martinohmann · martinohmann · Jan 5, 2024 · Dec 30, 2023
@@ -0,0 +1,133 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.18b.haus/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: authentik
+spec:
+  chart:
+    spec:
+      chart: authentik
+      version: 2023.10.5
+      sourceRef:
+        kind: HelmRepository
+        name: authentik
+        namespace: flux-system
+  interval: 30m
+  values:
+    controller:
+      annotations:
+        secret.reloader.stakater.com/reload: &secret authentik-secret
+    initContainers:
+      init-db:
+        image: ghcr.io/onedr0p/postgres-init:16.1
+        envFrom:
+          - secretRef:
+              name: &secret authentik-secret
+    replicas: 2
+    worker:
+      replicas: 2
+    authentik:
+      email:
+        host: ${SECRET_SMTP_HOST}
+        port: ${SECRET_SMTP_PORT}
+        from: "Authentik <${SECRET_SMTP_DEFAULT_SENDER_ADDRESS}>"
+        username: ${SECRET_SMTP_USERNAME}
+        password: ${SECRET_SMTP_PASSWORD}
+        use_tls: true
+      log_level: debug
+      error_reporting:
+        enabled: false
+    ingress:
+      enabled: true
+      ingressClassName: internal
+      annotations:
+        hajimari.io/group: identity
+        hajimari.io/icon: simple-icons:authelia
+      hosts:
+        - host: &host identity.18b.haus
+          paths:
+            - path: /
+              pathType: Prefix
+      tls:
+        - hosts:
+            - *host
+    prometheus:
+      serviceMonitor:
+        create: true
+      rules:
+        create: true
+    resources:
+      server:
+        requests:
+          cpu: 50m
+          memory: 200Mi
+        limits:
+          memory: 800Mi
+      worker:
+        requests:
+          cpu: 50m
+          memory: 200Mi
+        limits:
+          memory: 800Mi
+    redis:
+      enabled: true
+      auth:
+        enabled: true
+      master:
+        persistence:
+          enabled: true
+          storageClass: longhorn
+          size: 200Mi
+        resources:
+          requests:
+            cpu: 15m
+            memory: 50Mi
+          limits:
+            memory: 100Mi
+      commonConfiguration: |-
+        # Enable AOF https://redis.io/topics/persistence#append-only-file
+        appendonly yes
+        # Disable RDB persistence, AOF persistence already enabled.
+        save ""
+        maxmemory 94371840
+        maxmemory-policy allkeys-lru
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+        resources:
+          requests:
+            cpu: 10m
+            memory: 10Mi
+          limits:
+            memory: 20Mi
+  valuesFrom:
+    - kind: Secret
+      name: *secret
+      valuesKey: SECRET_KEY
+      targetPath: authentik.secret_key
+    - kind: Secret
+      name: *secret
+      valuesKey: REDIS_PASSWORD
+      targetPath: authentik.redis.password
+    - kind: Secret
+      name: *secret
+      valuesKey: REDIS_PASSWORD
+      targetPath: redis.auth.password
+    - kind: Secret
+      name: *secret
+      valuesKey: INIT_POSTGRES_HOST
+      targetPath: authentik.postgresql.host
+    - kind: Secret
+      name: *secret
+      valuesKey: INIT_POSTGRES_USER
+      targetPath: authentik.postgresql.user
+    - kind: Secret
+      name: *secret
+      valuesKey: INIT_POSTGRES_PASS
+      targetPath: authentik.postgresql.password
+    - kind: Secret
+      name: *secret
+      valuesKey: INIT_POSTGRES_DBNAME
+      targetPath: authentik.postgresql.name
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: authentik-secret
+stringData:
+    INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:FtR0KGwI6j2w,iv:a/ai+edBS4bKLT+OG637SB5GHddy6X7kF6jfQQ+MGEQ=,tag:WB6aHWKjx0ISz2g5W36y/g==,type:str]
+    INIT_POSTGRES_HOST: ENC[AES256_GCM,data:rJ9zKM+9PYyohR4Y6pDuW2AvhVp0jgMm4BwWp78AzXEnG1ByUcvFCQ==,iv:awltq5HnqZo7MSxbFEIOsuOeajIU5BWPrtBRIsF/HNc=,tag:JtSn8xmAVEQk0VkbIwcHBw==,type:str]
+    INIT_POSTGRES_PASS: ENC[AES256_GCM,data:6B3laoW3bTvFtha4bUT5vv04aVieeef0,iv:FB7esh7ivfz4RYFgK0RCL/L3phv9c6/9f6key8Thtkk=,tag:FvGnQVuphK463bcH9qgxzw==,type:str]
+    INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:VcGOw+GfWp3UUvO6368Yt5y56D+JmYb7GAVDpvfQAX2t,iv:02KCwA46nzX8rq3A6Wci8KotAZjr9nnEXxr/QGn7vKg=,tag:zMPbDLfLYgq0hnOp2VTF4w==,type:str]
+    INIT_POSTGRES_USER: ENC[AES256_GCM,data:c0NYVxhkMl2A,iv:rbqXHK8MTq0XovS7Nd4+7Ts3EjeQUps8zYmeTf/beIE=,tag:kTz6upYh9nU5wsgHXxgD3w==,type:str]
+    REDIS_PASSWORD: ENC[AES256_GCM,data:v8qXmmu8xkw+ocj4Wa3hZbrWhhZS4eoY,iv:rzRLZJZBlHF2bspvI1hsd3vO54I4YySi/SELHXHEgDA=,tag:OhAYThd84tTZIG7UzsKxNQ==,type:str]
+    SECRET_KEY: ENC[AES256_GCM,data:ZAdt5u+gBsHps/HcEtTNbFsx1Ulrs5Osgocw/ueHdK2+u81WjLdB/r2b6NXLgFxYi3s=,iv:Uwn4MSCcikcevZ8S6AjlGAgZv4XV+8nzeAoNvrMsX4U=,tag:NEiVeGw6U0JrvIQmbGFxWw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1u79ltfzz5k79ddwgv59r76p2532xnaehzz7vggttctudr6gdkvhq33edn6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQbmltMkw5aVJPTUcvTVpz
+            WEpWMUdGbFRHcitwZUpFTTViQzF2YnI3Y1RVCmE3R2lTZGF4aVpITEdIZFBNYVh5
+            RzcvYzJhZ28yeURHN3Y5Q0xnNDZOMEEKLS0tIFY0VHA0ZnRsaG4yRGViaW9JcE1R
+            ekoxSWY2dmlWK0k3bzhUdmo0ZzdvTzQKlBZSUqKIS0zDPmYiyDX/ynsV++620De6
+            FT3clq2Hev74lzkqV2NKjuJNkuPFIxSAPoySw0VYWbrxCS1ztWs8wg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-05T13:02:06Z"
+    mac: ENC[AES256_GCM,data:ErHphxf/T84T08gdjvz0R5j42G4YD0wkMUBmiAsz4QlXKoTEOn6bjNO7HeqV16m0tQmwl0fEEOaQTiK151IZXJFAeukVxq5d6MoiI0VRO9l9BnW9+KmSGROHrjMEJJjQw4fsZw8JGjf42BjLDhSoJDS212QdWl2M+1C5c8w5iN8=,iv:mYmSuOqqngrfKhsQ+MAEPDmqCOvmbIXGH2oQWsiNXbA=,tag:skCqeGQjVVIk/MYkByVG6A==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.18b.haus/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app authentik
+  namespace: flux-system
+spec:
+  targetNamespace: identity
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: cloudnative-pg-cluster
+  path: ./kubernetes/apps/identity/authentik/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./authentik/ks.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: identity
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.18b.haus/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: authentik
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.goauthentik.io
+  timeout: 3m
@@ -5,6 +5,7 @@ kind: Kustomization
 resources:
   - ./actions-runner-controller.yaml
   - ./argo.yaml
+  - ./authentik.yaml
   - ./backube.yaml
   - ./bitnami.yaml
   - ./bjw-s.yaml