: metrics
+ containerPort: 9300
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /-/health/live/
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /-/health/ready/
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ startupProbe:
+ failureThreshold: 60
+ httpGet:
+ path: /-/health/live/
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources: {}
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ topologyKey: kubernetes.io/hostname
+ enableServiceLinks: true
+
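Review bot: The rendered pod spec sets no `securityContext` at pod or container level — no `runAsNonRoot`, `allowPrivilegeEscalation: false`, `capabilities.drop` or `seccompProfile` — and the server pod sets no `serviceAccountName`, so it runs under the namespace's `default` ServiceAccount with that token automounted even though nothing in the `server` container references the Kubernetes API. Both come from chart values, so set the chart's pod- and container-level security-context values for server and worker, and `automountServiceAccountToken: false` where the chart or a Kustomize patch allows it, rather than editing this rendered output. The worker hunk has the same gap, with the added point that its `authentik` ServiceAccount carries the namespace-wide Secret permissions from the Role hunk.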
--- HelmRelease: security/authentik Deployment: security/authentik-worker
+++ HelmRelease: security/authentik Deployment: security/authentik-worker
@@ -0,0 +1,91 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: authentik-worker
+ namespace: security
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: worker
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+spec:
+ strategy:
+ type: RollingUpdate
+ revisionHistoryLimit: 3
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: worker
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: worker
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+ annotations:
+ checksum/secret: fc1d7bb0ce10f03f2d0799b48bc406b696360d40c3cc80b7956cebe3c7b5bb29
+ secret.reloader.stakater.com/reload: authentik-secret
+ spec:
+ serviceAccountName: authentik
+ terminationGracePeriodSeconds: 30
+ containers:
+ - name: worker
+ image: ghcr.io/goauthentik/server:2024.6.0
+ imagePullPolicy: IfNotPresent
+ args:
+ - worker
+ env: null
+ envFrom:
+ - secretRef:
+ name: authentik
+ - secretRef:
+ name: authentik-secret
+ livenessProbe:
+ exec:
+ command:
+ - ak
+ - healthcheck
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ exec:
+ command:
+ - ak
+ - healthcheck
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ startupProbe:
+ exec:
+ command:
+ - ak
+ - healthcheck
+ failureThreshold: 60
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources: {}
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: worker
+ topologyKey: kubernetes.io/hostname
+ enableServiceLinks: true
+
--- HelmRelease: security/authentik HorizontalPodAutoscaler: security/authentik-server
+++ HelmRelease: security/authentik HorizontalPodAutoscaler: security/authentik-server
@@ -0,0 +1,27 @@
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: authentik-server
+ namespace: security
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: authentik-server
+ minReplicas: 1
+ maxReplicas: 5
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 50
+
--- HelmRelease: security/authentik HorizontalPodAutoscaler: security/authentik-worker
+++ HelmRelease: security/authentik HorizontalPodAutoscaler: security/authentik-worker
@@ -0,0 +1,27 @@
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: authentik-worker
+ namespace: security
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: worker
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: authentik-worker
+ minReplicas: 1
+ maxReplicas: 5
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 50
+
--- HelmRelease: security/authentik Ingress: security/authentik-server
+++ HelmRelease: security/authentik Ingress: security/authentik-server
@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: authentik-server
+ namespace: security
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+spec:
+ ingressClassName: external
+ rules:
+ - host: sso...PLACEHOLDER..
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: authentik-server
+ port:
+ number: 80
+
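Review bot: The Ingress has no `tls` stanza and the HelmRelease sets `https: false`, so unless the `external` ingress class terminates TLS with its own certificate or sits behind a tunnel, the SSO login page, session cookies and the bootstrap password travel in clear text on the `sso` host. If TLS is handled at the ingress controller, record that next to `https: false` in the HelmRelease (`# TLS terminates at the external ingress controller; backend stays plain HTTP`); otherwise add a `tls` entry for this host under `server.ingress` in the HelmRelease values, keyed as the chart documents, referencing the certificate Secret. Either way the decision should be visible in the values, since the rendered Ingress alone cannot show it.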
--- kubernetes/flux Kustomization: flux-system/cluster HelmRepository: flux-system/authentik
+++ kubernetes/flux Kustomization: flux-system/cluster HelmRepository: flux-system/authentik
@@ -1,14 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: cluster
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: authentik
- namespace: flux-system
-spec:
- interval: 1h
- timeout: 3m
- url: https://charts.goauthentik.io/
-
--- kubernetes/flux Kustomization: flux-system/cluster HelmRepository: flux-system/authentik-charts
+++ kubernetes/flux Kustomization: flux-system/cluster HelmRepository: flux-system/authentik-charts
@@ -0,0 +1,14 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: authentik-charts
+ namespace: flux-system
+spec:
+ interval: 1h
+ timeout: 3m
+ url: https://charts.goauthentik.io
+
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/authentik
+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/authentik
@@ -0,0 +1,37 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: cluster-apps
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: authentik
+ namespace: flux-system
+spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: authentik
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
+ dependsOn:
+ - name: cluster-apps-external-database
+ - name: external-secrets-stores
+ interval: 30m
+ path: ./kubernetes/apps/security/authentik/app
+ postBuild:
+ substituteFrom:
+ - kind: ConfigMap
+ name: cluster-settings
+ - kind: Secret
+ name: cluster-secrets
+ prune: true
+ retryInterval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ targetNamespace: security
+ timeout: 5m
+ wait: false
+
--- kubernetes/apps/security/authentik/app Kustomization: flux-system/authentik ExternalSecret: security/authentik
+++ kubernetes/apps/security/authentik/app Kustomization: flux-system/authentik ExternalSecret: security/authentik
@@ -0,0 +1,38 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: authentik
+ kustomize.toolkit.fluxcd.io/name: authentik
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: authentik
+ namespace: security
+spec:
+ dataFrom:
+ - extract:
+ key: postgres-pguser-authentik
+ - extract:
+ key: authentik
+ refreshInterval: 15m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ creationPolicy: Owner
+ name: authentik-secret
+ template:
+ data:
+ AUTHENTIK_BOOTSTRAP_EMAIL: '{{ .AUTHENTIK_EMAIL }}'
+ AUTHENTIK_BOOTSTRAP_PASSWORD: '{{ .AUTHENTIK_PASSWORD }}'
+ AUTHENTIK_BOOTSTRAP_TOKEN: '{{ .AUTHENTIK_TOKEN }}'
+ AUTHENTIK_POSTGRESQL__HOST: '{{ .host }}'
+ AUTHENTIK_POSTGRESQL__NAME: '{{ .dbname }}'
+ AUTHENTIK_POSTGRESQL__PASSWORD: '{{ .password }}'
+ AUTHENTIK_POSTGRESQL__SSLMODE: require
+ AUTHENTIK_POSTGRESQL__USE_PGBOUNCER: 'false'
+ AUTHENTIK_POSTGRESQL__USER: '{{ .user }}'
+ AUTHENTIK_REDIS__DB: '1'
+ AUTHENTIK_SECRET_KEY: '{{ .AUTHENTIK_SECRET_KEY }}'
+ engineVersion: v2
+
--- kubernetes/apps/security/authentik/app Kustomization: flux-system/authentik HelmRelease: security/authentik
+++ kubernetes/apps/security/authentik/app Kustomization: flux-system/authentik HelmRelease: security/authentik
@@ -0,0 +1,59 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ labels:
+ app.kubernetes.io/name: authentik
+ kustomize.toolkit.fluxcd.io/name: authentik
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: authentik
+ namespace: security
+spec:
+ chart:
+ spec:
+ chart: authentik
+ sourceRef:
+ kind: HelmRepository
+ name: authentik-charts
+ namespace: flux-system
+ version: 2024.6.0
+ install:
+ remediation:
+ retries: 3
+ interval: 30m
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ strategy: rollback
+ values:
+ authentik:
+ redis:
+ host: redis-master.database.svc.cluster.local
+ global:
+ deploymentStrategy:
+ type: RollingUpdate
+ envFrom:
+ - secretRef:
+ name: authentik-secret
+ podAnnotations:
+ secret.reloader.stakater.com/reload: authentik-secret
+ server:
+ autoscaling:
+ enabled: true
+ minReplicas: 1
+ ingress:
+ enabled: true
+ hosts:
+ - sso...PLACEHOLDER..
+ https: false
+ ingressClassName: external
+ metrics:
+ prometheus:
+ serviceMonitor:
+ enabled: true
+ worker:
+ autoscaling:
+ enabled: true
+ minReplicas: 1
+
--- HelmRelease: security/authentik ServiceAccount: security/authentik
+++ HelmRelease: security/authentik ServiceAccount: security/authentik
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: authentik
+ namespace: security
+ labels:
+ app.kubernetes.io/name: serviceAccount
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+
--- HelmRelease: security/authentik ClusterRole: security/authentik-security
+++ HelmRelease: security/authentik ClusterRole: security/authentik-security
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: authentik-security
+ labels:
+ app.kubernetes.io/name: serviceAccount
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - list
+
--- HelmRelease: security/authentik ClusterRoleBinding: security/authentik-security
+++ HelmRelease: security/authentik ClusterRoleBinding: security/authentik-security
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: authentik-security
+ labels:
+ app.kubernetes.io/name: serviceAccount
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: authentik-security
+subjects:
+- kind: ServiceAccount
+ name: authentik
+ namespace: security
+
--- HelmRelease: security/authentik Role: security/authentik
+++ HelmRelease: security/authentik Role: security/authentik
@@ -0,0 +1,74 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: authentik
+ namespace: security
+ labels:
+ app.kubernetes.io/name: serviceAccount
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ - services
+ - configmaps
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+ - patch
+- apiGroups:
+ - extensions
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+ - patch
+- apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+ - patch
+- apiGroups:
+ - traefik.containo.us
+ - traefik.io
+ resources:
+ - middlewares
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+ - patch
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+ - patch
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - list
+
--- HelmRelease: security/authentik RoleBinding: security/authentik
+++ HelmRelease: security/authentik RoleBinding: security/authentik
@@ -0,0 +1,20 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: authentik
+ namespace: security
+ labels:
+ app.kubernetes.io/name: serviceAccount
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: authentik
+subjects:
+- kind: ServiceAccount
+ name: authentik
+ namespace: security
+
--- HelmRelease: security/authentik Service: security/authentik-server
+++ HelmRelease: security/authentik Service: security/authentik-server
@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: authentik-server
+ namespace: security
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ protocol: TCP
+ port: 80
+ targetPort: 9000
+ - name: https
+ protocol: TCP
+ port: 443
+ targetPort: 9443
+ selector:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+
--- HelmRelease: security/authentik Deployment: security/authentik-server
+++ HelmRelease: security/authentik Deployment: security/authentik-server
@@ -0,0 +1,103 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: authentik-server
+ namespace: security
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+spec:
+ strategy:
+ type: RollingUpdate
+ revisionHistoryLimit: 3
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+ annotations:
+ checksum/secret: fc1d7bb0ce10f03f2d0799b48bc406b696360d40c3cc80b7956cebe3c7b5bb29
+ secret.reloader.stakater.com/reload: authentik-secret
+ spec:
+ terminationGracePeriodSeconds: 30
+ containers:
+ - name: server
+ image: ghcr.io/goauthentik/server:2024.6.0
+ imagePullPolicy: IfNotPresent
+ args:
+ - server
+ env:
+ - name: AUTHENTIK_LISTEN__HTTP
+ value: 0.0.0.0:9000
+ - name: AUTHENTIK_LISTEN__HTTPS
+ value: 0.0.0.0:9443
+ - name: AUTHENTIK_LISTEN__METRICS
+ value: 0.0.0.0:9300
+ envFrom:
+ - secretRef:
+ name: authentik
+ - secretRef:
+ name: authentik-secret
+ ports:
+ - name: http
+ containerPort: 9000
+ protocol: TCP
+ - name: https
+ containerPort: 9443
+ protocol: TCP
+ - name: metrics
+ containerPort: 9300
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /-/health/live/
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /-/health/ready/
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ startupProbe:
+ failureThreshold: 60
+ httpGet:
+ path: /-/health/live/
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources: {}
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ topologyKey: kubernetes.io/hostname
+ enableServiceLinks: true
+
--- HelmRelease: security/authentik Deployment: security/authentik-worker
+++ HelmRelease: security/authentik Deployment: security/authentik-worker
@@ -0,0 +1,91 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: authentik-worker
+ namespace: security
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: worker
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+spec:
+ strategy:
+ type: RollingUpdate
+ revisionHistoryLimit: 3
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: worker
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: worker
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+ annotations:
+ checksum/secret: fc1d7bb0ce10f03f2d0799b48bc406b696360d40c3cc80b7956cebe3c7b5bb29
+ secret.reloader.stakater.com/reload: authentik-secret
+ spec:
+ serviceAccountName: authentik
+ terminationGracePeriodSeconds: 30
+ containers:
+ - name: worker
+ image: ghcr.io/goauthentik/server:2024.6.0
+ imagePullPolicy: IfNotPresent
+ args:
+ - worker
+ env: null
+ envFrom:
+ - secretRef:
+ name: authentik
+ - secretRef:
+ name: authentik-secret
+ livenessProbe:
+ exec:
+ command:
+ - ak
+ - healthcheck
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ exec:
+ command:
+ - ak
+ - healthcheck
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ startupProbe:
+ exec:
+ command:
+ - ak
+ - healthcheck
+ failureThreshold: 60
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources: {}
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: worker
+ topologyKey: kubernetes.io/hostname
+ enableServiceLinks: true
+
--- HelmRelease: security/authentik HorizontalPodAutoscaler: security/authentik-server
+++ HelmRelease: security/authentik HorizontalPodAutoscaler: security/authentik-server
@@ -0,0 +1,27 @@
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: authentik-server
+ namespace: security
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: authentik-server
+ minReplicas: 1
+ maxReplicas: 5
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 50
+
--- HelmRelease: security/authentik HorizontalPodAutoscaler: security/authentik-worker
+++ HelmRelease: security/authentik HorizontalPodAutoscaler: security/authentik-worker
@@ -0,0 +1,27 @@
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: authentik-worker
+ namespace: security
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: worker
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: authentik-worker
+ minReplicas: 1
+ maxReplicas: 5
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 50
+
--- HelmRelease: security/authentik Ingress: security/authentik-server
+++ HelmRelease: security/authentik Ingress: security/authentik-server
@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: authentik-server
+ namespace: security
+ labels:
+ app.kubernetes.io/name: authentik
+ app.kubernetes.io/instance: authentik
+ app.kubernetes.io/component: server
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: authentik
+spec:
+ ingressClassName: external
+ rules:
+ - host: sso...PLACEHOLDER..
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: authentik-server
+ port:
+ number: 80
+