authentik

authentik/dns-endpoint-authentik.yaml

@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: authentik.michaelthomson.dev
+  namespace: authentik
+spec:
+  endpoints:
+  - dnsName: authentik.michaelthomson.dev
+    recordTTL: 180
+    recordType: CNAME
+    targets:
+    - server.michaelthomson.dev

authentik/helmrelease-authentik.yaml

@@ -0,0 +1,320 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  chart:
+    spec:
+      chart: authentik
+      version: 2023.10.x
+      sourceRef:
+        kind: HelmRepository
+        name: authentik
+        namespace: flux-system
+  interval: 15m
+  timeout: 5m
+  releaseName: authentik
+  values:
+    # -- Server replicas
+    replicas: 1
+    # -- Custom priority class for different treatment by the scheduler
+    priorityClassName:
+    # -- server securityContext
+    securityContext: {}
+    # -- server containerSecurityContext
+    containerSecurityContext: {}
+    # -- server deployment strategy
+    strategy: {}
+      # type: RollingUpdate
+      # rollingUpdate:
+      #  maxSurge: 25%
+      #  maxUnavailable: 25%
+
+    worker:
+      # -- worker replicas
+      replicas: 1
+      # -- Custom priority class for different treatment by the scheduler
+      priorityClassName:
+      # -- worker securityContext
+      securityContext: {}
+      # -- worker containerSecurityContext
+      containerSecurityContext: {}
+      # -- worker strategy
+      strategy: {}
+        # type: RollingUpdate
+        # rollingUpdate:
+        #  maxSurge: 25%
+        #  maxUnavailable: 25%
+
+    image:
+      repository: ghcr.io/goauthentik/server
+      tag: 2023.10.4
+      # -- optional container image digest
+      digest: ""
+      pullPolicy: IfNotPresent
+      pullSecrets: []
+
+    # -- Specify any initContainers here as dictionary items. Each initContainer should have its own key. The dictionary item key will determine the order. Helm templates can be used
+    initContainers: {}
+
+    # -- Specify any additional containers here as dictionary items. Each additional container should have its own key. Helm templates can be used.
+    additionalContainers: {}
+
+    ingress:
+      enabled: true
+      ingressClassName: "traefik"
+      annotations: {}
+      labels: {}
+      hosts:
+        - host: authentik.michaelthomson.dev
+          paths:
+            - path: "/"
+              pathType: Prefix
+      tls:
+        - secretName: letsencrypt-wildcard-cert-michaelthomson.dev
+          hosts:
+            - authentik.michaelthomson.dev
+
+    # -- Annotations to add to the server and worker deployments
+    annotations: {}
+
+    # -- Annotations to add to the server and worker pods
+    podAnnotations: {}
+
+    authentik:
+      # -- Log level for server and worker
+      log_level: info
+      # -- Secret key used for cookie singing and unique user IDs,
+      # don't change this after the first install
+      # secret_key: "${AUTHENTIK_SECRET_KEY}"
+      # -- Path for the geoip database. If the file doesn't exist, GeoIP features are disabled.
+      geoip: /geoip/GeoLite2-City.mmdb
+      email:
+        # -- SMTP Server emails are sent from, fully optional
+        host: ""
+        port: 587
+        # -- SMTP credentials, when left empty, not authentication will be done
+        username: ""
+        # -- SMTP credentials, when left empty, not authentication will be done
+        password: ""
+        # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
+        use_tls: false
+        # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
+        use_ssl: false
+        # -- Connection timeout
+        timeout: 30
+        # -- Email from address, can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
+        from: ""
+      outposts:
+        # -- Template used for managed outposts. The following placeholders can be used
+        # %(type)s - the type of the outpost
+        # %(version)s - version of your authentik install
+        # %(build_hash)s - only for beta versions, the build hash of the image
+        container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
+      error_reporting:
+        # -- This sends anonymous usage-data, stack traces on errors and
+        # performance data to sentry.beryju.org, and is fully opt-in
+        enabled: false
+        # -- This is a string that is sent to sentry with your error reports
+        environment: "k8s"
+        # -- Send PII (Personally identifiable information) data to sentry
+        send_pii: false
+      postgresql:
+        # -- set the postgresql hostname to talk to
+        # if unset and .Values.postgresql.enabled == true, will generate the default
+        # @default -- `{{ .Release.Name }}-postgresql`
+        host: "{{ .Release.Name }}-postgresql"
+        # -- postgresql Database name
+        # @default -- `authentik`
+        name: "authentik"
+        # -- postgresql Username
+        # @default -- `authentik`
+        user: "authentik"
+        # password: "${AUTHENTIK_POSTGRESQL__PASSWORD}"
+        port: 5432
+      redis:
+        # -- set the redis hostname to talk to
+        # @default -- `{{ .Release.Name }}-redis-master`
+        host: "{{ .Release.Name }}-redis-master"
+        password: ""
+
+    # -- List of config maps to mount blueprints from. Only keys in the
+    # configmap ending with ".yaml" wil be discovered and applied
+    blueprints: []
+
+    # -- see configuration options at https://goauthentik.io/docs/installation/configuration/
+    env: {}
+
+    envFrom: []
+    #  - configMapRef:
+    #      name: special-config
+
+    envValueFrom:
+      AUTHENTIK_SECRET_KEY:
+        secretKeyRef:
+          name: authentik-secret-key
+          key: secret-key
+      AUTHENTIK_BOOTSTRAP_PASSWORD:
+        secretKeyRef:
+          name: authentik-bootstrap-password
+          key: bootstrap-password
+      AUTHENTIK_POSTGRESQL__PASSWORD:
+        secretKeyRef:
+          name: authentik-postgresql-password
+          key: postgresql-password
+
+    service:
+      # -- Service that is created to access authentik
+      enabled: true
+      type: ClusterIP
+      port: 80
+      name: http
+      protocol: TCP
+      labels: {}
+      annotations: {}
+
+    volumes: []
+
+    volumeMounts: []
+
+    # -- affinity applied to the deployments
+    affinity: {}
+
+    #  -- tolerations applied to the deployments
+    tolerations: []
+
+    # -- nodeSelector applied to the deployments
+    nodeSelector: {}
+
+    resources:
+      server: {}
+      worker: {}
+
+    autoscaling:
+      server:
+        # -- Create a HPA for the server deployment
+        enabled: false
+        minReplicas: 1
+        maxReplicas: 5
+        targetCPUUtilizationPercentage: 50
+      worker:
+        # -- Create a HPA for the worker deployment
+        enabled: false
+        minReplicas: 1
+        maxReplicas: 5
+        targetCPUUtilizationPercentage: 80
+
+    pdb:
+      server:
+        # -- Deploy a PodDistrubtionBudget for the server
+        enabled: false
+        # -- Labels to be added to the server pdb
+        labels: {}
+        # -- Annotations to be added to the server pdb
+        annotations: {}
+        # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
+        # @default -- `""` (defaults to 0 if not specified)
+        minAvailable: ""
+        # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
+        ## Has higher precedence over `pdb.server.minAvailable`
+        maxUnavailable: ""
+      worker:
+        # -- Deploy a PodDistrubtionBudget for the worker
+        enabled: false
+        # -- Labels to be added to the worker pdb
+        labels: {}
+        # -- Annotations to be added to the worker pdb
+        annotations: {}
+        # -- Number of pods that are available after eviction as number or percentage (eg.: 50%)
+        # @default -- `""` (defaults to 0 if not specified)
+        minAvailable: ""
+        # -- Number of pods that are unavailable after eviction as number or percentage (eg.: 50%)
+        ## Has higher precedence over `pdb.worker.minAvailable`
+        maxUnavailable: ""
+
+    livenessProbe:
+      # -- enables or disables the livenessProbe
+      enabled: true
+      httpGet:
+        # -- liveness probe url path
+        path: /-/health/live/
+        port: http
+      initialDelaySeconds: 5
+      periodSeconds: 10
+
+    startupProbe:
+      # -- enables or disables the livenessProbe
+      enabled: true
+      httpGet:
+        # -- liveness probe url path
+        path: /-/health/live/
+        port: http
+      failureThreshold: 60
+      periodSeconds: 5
+
+    readinessProbe:
+      enabled: true
+      httpGet:
+        path: /-/health/ready/
+        port: http
+      periodSeconds: 10
+
+    serviceAccount:
+      # -- Service account is needed for managed outposts
+      create: true
+      annotations: {}
+      serviceAccountSecret:
+        # -- As we use the authentik-remote-cluster chart as subchart, and that chart
+        # creates a service account secret by default which we don't need here, disable its creation
+        enabled: false
+      fullnameOverride: authentik
+      nameOverride: authentik
+
+    prometheus:
+      serviceMonitor:
+        create: false
+        interval: 30s
+        scrapeTimeout: 3s
+        # -- labels additional on ServiceMonitor
+        labels: {}
+      rules:
+        create: false
+        # -- labels additional on PrometheusRule
+        labels: {}
+
+    geoip:
+      # -- optional GeoIP, deploys a cronjob to download the maxmind database
+      enabled: false
+      # -- sign up under https://www.maxmind.com/en/geolite2/signup
+      accountId: ""
+      # -- sign up under https://www.maxmind.com/en/geolite2/signup
+      licenseKey: ""
+      editionIds: "GeoLite2-City"
+      image: maxmindinc/geoipupdate:v4.8
+      # -- number of hours between update runs
+      updateInterval: 8
+      # -- server containerSecurityContext
+      containerSecurityContext: {}
+    postgresql:
+      # -- enable the bundled bitnami postgresql chart
+      enabled: true
+      postgresqlMaxConnections: 500
+      postgresqlUsername: "authentik"
+      # postgresqlPassword: "${AUTHENTIK_POSTGRESQL__PASSWORD}"
+      postgresqlDatabase: "authentik"
+      persistence:
+        enabled: true
+        storageClass: longhorn
+      #   accessModes:
+      #     - ReadWriteOnce
+      image:
+        tag: 15.4.0-debian-11-r0
+    redis:
+      # -- enable the bundled bitnami redis chart
+      enabled: true
+      architecture: standalone
+      auth:
+        enabled: false
+      image:
+        tag: 6.2.10-debian-11-r13

authentik/sealedsecret-authentik-bootstrap-password.yaml

@@ -0,0 +1,21 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "authentik-bootstrap-password",
+    "namespace": "authentik",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "authentik-bootstrap-password",
+        "namespace": "authentik",
+        "creationTimestamp": null
+      }
+    },
+    "encryptedData": {
+      "bootstrap-password": "AgA9pO4QxCh6T+B1zfEt6CArLi8hlu6Fu1Usrwl3xzJS3K4DI7gvQ8mjgDRZUv+5pbtbdU0RuLT3MFLp2iFIFYs71YL0Pv9Sq1sbE8v1iZIJ2lA2BPSKGm6FrkJYNwQbpq9CXupZn4StZUmvkqBZ9K+H9t98bp04Uv3WbuZVC3aRUFgVv6bDKdIKL9MVY5yJrBbkdfCiBh/zocfWSKEe80/inqYH4VMgYJxHqETkQPtUrfbotwmmtp7+9ZXvgCQz0NmO9XF75XbCZLb2vieqcJV0UG92DI1SbcuZ6rdRH/B/TAcByf3dMQGlD/VNNA19qwpkIjWwmsilg9cjiRpW1rGNBDVfU9SwZkhVPrIbb6cHa8lhZcIXs22VV8QZ9pbQZnvjSW0QXqpIHm+YRC/qyn+XkYB1FMvTK61UN66yPiOIM/wBrUBNxbFN6LHXRCqQo3U4W8fEOMlbsmCU0gtXmrb361B83DfDkFxo3y7I6j9voHqhVLhW8awfSZ8pJcYBFRyG7HE9m+vdfYKHopb+s+9hDp0U0nYK8SlBXtb+Jbb/NKnJA2zu389dVh5bjnjM/J5pv6bo9Nsfm6GuomFTTXgoxwI5CE11730RmfuzeNoC2qtZ6pWcIQhD4O+VxzZikwh/wd04Y2nNRbRYBkcItWWB+uQvHd/IYX8HQPQV9gNAF/eXEOLpJa4ka9u05kx8/uygcuoXUa45nCz7MpP02gKOTx9kQyyDmvmi38Z3MD0="
+    }
+  }
+}

authentik/sealedsecret-authentik-postgresql-password.yaml

@@ -0,0 +1,21 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "authentik-postgresql-password",
+    "namespace": "authentik",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "authentik-postgresql-password",
+        "namespace": "authentik",
+        "creationTimestamp": null
+      }
+    },
+    "encryptedData": {
+      "postgresql-password": "AgAu6ZcMSYcquAY1vI46E7HBfcC5UgnpUinBSZx6zUtCT/1ExxuMQd70vgFhoBiFDP83pzn1e7VvCq4uxp1bnRjYZYx+VjTvnmuk1w9rEiyzFSFpQaKLkH1PDrzIIMr1R/MKWyWIiOnyWagHL4Rw+S/+rub4vfvY0BvZF4zQIwfkZGTXdFn7jl+Uu0zRYhTSv4hNserK70dgiJAfdexqA2p4Gb3Ml1JNqvntbJmwSF6D4BpLw8CzilhNQPwHbamoZk+PrZ43qCjBrHehaxBg10nNyYuvJKDPB872tjyXeRKtTj8xqC/kXj30CK9XOf+mG7BtE2frmorz7ee4FeoYMx03XlriTedGs8lLLarD7iSXgGz35H+61iLcLOKZQDTcUez/RjT4JdZvEZEpNCb6pwzTafwcfo0Z8Wm/Q0vps07xrntG0oLqF8YtjYlWGBnTdOvdHBaP5f0wzdWOhQLOoPyHY5qy3vAnR50gTHEj4cekQ6g1Ghhu3m288mWDxQviUYH33qm26Gijin2jRTRr6TCE/JVrDkDAHHsEjAdB72W4PPIP7keaLh/auCQ0QwvHIq+4cEq67ZLiYnfhoOjq0PYGFGBuQF9DYabktIDXoBS9SVnd7pPqMQkOZ4FQfkajjjtdfH/WYzJDrxkFxfS8Rx1oD3hErk5IZvYoLiOXueH/nCaW3TD98trDZdyQNiRM0yU8H36o0oT5ta7JrLRSVBZcvI1KUj+r90jMm18H3nM="
+    }
+  }
+}

authentik/sealedsecret-authentik-secret-key.yaml

@@ -0,0 +1,21 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "authentik-secret-key",
+    "namespace": "authentik",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "authentik-secret-key",
+        "namespace": "authentik",
+        "creationTimestamp": null
+      }
+    },
+    "encryptedData": {
+      "secret-key": "AgDZN7Hy3vnFapuJ/rqt3r2zEA3ctb/LZqDkGDd+2YnvT8ChWnAbQ4xMXcE1/3VoKD4GuCGpJ7Q0hfQSpDz701v+HoBcKo4oUxuowh4M3IfEixQhjVKHMuTIVnSgO3asFhap8Z1XcrzLc7HPA4AMtUuB7rJcQC11v2QFoyYVPVvvqFYpyQTD0zBZ43nm3SI891flRC6vdgpfNfHn8xaLWxyKaQkflrsGbnOolekZsO0N/2XFVsOtUqpRjjwlclr0CcTGW6EyFlzYK9q/94Yj0Ss0oS68zhjfZM9EPnXl7xDlKXyI33tCpGLtgrqecXwRfKsOU8sKoadeGNgDyTxRAPrr0QomsCu9Uflla7Os+EJ2SmSxDf/6tBsx8Zni9kQ7uuXpUPcD29CqakeTxKu4p77UlCWw9fgdeRmXCiXcYk0FvO1nmpLJRcUGWOrg8VkgSPumaURzyxuegmN2bm/HnJwrLEe5/DQPxSoJgepdc64Np6IRLv6yAvF5+Z4DMwSL4/lZ/4sfE6ZYwYZ8DkO3RJ8sWQ926Ka+tiMDV4xKAYISxlShp0K3bys7r4T8P4u1t89maLr4urjynWHREiIh6ICx5so0eOIXEB9gA89q97ZXG3blbF7IFg45nB2dpfctPkZBqMvSUdZGqAVkp1peRzd0+zpBgKbjeYkwAHEqWfNLRfW8wW9wICDORTLyJ6M+mq+mX3DhKfHe2FQI7x7eHmjoHz7I55/pp+QK05a1B/U="
+    }
+  }
+}

bootstrap/helmrepositories/helmrepository-authentik.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: authentik
+  namespace: flux-system
+spec:
+  interval: 15m
+  url: https://charts.goauthentik.io/

bootstrap/kustomizations/kustomization-authentik.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: authentik
+  namespace: flux-system
+spec:
+  interval: 30m
+  path: ./authentik
+  dependsOn:
+  - name: "sealed-secrets"
+  prune: true # remove any elements later removed from the above path
+  timeout: 2m # if not set, this defaults to interval duration, which is 1h
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
+      kind: HelmRelease
+      name: authentik
+      namespace: authentik

bootstrap/namespaces/namespace-authentik.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authentik