feat(identity): install authentik

Updates #168
martinohmann · Dec 30, 2023 · 1f48cf3 · 1f48cf3
1 parent a52ccb8
commit 1f48cf3
Show file tree

Hide file tree

Showing 10 changed files with 257 additions and 2 deletions.
diff --git a/kubernetes/apps/identity/authentik/app/helmrelease.yaml b/kubernetes/apps/identity/authentik/app/helmrelease.yaml
@@ -0,0 +1,148 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.18b.haus/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: authentik
+spec:
+  chart:
+    spec:
+      chart: authentik
+      version: 2023.10.5
+      sourceRef:
+        kind: HelmRepository
+        name: authentik
+        namespace: flux-system
+  interval: 30m
+  values:
+    controller:
+      annotations:
+        secret.reloader.stakater.com/reload: &secret authentik-secret
+    initContainers:
+      init-db:
+        image: ghcr.io/onedr0p/postgres-init:16.1
+        envFrom:
+          - secretRef:
+              name: &secret authentik-secret
+    replicas: 2
+    worker:
+      replicas: 2
+    authentik:
+      email:
+        use_ssl: true
+      log_level: debug
+      error_reporting:
+        enabled: false
+    ingress:
+      enabled: true
+      ingressClassName: internal
+      annotations:
+        hajimari.io/group: identity
+        hajimari.io/icon: simple-icons:authelia
+      hosts:
+        - host: &host identity.18b.haus
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - *host
+    prometheus:
+      serviceMonitor:
+        create: true
+      rules:
+        create: true
+    resources:
+      server:
+        requests:
+          cpu: 50m
+          memory: 200Mi
+        limits:
+          memory: 800Mi
+      worker:
+        requests:
+          cpu: 50m
+          memory: 200Mi
+        limits:
+          memory: 800Mi
+    redis:
+      enabled: true
+      auth:
+        enabled: true
+      master:
+        persistence:
+          enabled: true
+          storageClass: longhorn
+          size: 1Gi
+        resources:
+          requests:
+            cpu: 15m
+            memory: 50Mi
+          limits:
+            memory: 100Mi
+      commonConfiguration: |-
+        # Enable AOF https://redis.io/topics/persistence#append-only-file
+        appendonly yes
+        # Disable RDB persistence, AOF persistence already enabled.
+        save ""
+        maxmemory 94371840
+        maxmemory-policy allkeys-lru
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+        resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
+          limits:
+            memory: 20Mi
+  valuesFrom:
+    - kind: Secret
+      name: *secret
+      valuesKey: SECRET_KEY
+      targetPath: authentik.secret_key
+    - kind: Secret
+      name: *secret
+      valuesKey: SMTP_HOST
+      targetPath: authentik.email.host
+    - kind: Secret
+      name: *secret
+      valuesKey: SMTP_PORT
+      targetPath: authentik.email.port
+    - kind: Secret
+      name: *secret
+      valuesKey: SMTP_SENDER
+      targetPath: authentik.email.from
+    - kind: Secret
+      name: *secret
+      valuesKey: SMTP_USERNAME
+      targetPath: authentik.email.username
+    - kind: Secret
+      name: *secret
+      valuesKey: SMTP_PASSWORD
+      targetPath: authentik.email.password
+    - kind: Secret
+      name: *secret
+      valuesKey: REDIS_PASSWORD
+      targetPath: authentik.redis.password
+    - kind: Secret
+      name: *secret
+      valuesKey: REDIS_PASSWORD
+      targetPath: redis.auth.password
+    - kind: Secret
+      name: *secret
+      valuesKey: INIT_POSTGRES_HOST
+      targetPath: authentik.postgresql.host
+    - kind: Secret
+      name: *secret
+      valuesKey: INIT_POSTGRES_USER
+      targetPath: authentik.postgresql.user
+    - kind: Secret
+      name: *secret
+      valuesKey: INIT_POSTGRES_PASS
+      targetPath: authentik.postgresql.password
+    - kind: Secret
+      name: *secret
+      valuesKey: INIT_POSTGRES_DBNAME
+      targetPath: authentik.postgresql.name
diff --git a/kubernetes/apps/identity/authentik/app/kustomization.yaml b/kubernetes/apps/identity/authentik/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml
diff --git a/kubernetes/apps/identity/authentik/app/secret-db.yaml b/kubernetes/apps/identity/authentik/app/secret-db.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authentik-db
+stringData:
+  INIT_POSTGRES_DBNAME: authentik
+  INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local
+  INIT_POSTGRES_PASS: "${SECRET_AUTHENTIK_POSTGRES_PASSWORD}"
+  INIT_POSTGRES_SUPER_PASS: "${SECRET_POSTGRES_SUPER_PASSWORD}"
+  INIT_POSTGRES_USER: "${SECRET_AUTHENTIK_POSTGRES_USER}"
diff --git a/kubernetes/apps/identity/authentik/app/secret.sops.yaml b/kubernetes/apps/identity/authentik/app/secret.sops.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: authentik-secret
+stringData:
+    REDIS_PASSWORD: ENC[AES256_GCM,data:v8qXmmu8xkw+ocj4Wa3hZbrWhhZS4eoY,iv:rzRLZJZBlHF2bspvI1hsd3vO54I4YySi/SELHXHEgDA=,tag:OhAYThd84tTZIG7UzsKxNQ==,type:str]
+    SECRET_KEY: ENC[AES256_GCM,data:9b9bhQYAFE6bUvQCW4jZzQFvwOWNStQFGIM2909C31dEiSnphrYZYC6+kkZU82U+j7Rmz/3+oll8n34i6thmeNtY3vMQCClRvA4yZHZbUGFgkPD4vxaTu4Jbzyc+ZDOOhrnMRoYgFypvMRP8Eye+Qo0Kj6YY91LfAyR62fVeR8A=,iv:JQRQpZup7hidSC7wVvQeJG/rfLgQ5Y/ySHZmOxDuRWs=,tag:Niit9l/FdysIs5Fh4AxLHg==,type:str]
+    SMTP_HOST: ENC[AES256_GCM,data:d3UqMIuGCZDDSON4UaQ=,iv:ToVcubmac0+RoZUHJsZ9ZWpTwEuy4XDzJI66O4ckPHg=,tag:0WQh+GsAP/xdShqv6F/TLw==,type:str]
+    SMTP_PORT: ENC[AES256_GCM,data:T/xR,iv:O+1G7Ug7bacSq/eYQ3Qex2p4Ga153DLID769P6zqBPU=,tag:RNZB0B4VXdaEVfrPt+JrkA==,type:str]
+    #ENC[AES256_GCM,data:vtX42+5WJiLTdZC9bckirbtgPsUz9406jZfgbRRmVkiuRWVoqQsd3SZgY9xwW++B,iv:T68EhSX/79Nx3EhcUxjVds2sZmU11ioprc9U/NrhNZY=,tag:i8R5ZpkOhtN+zoJFF3zvsQ==,type:comment]
+    SMTP_PASSWORD: ENC[AES256_GCM,data:5HXkgRJFo7GqBzmN+3Qnzw==,iv:sibIR8GSj6GnQFGLyP1lpUxXHhGK4gwnoyGa1EA1SDg=,tag:Z8KTxCq+oNrXECYs9YfgPw==,type:str]
+    SMTP_SENDER: ENC[AES256_GCM,data:ckwG+hxbb/EuKQqN4j+XSO7XxG7HdUBeUH0mVw3o,iv:mGtsmkPLulzEZAbTGQYf9ldvm/8Qu5WPnj2eZO7Gq1I=,tag:SsVMKUNX1WMP0mBh9J5low==,type:str]
+    SMTP_USERNAME: ENC[AES256_GCM,data:UaT+u//esb6mFLKZDaGq3zSujrl9vg==,iv:XRb361ZiVoddlmu/N+ZVxPZfcgoh1ny5Au7qY1YQd6s=,tag:01XtuDIGfrI48ZsKvB8nGQ==,type:str]
+    INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:FtR0KGwI6j2w,iv:a/ai+edBS4bKLT+OG637SB5GHddy6X7kF6jfQQ+MGEQ=,tag:WB6aHWKjx0ISz2g5W36y/g==,type:str]
+    INIT_POSTGRES_HOST: ENC[AES256_GCM,data:rJ9zKM+9PYyohR4Y6pDuW2AvhVp0jgMm4BwWp78AzXEnG1ByUcvFCQ==,iv:awltq5HnqZo7MSxbFEIOsuOeajIU5BWPrtBRIsF/HNc=,tag:JtSn8xmAVEQk0VkbIwcHBw==,type:str]
+    INIT_POSTGRES_PASS: ENC[AES256_GCM,data:tWakxYKffqp4rUavBL7CLDx96EEH22gv8VK4PCV8FXXZQSckQA==,iv:AtAI5Arx0M3bmWAzCH2sMzaUpWNqJvIN2X+7q6VM++I=,tag:NRsTL3ndXg3pNvvB5yVIqQ==,type:str]
+    INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:VcGOw+GfWp3UUvO6368Yt5y56D+JmYb7GAVDpvfQAX2t,iv:02KCwA46nzX8rq3A6Wci8KotAZjr9nnEXxr/QGn7vKg=,tag:zMPbDLfLYgq0hnOp2VTF4w==,type:str]
+    INIT_POSTGRES_USER: ENC[AES256_GCM,data:TjzMZ8OqVKD/gnm4d14t9xBmkacIAKbG+vknVTB3/zDi,iv:4b6b8tMFKXpxpDckbMobb/ZPre8+8U7JFqF+mIHM7tM=,tag:5ngoUiFNPPv6XTzMDrxlCA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1u79ltfzz5k79ddwgv59r76p2532xnaehzz7vggttctudr6gdkvhq33edn6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbmltMkw5aVJPTUcvTVpz
+            WEpWMUdGbFRHcitwZUpFTTViQzF2YnI3Y1RVCmE3R2lTZGF4aVpITEdIZFBNYVh5
+            RzcvYzJhZ28yeURHN3Y5Q0xnNDZOMEEKLS0tIFY0VHA0ZnRsaG4yRGViaW9JcE1R
+            ekoxSWY2dmlWK0k3bzhUdmo0ZzdvTzQKlBZSUqKIS0zDPmYiyDX/ynsV++620De6
+            FT3clq2Hev74lzkqV2NKjuJNkuPFIxSAPoySw0VYWbrxCS1ztWs8wg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-12-30T17:47:18Z"
+    mac: ENC[AES256_GCM,data:nl7zCwQ35RWka/cilFl7V3Pw5bLZGueCXX8sp43Mxr/AUtXOJPciB2fNSO8+fk+DwIjE3FHREP5EOsOlMjdnxP4Gip9hUDMYUJL9PQyDrl4CV/35aIYQRFF+PKP0yximaKebcPSULvFbZFKyXTNTlMFnK/xZHHvekosTr15xyRY=,iv:JNR7erEGqCEXBREd1uw4ufFWbdqMYpygbueBgBVBJNY=,tag:k/0UKtVODFe8dc7N4bQr9Q==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1
diff --git a/kubernetes/apps/identity/authentik/ks.yaml b/kubernetes/apps/identity/authentik/ks.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.18b.haus/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app authentik
+  namespace: flux-system
+spec:
+  targetNamespace: identity
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: cloudnative-pg-cluster
+  path: ./kubernetes/apps/identity/authentik/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
diff --git a/kubernetes/apps/identity/kustomization.yaml b/kubernetes/apps/identity/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./authentik/ks.yaml
diff --git a/kubernetes/apps/identity/namespace.yaml b/kubernetes/apps/identity/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: identity
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/flux/repositories/helm/authentik.yaml b/kubernetes/flux/repositories/helm/authentik.yaml
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.18b.haus/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: authentik
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.goauthentik.io
+  timeout: 3m
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml
@@ -5,6 +5,7 @@ kind: Kustomization
 resources:
   - ./actions-runner-controller.yaml
   - ./argo.yaml
+  - ./authentik.yaml
   - ./backube.yaml
   - ./bitnami.yaml
   - ./bjw-s.yaml

diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml
@@ -8,6 +8,8 @@ stringData:
     SECRET_ADMIN_EMAIL: ENC[AES256_GCM,data:zSwdAWAIq/NKdobAWg7M0A0=,iv:lzWPB1GxVvIglnGXJdVxjRR970ADUPBDbGKUZ1Y6T9w=,tag:q87FYZ/NXHxqJgZOSotYOw==,type:str]
     SECRET_AUTHELIA_POSTGRES_PASSWORD: ENC[AES256_GCM,data:smEVsDytKtIiDriv/sh8cK6Uz3g3jx7K,iv:mBO7/o8S0joJEdPgBlzkTPmGvqwPu3xSy9/phWwBRuY=,tag:hHfS47VIyL+a1+uq9Wk99g==,type:str]
     SECRET_AUTHELIA_POSTGRES_USER: ENC[AES256_GCM,data:0FeUxnIf5Gs=,iv:5oQA4yepwmmUfytO4rurods6rn+M9q5Tojs/7EhVsBE=,tag:DBhqFgzDterJmwbAEA+1BQ==,type:str]
+    SECRET_AUTHENTIK_POSTGRES_PASSWORD: ENC[AES256_GCM,data:i7J0wZ/WR/+dP5OPWLApfiYgXd8mU0gH,iv:4Cx9Ua9NNAXJ9AzD+0rE5HaNz7eue0WSAAYNrASsMjA=,tag:AgP2774SKCuel9scsFVMOQ==,type:str]
+    SECRET_AUTHENTIK_POSTGRES_USER: ENC[AES256_GCM,data:XoVM4FG+kwr8,iv:0hVbjzNkwTnh41CjozPdpWGepSz8MynRC7wCIp2+4DE=,tag:wlLYJcK58I0VOK9ept5rEg==,type:str]
     SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:/CnIAnfEwUN1Ap8dqes0WUrMFfQP1X9WKiNy+yeRnjYghj1I,iv:6n5bg8KsvNuSWaMfskOPUJ9GaWWc6NXeHfyrKVPN1LI=,tag:fTbP+4Zcq59F/DaP3QlyPw==,type:str]
     SECRET_CLOUDNATIVE_PG_MINIO_ACCESS_KEY_ID: ENC[AES256_GCM,data:FqZo9SLHZXLX2pzNWco=,iv:kOf9BwCF1ohT03mgRITuDIzj1cUIde/bvXL632YxttM=,tag:pwjLJ/vafObaDrnyZ4/j/A==,type:str]
     SECRET_CLOUDNATIVE_PG_MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:iO5NoNCg5OOqeU3lmm7evcvf+ZelDgg7ynUCNVzSE1GSoGwuxi5H2sz5nMdCQ7MpXwTvMCzMr5Y=,iv:FzPTfrgl3ETtvkl9nflOzcJXNOtrnvkMXf/pcWlJRW8=,tag:kTQveggHnpLgZlOzEAUT0Q==,type:str]
@@ -41,8 +43,8 @@ sops:
             ckhSSHhTelhwQmRyZGhMcSthR2p1YjgK5NR2/Pzwgp7YVVx4o8QmZ82+PXVmKx+M
             sz/72X8laFp1M8Tp8gc1csFh2VhnjS7gLdqrJJ6ozYoWh/mSdxp8VQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-30T11:30:51Z"
-    mac: ENC[AES256_GCM,data:Uhwqanxd0CyYHcQufz6Bq0rpk6p3HC/50h478MEc0knwCjy4zS93jy3q3SgxIB2bw796NdLGfn5RUvzETpz3qn4vaF/qo6Mo35uBX1712mb8SQ863xC+xVpAqJLT+h2CdDsYzrjpqjg+Z3r4hzuGS/qK9koPGPPEWvUHhueHxKU=,iv:DTsgT8X+tXm1Qim2YMaBOZha4Uv69pZZPLwScriK/v0=,tag:RrUK4x6wnSEFTq0l+0qc/g==,type:str]
+    lastmodified: "2023-12-30T16:37:24Z"
+    mac: ENC[AES256_GCM,data:pyijqnQ6iEzBQd1RgO6xCvt8aFqUvvNZFEwgTbF/o1BQptY5YM9POnbMzYKWsE6M2+6+c30L4zg5Zd0Ou3I6DJUtFlts5b8V8SjGmqBfuRDX1/8jdgJuMRtP/V0isn0NUZKMHBJCkfVCKGhZtzrCxLC3MafpvCAZsSO+QO9bWxQ=,iv:Dddd8oP7h/wgJnKVSTDA+8rT0kQEaMFOczvqlJvlbTk=,tag:HXcXT2QCxAfH0amn4b7JbA==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.8.1