From 373a602fbf069e2a9be18264e5a976ea620738df Mon Sep 17 00:00:00 2001
From: Ales Lerch <13370338+axeII@users.noreply.github.com>
Date: Tue, 9 Jul 2024 16:40:33 +0200
Subject: [PATCH 1/4] feat: adds authentik to the cluster
---
.../authentik/app/externalsecret.yaml | 34 ++++++++++++
.../security/authentik/app/helmrelease.yaml | 54 +++++++++++++++++++
.../security/authentik/app/kustomization.yaml | 7 +++
kubernetes/apps/security/authentik/ks.yaml | 24 +++++++++
kubernetes/apps/security/kustomization.yaml | 1 +
5 files changed, 120 insertions(+)
create mode 100644 kubernetes/apps/security/authentik/app/externalsecret.yaml
create mode 100644 kubernetes/apps/security/authentik/app/helmrelease.yaml
create mode 100644 kubernetes/apps/security/authentik/app/kustomization.yaml
create mode 100644 kubernetes/apps/security/authentik/ks.yaml
diff --git a/kubernetes/apps/security/authentik/app/externalsecret.yaml b/kubernetes/apps/security/authentik/app/externalsecret.yaml
new file mode 100644
index 000000000..4d8f4d1b1
--- /dev/null
+++ b/kubernetes/apps/security/authentik/app/externalsecret.yaml
@@ -0,0 +1,34 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/axeII/crds/main/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: authentik
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ refreshInterval: 15m
+ target:
+ name: authentik-secret
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ # Authentik
+ AUTHENTIK_BOOTSTRAP_EMAIL: '{{ .AUTHENTIK_EMAIL }}'
+ AUTHENTIK_BOOTSTRAP_PASSWORD: '{{ .AUTHENTIK_PASSWORD }}'
+ AUTHENTIK_BOOTSTRAP_TOKEN: '{{ .AUTHENTIK_TOKEN }}'
+ AUTHENTIK_SECRET_KEY: '{{ .AUTHENTIK_SECRET_KEY }}'
+ AUTHENTIK_REDIS__DB: "1"
+ AUTHENTIK_POSTGRESQL__NAME: '{{ .dbname }}'
+ AUTHENTIK_POSTGRESQL__HOST: '{{ .host }}' #pgBouncer is set to session for Grafana, and Authentik requires transaction
+ AUTHENTIK_POSTGRESQL__USER: '{{ .user }}'
+ AUTHENTIK_POSTGRESQL__PASSWORD: '{{ .password }}'
+ AUTHENTIK_POSTGRESQL__USE_PGBOUNCER: 'false'
+ AUTHENTIK_POSTGRESQL__SSLMODE: 'require'
+ dataFrom:
+ - extract:
+ key: postgres-pguser-authentik
+ - extract:
+ key: authentik
diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml
new file mode 100644
index 000000000..a5a2bbcd3
--- /dev/null
+++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml
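Review bot: AUTHENTIK_BOOTSTRAP_PASSWORD and AUTHENTIK_BOOTSTRAP_TOKEN are rendered into authentik-secret permanently, yet authentik reads the bootstrap variables only on its first start and the admin API token it creates from AUTHENTIK_BOOTSTRAP_TOKEN has no expiry (per its configuration docs), so after initial setup these lines keep a live, non-expiring admin credential in the secret and, via envFrom, in every pod's environment for no benefit. Add a comment above them such as `# First-boot only: rotate the bootstrap token and drop these three keys once the admin user exists` and plan that removal. The inline comment on AUTHENTIK_POSTGRESQL__HOST lacks a space after `#` and reads as if it were about Grafana; move it above the line as `# Direct DB host, not the pooler: pgBouncer runs in session mode for Grafana and authentik requires transaction mode`. Separately, `AUTHENTIK_POSTGRESQL__SSLMODE: 'require'` encrypts the connection but does not verify the server certificate; if the database operator publishes a CA, `verify-full` is the stronger choice.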
@@ -0,0 +1,54 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: authentik
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: authentik
+ version: 2024.6.0
+ sourceRef:
+ kind: HelmRepository
+ name: authentik-charts
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ global:
+ podAnnotations:
+ secret.reloader.stakater.com/reload: authentik-secret
+ deploymentStrategy:
+ type: RollingUpdate
+ envFrom:
+ - secretRef:
+ name: authentik-secret
+ authentik:
+ redis:
+ host: redis-master.database.svc.cluster.local
+ server:
+ autoscaling:
+ enabled: true
+ minReplicas: 1
+ metrics:
+ prometheus:
+ serviceMonitor:
+ enabled: true
+ ingress:
+ enabled: true
+ ingressClassName: external
+ # annotations:
+ hosts:
+ - sso.${SECRET_DOMAIN}
+ https: false
+ worker:
+ autoscaling:
+ enabled: true
+ minReplicas: 1
diff --git a/kubernetes/apps/security/authentik/app/kustomization.yaml b/kubernetes/apps/security/authentik/app/kustomization.yaml
new file mode 100644
index 000000000..4eed917b9
--- /dev/null
+++ b/kubernetes/apps/security/authentik/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/security/authentik/ks.yaml b/kubernetes/apps/security/authentik/ks.yaml
new file mode 100644
index 000000000..cdfcbbeaf
--- /dev/null
+++ b/kubernetes/apps/security/authentik/ks.yaml
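Review bot: The `secret.reloader.stakater.com/reload: authentik-secret` annotation is placed under `global.podAnnotations`, which the chart renders into the pod template, whereas Reloader, as far as I know, matches annotations on the Deployment/StatefulSet object itself; if that holds for this chart version, rotating authentik-secret will not restart the pods and the annotation silently does nothing. Check whether the pinned chart exposes a deployment-level annotation value (`global.deploymentAnnotations` in recent authentik charts) and move it there, or confirm with a rotation test before relying on it. The ingress on `ingressClassName: external` for the SSO entry point has `https: false` and a dangling `# annotations:` stub; drop the stub or replace it with a comment stating where TLS for the external class is terminated, so the setting reads as deliberate rather than forgotten.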
@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://lds-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app authentik
+ namespace: flux-system
+spec:
+ targetNamespace: security
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: cluster-apps-external-database
+ - name: external-secrets-stores
+ path: ./kubernetes/main/apps/security/authentik/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false # no flux ks dependents
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/security/kustomization.yaml b/kubernetes/apps/security/kustomization.yaml
index 2cf386965..470442908 100644
--- a/kubernetes/apps/security/kustomization.yaml
+++ b/kubernetes/apps/security/kustomization.yaml
@@ -5,3 +5,4 @@ kind: Kustomization
 resources:
 - ./namespace.yaml
 - ./pastebin/ks.yaml
+ - ./authentik/ks.yaml
From f94f6ab1e723270e2e25e58e7071006e1a5b4df2 Mon Sep 17 00:00:00 2001
From: Ales Lerch <13370338+axeII@users.noreply.github.com>
Date: Mon, 9 Sep 2024 00:05:43 +0200
Subject: [PATCH 2/4] hotfix: authentik path
---
kubernetes/apps/security/authentik/ks.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/apps/security/authentik/ks.yaml b/kubernetes/apps/security/authentik/ks.yaml
index cdfcbbeaf..cd37515eb 100644
--- a/kubernetes/apps/security/authentik/ks.yaml
+++ b/kubernetes/apps/security/authentik/ks.yaml
@@ -13,7 +13,7 @@ spec:
 dependsOn:
 - name: cluster-apps-external-database
 - name: external-secrets-stores
- path: ./kubernetes/main/apps/security/authentik/app
+ path: ./kubernetes/apps/security/authentik/app
 prune: true
 sourceRef:
 kind: GitRepository
From 415f4143e6049f7cdc578e442507cb94fa61648e Mon Sep 17 00:00:00 2001
From: Ales Lerch <13370338+axeII@users.noreply.github.com>
Date: Mon, 9 Sep 2024 00:14:11 +0200
Subject: [PATCH 3/4] refactor: update authentik repository URL
---
kubernetes/flux/repositories/helm/authentik.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kubernetes/flux/repositories/helm/authentik.yaml b/kubernetes/flux/repositories/helm/authentik.yaml
index abc712dcf..54770c6a8 100644
--- a/kubernetes/flux/repositories/helm/authentik.yaml
+++ b/kubernetes/flux/repositories/helm/authentik.yaml
@@ -2,9 +2,9 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
- name: authentik
+ name: authentik-charts
 namespace: flux-system
 spec:
 interval: 1h
- url: https://charts.goauthentik.io/
+ url: https://charts.goauthentik.io
 timeout: 3m
From c214a9689fcd74174a154a36bebd4c245ab51b63 Mon Sep 17 00:00:00 2001
From: Ales Lerch <13370338+axeII@users.noreply.github.com>
Date: Tue, 29 Oct 2024 00:07:27 +0100
Subject: [PATCH 4/4] refactor: Update Redis host in helmrelease.yaml
---
kubernetes/apps/security/authentik/app/helmrelease.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml
index a5a2bbcd3..eaa58cb01 100644
--- a/kubernetes/apps/security/authentik/app/helmrelease.yaml
+++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml
@@ -32,7 +32,7 @@ spec:
 name: authentik-secret
 authentik:
 redis:
- host: redis-master.database.svc.cluster.local
+ host: redis.database.svc.cluster.local
 server:
 autoscaling:
 enabled: true