From 829a5a3fd851f3564a6a21aef48e75db7cccddc7 Mon Sep 17 00:00:00 2001 From: Lumpiasty Date: Sat, 14 Mar 2026 20:08:48 +0100 Subject: [PATCH] add authentik deployment --- apps/authentik/kustomization.yaml | 8 ++++ apps/authentik/namespace.yaml | 4 ++ apps/authentik/postgres-cluster.yaml | 23 +++++++++++ apps/authentik/postgres-volume.yaml | 33 +++++++++++++++ apps/authentik/release.yaml | 61 ++++++++++++++++++++++++++++ apps/authentik/secret.yaml | 38 +++++++++++++++++ apps/kustomization.yaml | 1 + 7 files changed, 168 insertions(+) create mode 100644 apps/authentik/kustomization.yaml create mode 100644 apps/authentik/namespace.yaml create mode 100644 apps/authentik/postgres-cluster.yaml create mode 100644 apps/authentik/postgres-volume.yaml create mode 100644 apps/authentik/release.yaml create mode 100644 apps/authentik/secret.yaml
diff --git a/apps/authentik/kustomization.yaml b/apps/authentik/kustomization.yaml
new file mode 100644
index 0000000..aabcd8b
--- /dev/null
+++ b/apps/authentik/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - postgres-volume.yaml
+ - postgres-cluster.yaml
+ - secret.yaml
+ - release.yaml
diff --git a/apps/authentik/namespace.yaml b/apps/authentik/namespace.yaml
new file mode 100644
index 0000000..bb24d8d
--- /dev/null
+++ b/apps/authentik/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: authentik
diff --git a/apps/authentik/postgres-cluster.yaml b/apps/authentik/postgres-cluster.yaml
new file mode 100644
index 0000000..112e4c4
--- /dev/null
+++ b/apps/authentik/postgres-cluster.yaml
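Review bot: The new files are inconsistent about the document-start marker: kustomization.yaml, namespace.yaml and postgres-volume.yaml open directly with `apiVersion:`, while postgres-cluster.yaml, release.yaml and secret.yaml open with `---`. Pick one convention for the directory; a leading `---` in every file is the safer choice because three of these files are already multi-document and a later merge or concatenation then cannot fuse two documents. The same applies to the namespace.yaml and postgres-volume.yaml hunks below, so it is raised only here.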
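Review bot: The `authentik` Namespace is created without Pod Security Admission labels, so nothing constrains what the authentik and CloudNativePG pods scheduled into it may request. Since this namespace will hold the identity provider and its database, consider labelling it with `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted`, and tightening enforcement to restricted once the chart's pods are confirmed to comply. Whether they comply today is not visible from this change, so verify before enforcing.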
@@ -0,0 +1,23 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: authentik-postgresql-cluster-lvmhdd
+ namespace: authentik
+spec:
+ instances: 1
+
+ imageName: ghcr.io/cloudnative-pg/postgresql:17.4
+
+ bootstrap:
+ initdb:
+ database: authentik
+ owner: authentik
+
+ storage:
+ pvcTemplate:
+ storageClassName: hdd-lvmpv
+ resources:
+ requests:
+ storage: 10Gi
+ volumeName: authentik-postgresql-cluster-lvmhdd-1
diff --git a/apps/authentik/postgres-volume.yaml b/apps/authentik/postgres-volume.yaml
new file mode 100644
index 0000000..77b94d9
--- /dev/null
+++ b/apps/authentik/postgres-volume.yaml
@@ -0,0 +1,33 @@
+apiVersion: local.openebs.io/v1alpha1
+kind: LVMVolume
+metadata:
+ labels:
+ kubernetes.io/nodename: anapistula-delrosalae
+ name: authentik-postgresql-cluster-lvmhdd-1
+ namespace: openebs
+spec:
+ capacity: 10Gi
+ ownerNodeID: anapistula-delrosalae
+ shared: "yes"
+ thinProvision: "no"
+ vgPattern: ^openebs-hdd$
+ volGroup: openebs-hdd
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+ name: authentik-postgresql-cluster-lvmhdd-1
+spec:
+ capacity:
+ storage: 10Gi
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: hdd-lvmpv
+ volumeMode: Filesystem
+ csi:
+ driver: local.csi.openebs.io
+ fsType: btrfs
+ volumeHandle: authentik-postgresql-cluster-lvmhdd-1
+---
+# PVCs are dynamically created by the Postgres operator
diff --git a/apps/authentik/release.yaml b/apps/authentik/release.yaml
new file mode 100644
index 0000000..2740ad9
--- /dev/null
+++ b/apps/authentik/release.yaml
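Review bot: `spec.storage.pvcTemplate.volumeName` pins every instance's PVC to the single PV `authentik-postgresql-cluster-lvmhdd-1`, so this Cluster cannot be scaled beyond `instances: 1`: a second PVC rendered from the same template would request an already-bound volume and stay Pending. That is fine for a one-node setup, but it should be stated next to the field, e.g. `# volumeName binds to the pre-provisioned PV in postgres-volume.yaml; instances must stay 1`. There is also no `spec.backup` section, so the only copy of the identity provider's database is one LVM volume on one node; a CloudNativePG `backup` configuration with a `ScheduledBackup` to off-node storage is worth adding before other apps start delegating logins to this instance.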
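Review bot: The PersistentVolume has no `claimRef`, so until the operator's PVC appears any PVC in any namespace requesting `storageClassName: hdd-lvmpv` and at most 10Gi could bind it and land on the Postgres data volume. Pre-bind it with `claimRef:`, `  namespace: authentik`, `  name: authentik-postgresql-cluster-lvmhdd-1` — CloudNativePG names the PVC `<cluster>-1` as far as I know, but confirm against a running cluster. `shared: "yes"` on the LVMVolume also allows the volume to be mounted by more than one pod on the node; for a database volume `shared: "no"` is the safer setting unless something else genuinely needs it. Finally, the trailing `---` followed only by a comment leaves an empty document at the end of the file, which some tooling rejects; move the comment above the separator or drop the separator.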
@@ -0,0 +1,61 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: authentik
+ namespace: authentik
+spec:
+ interval: 24h
+ url: https://charts.goauthentik.io
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: authentik
+ namespace: authentik
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: authentik
+ version: 2026.2.1
+ sourceRef:
+ kind: HelmRepository
+ name: authentik
+ namespace: authentik
+ interval: 12h
+ values:
+ authentik:
+ postgresql:
+ host: authentik-postgresql-cluster-lvmhdd-rw
+ name: authentik
+ user: authentik
+
+ global:
+ env:
+ - name: AUTHENTIK_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: authentik-secret
+ key: secret_key
+ - name: AUTHENTIK_POSTGRESQL__PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: authentik-postgresql-cluster-lvmhdd-app
+ key: password
+
+ postgresql:
+ enabled: false
+
+ server:
+ ingress:
+ enabled: true
+ ingressClassName: nginx-ingress
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ hosts:
+ - authentik.lumpiasty.xyz
+ tls:
+ - secretName: authentik-ingress
+ hosts:
+ - authentik.lumpiasty.xyz
diff --git a/apps/authentik/secret.yaml b/apps/authentik/secret.yaml
new file mode 100644
index 0000000..d2520b0
--- /dev/null
+++ b/apps/authentik/secret.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: authentik-secret
+ namespace: authentik
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: authentik
+ namespace: authentik
+spec:
+ method: kubernetes
+ mount: kubernetes
+ kubernetes:
+ role: authentik
+ serviceAccount: authentik-secret
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: authentik-secret
+ namespace: authentik
+spec:
+ type: kv-v2
+
+ mount: secret
+ path: authentik
+
+ destination:
+ create: true
+ name: authentik-secret
+ type: Opaque
+ transformation:
+ excludeRaw: true
+
+ vaultAuthRef: authentik
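Review bot: The two `secretKeyRef`s under `global.env` depend on Secrets that nothing in this file creates: `authentik-secret` is written by the VaultStaticSecret in secret.yaml, and `authentik-postgresql-cluster-lvmhdd-app` is generated by CloudNativePG for the `authentik` owner declared in postgres-cluster.yaml. Until both exist the server and worker pods cannot start, the Helm install times out, and with no `spec.install.remediation` configured Flux, as I understand its defaults, marks the HelmRelease failed instead of retrying. Add `install:` / `  remediation:` / `    retries: 3` (and the same under `upgrade`) so the release recovers once the operators have caught up, and put a comment on each env entry naming the file that produces its Secret so the dependency is visible to the next reader.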
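Review bot: The ServiceAccount is named `authentik-secret`, the same name as the Secret the VaultStaticSecret writes, so `serviceAccount: authentik-secret` in the VaultAuth reads as if a Secret were being referenced; a name such as `authentik-vault` would make each object's role obvious. The VaultStaticSecret sets no `refreshAfter`, so as I read the VSO defaults a rotated `secret_key` in Vault is not re-synced on a schedule, and with no `rolloutRestartTargets` a refreshed Secret would not restart the authentik pods that consume it through `env` — confirm the intended rotation story and record it in a comment on the resource. `excludeRaw: true` is the right call since it keeps the full Vault response (the `_raw` key) out of the Kubernetes Secret.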
diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml
index a92f5b0..6b92ee5 100644
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - authentik
 - gitea
 - renovate
 - librechat