From b911fa594de5e0674d9ddc51ac3ef996b2924c34 Mon Sep 17 00:00:00 2001
From: Michael Thomson
Date: Thu, 23 Nov 2023 09:14:20 -0500
Subject: [PATCH] authentik
---
authentik/dns-endpoint-authentik.yaml | 12 + authentik/helmrelease-authentik.yaml | 320 ++++++++++++++++++ ...edsecret-authentik-bootstrap-password.yaml | 21 ++ ...dsecret-authentik-postgresql-password.yaml | 21 ++ .../sealedsecret-authentik-secret-key.yaml | 21 ++ .../helmrepository-authentik.yaml | 8 + .../kustomization-authentik.yaml | 20 ++ bootstrap/namespaces/namespace-authentik.yaml | 4 +
8 files changed, 427 insertions(+)
create mode 100644 authentik/dns-endpoint-authentik.yaml
create mode 100644 authentik/helmrelease-authentik.yaml
create mode 100644 authentik/sealedsecret-authentik-bootstrap-password.yaml
create mode 100644 authentik/sealedsecret-authentik-postgresql-password.yaml
create mode 100644 authentik/sealedsecret-authentik-secret-key.yaml
create mode 100644 bootstrap/helmrepositories/helmrepository-authentik.yaml
create mode 100644 bootstrap/kustomizations/kustomization-authentik.yaml
create mode 100644 bootstrap/namespaces/namespace-authentik.yaml
diff --git a/authentik/dns-endpoint-authentik.yaml b/authentik/dns-endpoint-authentik.yaml
new file mode 100644
index 0000000..c35a551
--- /dev/null
+++ b/authentik/dns-endpoint-authentik.yaml
@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: authentik.michaelthomson.dev
+ namespace: authentik
+spec:
+ endpoints:
+ - dnsName: authentik.michaelthomson.dev
+ recordTTL: 180
+ recordType: CNAME
+ targets:
+ - server.michaelthomson.dev
diff --git a/authentik/helmrelease-authentik.yaml b/authentik/helmrelease-authentik.yaml
new file mode 100644
index 0000000..b335e3b
--- /dev/null
+++ b/authentik/helmrelease-authentik.yaml
@@ -0,0 +1,320 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: authentik
+ namespace: authentik
+spec:
+ chart:
+ spec:
+ chart: authentik
+ version: 2023.10.x
+ sourceRef:
+ kind: HelmRepository
+ name: authentik
+ namespace: flux-system
+ interval: 15m
+ timeout: 5m
+ releaseName: authentik
+ values:
+ # -- Server replicas
+ replicas: 1
+ # -- Custom priority class for different treatment by the scheduler
+ priorityClassName:
+ # -- server securityContext
+ securityContext: {}
+ # -- server containerSecurityContext
+ containerSecurityContext: {}
+ # -- server deployment strategy
+ strategy: {}
+ # type: RollingUpdate
+ # rollingUpdate:
+ # maxSurge: 25%
+ # maxUnavailable: 25%
+
+ worker:
+ # -- worker replicas
+ replicas: 1
+ # -- Custom priority class for different treatment by the scheduler
+ priorityClassName:
+ # -- worker securityContext
+ securityContext: {}
+ # -- worker containerSecurityContext
+ containerSecurityContext: {}
+ # -- worker strategy
+ strategy: {}
+ # type: RollingUpdate
+ # rollingUpdate:
+ # maxSurge: 25%
+ # maxUnavailable: 25%
+
+ image:
+ repository: ghcr.io/goauthentik/server
+ tag: 2023.10.4
+ # -- optional container image digest
+ digest: ""
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+
+ # -- Specify any initContainers here as dictionary items. Each initContainer should have its own key. The dictionary item key will determine the order. Helm templates can be used
+ initContainers: {}
+
+ # -- Specify any additional containers here as dictionary items. Each additional container should have its own key. Helm templates can be used.
+ additionalContainers: {}
+
+ ingress:
+ enabled: true
+ ingressClassName: "traefik"
+ annotations: {}
+ labels: {}
+ hosts:
+ - host: authentik.michaelthomson.dev
+ paths:
+ - path: "/"
+ pathType: Prefix
+ tls:
+ - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+ hosts:
+ - authentik.michaelthomson.dev
+
+ # -- Annotations to add to the server and worker deployments
+ annotations: {}
+
+ # -- Annotations to add to the server and worker pods
+ podAnnotations: {}
+
+ authentik:
+ # -- Log level for server and worker
+ log_level: info
+ # -- Secret key used for cookie singing and unique user IDs,
+ # don't change this after the first install
+ # secret_key: "${AUTHENTIK_SECRET_KEY}"
+ # -- Path for the geoip database. If the file doesn't exist, GeoIP features are disabled.
+ geoip: /geoip/GeoLite2-City.mmdb
+ email:
+ # -- SMTP Server emails are sent from, fully optional
+ host: ""
+ port: 587
+ # -- SMTP credentials, when left empty, not authentication will be done
+ username: ""
+ # -- SMTP credentials, when left empty, not authentication will be done
+ password: ""
+ # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
+ use_tls: false
+ # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
+ use_ssl: false
+ # -- Connection timeout
+ timeout: 30
+ # -- Email from address, can either be in the format "foo@bar.baz" or "authentik "
+ from: ""
+ outposts:
+ # -- Template used for managed outposts.
The following placeholders can be used
+ # %(type)s - the type of the outpost
+ # %(version)s - version of your authentik install
+ # %(build_hash)s - only for beta versions, the build hash of the image
+ container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
+ error_reporting:
+ # -- This sends anonymous usage-data, stack traces on errors and
+ # performance data to sentry.beryju.org, and is fully opt-in
+ enabled: false
+ # -- This is a string that is sent to sentry with your error reports
+ environment: "k8s"
+ # -- Send PII (Personally identifiable information) data to sentry
+ send_pii: false
+ postgresql:
+ # -- set the postgresql hostname to talk to
+ # if unset and .Values.postgresql.enabled == true, will generate the default
+ # @default -- `{{ .Release.Name }}-postgresql`
+ host: "{{ .Release.Name }}-postgresql"
+ # -- postgresql Database name
+ # @default -- `authentik`
+ name: "authentik"
+ # -- postgresql Username
+ # @default -- `authentik`
+ user: "authentik"
+ # password: "${AUTHENTIK_POSTGRESQL__PASSWORD}"
+ port: 5432
+ redis:
+ # -- set the redis hostname to talk to
+ # @default -- `{{ .Release.Name }}-redis-master`
+ host: "{{ .Release.Name }}-redis-master"
+ password: ""
+
+ # -- List of config maps to mount blueprints from.
Only keys in the
+ # configmap ending with ".yaml" wil be discovered and applied
+ blueprints: []
+
+ # -- see configuration options at https://goauthentik.io/docs/installation/configuration/
+ env: {}
+
+ envFrom: []
+ # - configMapRef:
+ # name: special-config
+
+ envValueFrom:
+ AUTHENTIK_SECRET_KEY:
+ secretKeyRef:
+ name: authentik-secret-key
+ key: secret-key
+ AUTHENTIK_BOOTSTRAP_PASSWORD:
+ secretKeyRef:
+ name: authentik-bootstrap-password
+ key: bootstrap-password
+ AUTHENTIK_POSTGRESQL__PASSWORD:
+ secretKeyRef:
+ name: authentik-postgresql-password
+ key: postgresql-password
+
+ service:
+ # -- Service that is created to access authentik
+ enabled: true
+ type: ClusterIP
+ port: 80
+ name: http
+ protocol: TCP
+ labels: {}
+ annotations: {}
+
+ volumes: []
+
+ volumeMounts: []
+
+ # -- affinity applied to the deployments
+ affinity: {}
+
+ # -- tolerations applied to the deployments
+ tolerations: []
+
+ # -- nodeSelector applied to the deployments
+ nodeSelector: {}
+
+ resources:
+ server: {}
+ worker: {}
+
+ autoscaling:
+ server:
+ # -- Create a HPA for the server deployment
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 5
+ targetCPUUtilizationPercentage: 50
+ worker:
+ # -- Create a HPA for the worker deployment
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 5
+ targetCPUUtilizationPercentage: 80
+
+ pdb:
+ server:
+ # -- Deploy a PodDistrubtionBudget for the server
+ enabled: false
+ # -- Labels to be added to the server pdb
+ labels: {}
+ # -- Annotations to be added to the server pdb
+ annotations: {}
+ # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
+ # @default -- `""` (defaults to 0 if not specified)
+ minAvailable: ""
+ # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
+ ## Has higher precedence over `pdb.server.minAvailable`
+ maxUnavailable: ""
+ worker:
+ # -- Deploy a PodDistrubtionBudget for the worker
+ enabled: false
+ # -- Labels to be added to the
worker pdb
+ labels: {}
+ # -- Annotations to be added to the worker pdb
+ annotations: {}
+ # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
+ # @default -- `""` (defaults to 0 if not specified)
+ minAvailable: ""
+ # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
+ ## Has higher precedence over `pdb.worker.minAvailable`
+ maxUnavailable: ""
+
+ livenessProbe:
+ # -- enables or disables the livenessProbe
+ enabled: true
+ httpGet:
+ # -- liveness probe url path
+ path: /-/health/live/
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+
+ startupProbe:
+ # -- enables or disables the livenessProbe
+ enabled: true
+ httpGet:
+ # -- liveness probe url path
+ path: /-/health/live/
+ port: http
+ failureThreshold: 60
+ periodSeconds: 5
+
+ readinessProbe:
+ enabled: true
+ httpGet:
+ path: /-/health/ready/
+ port: http
+ periodSeconds: 10
+
+ serviceAccount:
+ # -- Service account is needed for managed outposts
+ create: true
+ annotations: {}
+ serviceAccountSecret:
+ # -- As we use the authentik-remote-cluster chart as subchart, and that chart
+ # creates a service account secret by default which we don't need here, disable its creation
+ enabled: false
+ fullnameOverride: authentik
+ nameOverride: authentik
+
+ prometheus:
+ serviceMonitor:
+ create: false
+ interval: 30s
+ scrapeTimeout: 3s
+ # -- labels additional on ServiceMonitor
+ labels: {}
+ rules:
+ create: false
+ # -- labels additional on PrometheusRule
+ labels: {}
+
+ geoip:
+ # -- optional GeoIP, deploys a cronjob to download the maxmind database
+ enabled: false
+ # -- sign up under https://www.maxmind.com/en/geolite2/signup
+ accountId: ""
+ # -- sign up under https://www.maxmind.com/en/geolite2/signup
+ licenseKey: ""
+ editionIds: "GeoLite2-City"
+ image: maxmindinc/geoipupdate:v4.8
+ # -- number of hours between update runs
+ updateInterval: 8
+ # -- server containerSecurityContext
+ containerSecurityContext:
{}
+ postgresql:
+ # -- enable the bundled bitnami postgresql chart
+ enabled: true
+ postgresqlMaxConnections: 500
+ postgresqlUsername: "authentik"
+ # postgresqlPassword: "${AUTHENTIK_POSTGRESQL__PASSWORD}"
+ postgresqlDatabase: "authentik"
+ persistence:
+ enabled: true
+ storageClass: longhorn
+ # accessModes:
+ # - ReadWriteOnce
+ image:
+ tag: 15.4.0-debian-11-r0
+ redis:
+ # -- enable the bundled bitnami redis chart
+ enabled: true
+ architecture: standalone
+ auth:
+ enabled: false
+ image:
+ tag: 6.2.10-debian-11-r13
diff --git a/authentik/sealedsecret-authentik-bootstrap-password.yaml b/authentik/sealedsecret-authentik-bootstrap-password.yaml
new file mode 100644
index 0000000..a8c97eb
--- /dev/null
+++ b/authentik/sealedsecret-authentik-bootstrap-password.yaml
@@ -0,0 +1,21 @@
+{
+ "kind": "SealedSecret",
+ "apiVersion": "bitnami.com/v1alpha1",
+ "metadata": {
+ "name": "authentik-bootstrap-password",
+ "namespace": "authentik",
+ "creationTimestamp": null
+ },
+ "spec": {
+ "template": {
+ "metadata": {
+ "name": "authentik-bootstrap-password",
+ "namespace": "authentik",
+ "creationTimestamp": null
+ }
+ },
+ "encryptedData": {
+ "bootstrap-password": "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"
+ }
+ }
+}
diff --git a/authentik/sealedsecret-authentik-postgresql-password.yaml b/authentik/sealedsecret-authentik-postgresql-password.yaml
new file mode 100644
index 0000000..be6cf3b
--- /dev/null
+++ b/authentik/sealedsecret-authentik-postgresql-password.yaml
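Review bot: The bundled PostgreSQL subchart is enabled with `postgresqlPassword` left commented out, while the application side reads `AUTHENTIK_POSTGRESQL__PASSWORD` from the `authentik-postgresql-password` secret through `envValueFrom`; if the subchart generates its own password when none is supplied, the credential the database is initialised with and the one authentik presents will differ and the server will not connect. Pointing the subchart at the same secret, e.g. `existingSecret: authentik-postgresql-password` under `postgresql:` (the sealed secret already uses the `postgresql-password` key the bitnami chart's secret is keyed on), keeps the two in sync, assuming the subchart version pulled by `2023.10.x` honours that value. Separately, `securityContext: {}` and `containerSecurityContext: {}` on both server and worker leave pod hardening entirely to chart defaults; for an identity provider reached through the ingress, `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and dropping all capabilities are worth setting explicitly. Minor: the `startupProbe` comments still say `livenessProbe`, and `priorityClassName:` is a bare empty value that parses as null rather than an empty string.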
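Review bot: This SealedSecret is kubeseal's JSON output stored under a `.yaml` extension, while every other manifest in the commit is block YAML; JSON parses as YAML, but it is inconsistent with the rest of the repo and noisier to diff. Emitting with `kubeseal --format yaml` (or converting once) and dropping the `"creationTimestamp": null` fields would bring it in line with the other manifests. The same applies to `sealedsecret-authentik-postgresql-password.yaml` and `sealedsecret-authentik-secret-key.yaml`.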
@@ -0,0 +1,21 @@
+{
+ "kind": "SealedSecret",
+ "apiVersion": "bitnami.com/v1alpha1",
+ "metadata": {
+ "name": "authentik-postgresql-password",
+ "namespace": "authentik",
+ "creationTimestamp": null
+ },
+ "spec": {
+ "template": {
+ "metadata": {
+ "name": "authentik-postgresql-password",
+ "namespace": "authentik",
+ "creationTimestamp": null
+ }
+ },
+ "encryptedData": {
+ "postgresql-password": "AgAu6ZcMSYcquAY1vI46E7HBfcC5UgnpUinBSZx6zUtCT/1ExxuMQd70vgFhoBiFDP83pzn1e7VvCq4uxp1bnRjYZYx+VjTvnmuk1w9rEiyzFSFpQaKLkH1PDrzIIMr1R/MKWyWIiOnyWagHL4Rw+S/+rub4vfvY0BvZF4zQIwfkZGTXdFn7jl+Uu0zRYhTSv4hNserK70dgiJAfdexqA2p4Gb3Ml1JNqvntbJmwSF6D4BpLw8CzilhNQPwHbamoZk+PrZ43qCjBrHehaxBg10nNyYuvJKDPB872tjyXeRKtTj8xqC/kXj30CK9XOf+mG7BtE2frmorz7ee4FeoYMx03XlriTedGs8lLLarD7iSXgGz35H+61iLcLOKZQDTcUez/RjT4JdZvEZEpNCb6pwzTafwcfo0Z8Wm/Q0vps07xrntG0oLqF8YtjYlWGBnTdOvdHBaP5f0wzdWOhQLOoPyHY5qy3vAnR50gTHEj4cekQ6g1Ghhu3m288mWDxQviUYH33qm26Gijin2jRTRr6TCE/JVrDkDAHHsEjAdB72W4PPIP7keaLh/auCQ0QwvHIq+4cEq67ZLiYnfhoOjq0PYGFGBuQF9DYabktIDXoBS9SVnd7pPqMQkOZ4FQfkajjjtdfH/WYzJDrxkFxfS8Rx1oD3hErk5IZvYoLiOXueH/nCaW3TD98trDZdyQNiRM0yU8H36o0oT5ta7JrLRSVBZcvI1KUj+r90jMm18H3nM="
+ }
+ }
+}
diff --git a/authentik/sealedsecret-authentik-secret-key.yaml b/authentik/sealedsecret-authentik-secret-key.yaml
new file mode 100644
index 0000000..6226966
--- /dev/null
+++ b/authentik/sealedsecret-authentik-secret-key.yaml
@@ -0,0 +1,21 @@
+{
+ "kind": "SealedSecret",
+ "apiVersion": "bitnami.com/v1alpha1",
+ "metadata": {
+ "name": "authentik-secret-key",
+ "namespace": "authentik",
+ "creationTimestamp": null
+ },
+ "spec": {
+ "template": {
+ "metadata": {
+ "name": "authentik-secret-key",
+ "namespace": "authentik",
+ "creationTimestamp": null
+ }
+ },
+ "encryptedData": {
+ "secret-key": "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"
+ }
+ }
+}
diff --git a/bootstrap/helmrepositories/helmrepository-authentik.yaml b/bootstrap/helmrepositories/helmrepository-authentik.yaml
new file mode 100644
index 0000000..c0708a2
--- /dev/null
+++ b/bootstrap/helmrepositories/helmrepository-authentik.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: authentik
+ namespace: flux-system
+spec:
+ interval: 15m
+ url: https://charts.goauthentik.io/
diff --git a/bootstrap/kustomizations/kustomization-authentik.yaml b/bootstrap/kustomizations/kustomization-authentik.yaml
new file mode 100644
index 0000000..5fc3087
--- /dev/null
+++ b/bootstrap/kustomizations/kustomization-authentik.yaml
@@ -0,0 +1,20 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: authentik
+ namespace: flux-system
+spec:
+ interval: 30m
+ path: ./authentik
+ dependsOn:
+ - name: "sealed-secrets"
+ prune: true # remove any elements later removed from the above path
+ timeout: 2m # if not set, this defaults to interval duration, which is 1h
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ healthChecks:
+ - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+ kind: HelmRelease
+ name: authentik
+ namespace: authentik
diff --git a/bootstrap/namespaces/namespace-authentik.yaml b/bootstrap/namespaces/namespace-authentik.yaml
new file mode 100644
index 0000000..bb24d8d
--- /dev/null
+++ b/bootstrap/namespaces/namespace-authentik.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: authentik
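Review bot: `timeout: 2m` on the Kustomization is shorter than the 5m `timeout` on the HelmRelease it health-checks, so the first reconcile can report the Kustomization as failed while the Helm install (with its PostgreSQL and Redis subcharts still pulling images and initialising) is still within its own budget; raising it to at least the HelmRelease's value, e.g. `timeout: 5m`, avoids the spurious failure. The inline comment `which is 1h` also no longer matches `interval: 30m` a few lines above; either drop that clause or make it `which is 30m here`.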