add authentik

Signed-off-by: Michael Thomson <michael@michaelthomson.dev>
2026-02-04 13:09:53 +00:00 · 2024-10-04 20:18:31 -04:00
parent 163d3e75ed
commit 4efea3cfdd
8 changed files with 161 additions and 0 deletions
--- a/authentik/authentik-email-password.yaml
+++ b/authentik/authentik-email-password.yaml
@@ -0,0 +1,21 @@
 {
  "kind": "SealedSecret",
  "apiVersion": "bitnami.com/v1alpha1",
  "metadata": {
    "name": "authentik-email-password",
    "namespace": "authentik",
    "creationTimestamp": null
  },
  "spec": {
    "template": {
      "metadata": {
        "name": "authentik-email-password",
        "namespace": "authentik",
        "creationTimestamp": null
      }
    },
    "encryptedData": {
      "AUTHENTIK_EMAIL__PASSWORD": "AgB9S0bCYnUrxbQ/EAG7vRuUuZstQuvZ/s9kz4E4c9iyWMN6AYVkYxyFhrFy5F5Ge9Mis3m8wUjVVUTRoKIesWodLwOXWbZQ/VBldXlOLf7qXFnfHamSsrBKmNvCemZA+IWIurTqr5f08MF3uZrZ4tiYR1VJLilfxVdWEWo+hahwUuwWA/9BHhrE73XUImRuG7avhGcn6ek+s2W8inEpLfd7XN8L+dDACYJPNMwB9KJkceZDVr+vxCJVNHKWVMicxrLT1u5IdFxYDwhFceOdXVLNhr4BS/P97DUxWwVv3hWgY/sgW0sf8ghMkjeKegnSINIcQbjW3iLJn7Txi0zoQipv6XhJOEWvU0URc+CSY8VvEFVULN/TJ7/11mINTeLrHsTX14JTmugbMhMQxqn0mYGMmjGthOFgob6YC6YBu9bDi7iZWLxaIbx89wfxfR/zvrcAvWE+xpvf77X/fmINHBNhvlgeq00IDpQGEo0Hbm/sp2bdEZTtz7HSneKKcdFH/RUYnwHRLmglfHfG4a74KGwxsGv/aUogdz+PywsTEz1B22YMp/qCCJBfn9HUdsWyTmyAsqXL1zzhRPIoHdeoqztnOBdwZwH3c9W1IImUToMjxiyFW4x8CuVIDrpfBj2pAmkGo+zd4zLbumMcLlkoq1M6A5ad4QuRgSftczX6slNG32XWNbN/8eICfgbcv/6beTWIOK19c9kOdTbSJIL6e5nMWrgx/925qanG"
    }
  }
 }
--- a/authentik/authentik-postgresql-password.yaml
+++ b/authentik/authentik-postgresql-password.yaml
@@ -0,0 +1,21 @@
 {
  "kind": "SealedSecret",
  "apiVersion": "bitnami.com/v1alpha1",
  "metadata": {
    "name": "authentik-postgresql-password",
    "namespace": "authentik",
    "creationTimestamp": null
  },
  "spec": {
    "template": {
      "metadata": {
        "name": "authentik-postgresql-password",
        "namespace": "authentik",
        "creationTimestamp": null
      }
    },
    "encryptedData": {
      "AUTHENTIK_POSTGRESQL__PASSWORD": "AgBbQwrjhB1FpCCqqcK6t8u+tfvkGE4zauPEehkcgspGiTkK5gl7df6N+D2Ft8S16BL5wT3wcFL94pXousJZaASlV+P+MMD/mfpGUil2PM4nRM/BSXUDIqYYf/u5MiNDcT25DDv78K3Bg2RYZSssPNRb3r2+uTgmUAcsUKdmKm2E0fSCBMpo3+nMMPWjyUrVnZtGvJq48CxpG4DBW2awDQtFZOZkTnsXgXAyZEQOmmHNaZrRbqE7BwsMS5JEyvOW6vSYh4168fVls2fpJy389AV8OTUcwZfSzc+x3qCDkZYW+lgfW5n1R7eBD3sOOCbrNyLcHqJOgdsqetqr3Q//A7EvGbZ2WYHGTXJfwz0u61nJVNVtJPml1MybzvYUdGaunVo3fLetY/O6fEPCxDgUPAYZEhjYKYWxlosuz8KrihD1E+KNP9HP+7C04H3r1tBUelJSBcV/VAgM211TfhAxaq0Lh7O0ZaiNdt9w3fZufcwdxuRf4xuwHJKtS9GaFvprH/GF8rw9t6BHc798c7bW3S9/mym0l250KSb2WcjdZFOWYuWAPjtLrU2UjDQ79k8GuX7wx6lt8QWdiO+DFQGWV7TOXpyNfl+XA2241QVXx1SBdmCvQpimlbf9pTN5P0Op608TUVRTWGIDItaH17NDgo+qcnvNXElKzuRSwI7jmtL2H8xzQYG+0OILbc1fRatzSCRQhZExQZjZI8F8QDGXj6tiH7HwJivZCHuKOFZHImmPLKjf7FWw1BLOFgyPbgrLXfLc9A=="
    }
  }
 }
--- a/authentik/authentik-secret-key.yaml
+++ b/authentik/authentik-secret-key.yaml
@@ -0,0 +1,21 @@
 {
  "kind": "SealedSecret",
  "apiVersion": "bitnami.com/v1alpha1",
  "metadata": {
    "name": "authentik-secret-key",
    "namespace": "authentik",
    "creationTimestamp": null
  },
  "spec": {
    "template": {
      "metadata": {
        "name": "authentik-secret-key",
        "namespace": "authentik",
        "creationTimestamp": null
      }
    },
    "encryptedData": {
      "AUTHENTIK_SECRET_KEY": "AgCKZPdfiUFALKZiKEojiSSaTwT0vIpxS6gygO7A1w93Z2qdJsDEpjMXK8V0XKUPw2+FF6oWhM1akDn7lblkM3pgjW4XuySndknaSCGyNxewuhlD0FOBXz8DPoOIyFNLCYV4DRo+A+wIHHdCADpKkCheFJcKKp8whsk+ee98CHjrhrWWWJwlaH3ao5tQQVPDLwUeqrNpCjycoBTgYa4T0iuK2bZUMOhP0EEaLBqLPiHfij2gioE9PHht49poXsKvoqAOXXL1mY1j2y70YJX2rMdq7UW0gVnUHL7WFAvXxTFVAzC4Owe7XTfTf9ttxNUpnTr/Ekkh0I10wNuZElTjJZH4Jk5IV9SzHeAiSXNroowZrSnzuFRtK+z35WEaWPtWwnw6JaM9Vuj/caZCHAC6MtNJMvW/F4z/W29oK396JRilz7yR1hCzyJbVkoDuSul2bIT/eG3+EMfD0lZP/odiArf1a/wI5AD0pL4E9shplw6+EnunJlNj+BRY75jMr6K5UABkjwznAvhnGIQXg5RQ5galFukKwBaGu/Ujpq0erhAaQnBgjsLH3D9/0dRmyuuMo2ymzySO4jCAJYmZ650xKb2tgdT8fGENgIc/+EZ1vudFAIJp7mYOeEhRde6t59R6EmGMOTgLlpeyPymPbq9x7OG1otKsoYVtw1Cjcerm01VasZY6FXfld0agu+sllfmnwYVu8r81bi7t47maWOmLLsgRhdSCAky4gWwQ7zBAWTr0og43E+fXZw5TWZKfWvOWYWbIcA=="
    }
  }
 }
--- a/authentik/dns-endpoint.yaml
+++ b/authentik/dns-endpoint.yaml
@@ -0,0 +1,15 @@
 apiVersion: externaldns.k8s.io/v1alpha1
 kind: DNSEndpoint
 metadata:
  name: authentik.michaelthomson.dev
  namespace: authentik
 spec:
  endpoints:
  - dnsName: authentik.michaelthomson.dev
    recordTTL: 180
    recordType: CNAME
    targets:
      - michaelthomson.ddns.net
    providerSpecific:
      - name: external-dns.alpha.kubernetes.io/cloudflare-proxied
        value: "true"
--- a/authentik/helmrelease-authentik.yaml
+++ b/authentik/helmrelease-authentik.yaml
@@ -0,0 +1,53 @@
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
  name: authentik
  namespace: authentik
 spec:
  chart:
    spec:
      chart: authentik
      version: 2024.8.3
      sourceRef:
        kind: HelmRepository
        name: authentik
        namespace: flux-system
  interval: 15m
  timeout: 5m
  releaseName: authentik
  values:
    global:
      envFrom:
        - secretRef:
            name: authentik-postgresql-password
        - secretRef:
            name: authentik-secret-key
        - secretRef:
            name: authentik-email-password
    server:
      ingress:
        enabled: true
        ingressClassName: traefik
        annotations:
          traefik.ingress.kubernetes.io/router.tls: "true"
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
          - authentik.michaelthomson.dev
        tls:
          - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
            hosts:
              - authentik.michaelthomson.dev
    postgresql:
      enabled: true
    redis:
      enabled: true
    email:
      host: mail.michaelthomson.dev
      port: 465
      username: server@michaelthomson.dev
      use_tls: true
      from: "Michael's Server <server@michaelthomson.dev>"
--- a/bootstrap/helmrepositories/helmrepository-authentik.yaml
+++ b/bootstrap/helmrepositories/helmrepository-authentik.yaml
@@ -0,0 +1,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
  name: authentik
  namespace: flux-system
 spec:
  interval: 15m
  url: https://charts.goauthentik.io/
--- a/bootstrap/kustomizations/kustomization-authentik.yaml
+++ b/bootstrap/kustomizations/kustomization-authentik.yaml
@@ -0,0 +1,18 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: authentik
  namespace: flux-system
 spec:
  interval: 15m
  path: ./authentik
  prune: true # remove any elements later removed from the above path
  timeout: 2m # if not set, this defaults to interval duration, which is 1h
  sourceRef:
    kind: GitRepository
    name: flux-system
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2beta2
      kind: HelmRelease
      name: authentik
      namespace: authentik
--- a/bootstrap/namespaces/namespace-authentik.yaml
+++ b/bootstrap/namespaces/namespace-authentik.yaml
@@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: authentik