feat: Add back authentik to k8s

2025-02-11 12:18:12 -08:00 · 2025-02-11 12:18:12 -08:00 · 07b3dfb063
commit 07b3dfb063
parent d76acef206
14 changed files with 109 additions and 7 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,3 @@
 .env
-secrets.yaml
-secrets.yml
+/secrets.yml
 venv
--- a/k8s/apps/authentik/kustomization.yaml
+++ b/k8s/apps/authentik/kustomization.yaml
@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - secrets.yaml
+  - release.yaml
--- a/k8s/apps/authentik/release.yaml
+++ b/k8s/apps/authentik/release.yaml
@ -0,0 +1,60 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authentik
+  namespace: default
+spec:
+  interval: 10m
+  releaseName: authentik
+  targetNamespace: default
+  chart:
+    spec:
+      chart: authentik
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: authentik
+        namespace: flux-system
+  valuesFrom:
+    - kind: Secret
+      name: authentik-creds
+      valuesKey: ak-pg-username
+      targetPath: authentik.postgresql.user
+      optional: false
+    - kind: Secret
+      name: authentik-creds
+      valuesKey: ak-pg-password
+      targetPath: authentik.postgresql.password
+      optional: false
+    - kind: Secret
+      name: authentik-creds
+      valuesKey: ak-secret-key
+      targetPath: authentik.secret_key
+      optional: false
+  values:
+    authentik:
+      postgresql:
+        host: db.home.mnke.org
+        name: authentik
+        # user: ""
+        # password: ""
+        port: 5432
+      # secret_key: ""
+
+    server:
+      ingress:
+        enabled: true
+        annotations:
+          cert-manager.io/cluster-issuer: le-cf-issuer
+          kubernetes.io/ingress.class: traefik
+        hosts:
+          - authentik.mnke.org
+          - authentik.dolo.mnke.org
+        ingressClassName: traefik
+
+    postgresql:
+      enabled: false
+
+    redis:
+      enabled: true
--- a/k8s/apps/authentik/secrets.yaml
+++ b/k8s/apps/authentik/secrets.yaml
@ -0,0 +1,17 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authentik-creds
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: infisical
+
+  target:
+    name: authentik-creds
+
+  dataFrom:
+    - find:
+        path: ak-
--- a/k8s/apps/common/kustomization.yaml
+++ b/k8s/apps/common/kustomization.yaml
@ -2,5 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - bitnami-repository.yaml
-  - middlewares
+  - repositories
--- a/k8s/apps/common/repositories/authentik.yaml
+++ b/k8s/apps/common/repositories/authentik.yaml
@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: authentik
+  namespace: flux-system
+spec:
+  interval: 5m
+  url: https://charts.goauthentik.io
+
--- a/k8s/apps/common/repositories/bitnami.yaml
+++ b/k8s/apps/common/repositories/bitnami.yaml
@ -8,5 +8,3 @@ spec:
  type: "oci"
  interval: 5m
  url: oci://registry-1.docker.io/bitnamicharts
-
-
--- a/k8s/apps/common/repositories/kustomization.yaml
+++ b/k8s/apps/common/repositories/kustomization.yaml
@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - bitnami.yaml
+  - authentik.yaml
--- a/k8s/apps/ingressroutes/external/build/jellyfin-tonydu.yaml
+++ b/k8s/apps/ingressroutes/external/build/jellyfin-tonydu.yaml
@ -28,6 +28,7 @@ spec:
      kind: Rule
      middlewares:
        - name: redirect-tonydu-me-mnke-org
+          namespace: default
      services:
        - kind: Service
          name: jellyfin-tonydu-external
--- a/k8s/apps/ingressroutes/external/build/seerr-tonydu.yaml
+++ b/k8s/apps/ingressroutes/external/build/seerr-tonydu.yaml
@ -28,6 +28,7 @@ spec:
      kind: Rule
      middlewares:
        - name: redirect-tonydu-me-mnke-org
+          namespace: default
      services:
        - kind: Service
          name: seerr-tonydu-external
--- a/k8s/apps/ingressroutes/external/templater/values.yaml
+++ b/k8s/apps/ingressroutes/external/templater/values.yaml
@ -22,6 +22,7 @@ proxies:
    listen_host: media.tonydu.me
    middlewares:
      - name: redirect-tonydu-me-mnke-org
+        namespace: default

  - <<: *seerr
    service_name: seerr-mnke
@ -34,4 +35,5 @@ proxies:
    listen_host: seerr.tonydu.me
    middlewares:
      - name: redirect-tonydu-me-mnke-org
+        namespace: default

--- a/k8s/apps/ingressroutes/middlewares/authentik.yaml
+++ b/k8s/apps/ingressroutes/middlewares/authentik.yaml
@ -2,9 +2,10 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
    name: authentik
+    namespace: default
 spec:
    forwardAuth:
-        address: https://authentik.mnke.org/auth/traefik
+        address: http://ak-outpost-domain-forward-auth-provider.default.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
            - X-authentik-username
--- a/k8s/apps/ingressroutes/middlewares/redirect-tonydu-me-mnke-org.yaml
+++ b/k8s/apps/ingressroutes/middlewares/redirect-tonydu-me-mnke-org.yaml
@ -3,6 +3,7 @@ apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: redirect-tonydu-me-mnke-org
+  namespace: default
 spec:
  redirectRegex:
    permanent: false
--- a/k8s/apps/kustomization.yaml
+++ b/k8s/apps/kustomization.yaml
@ -5,4 +5,5 @@ resources:
  - common
  - uptime-kuma
  - ghost
+  - authentik
  - ingressroutes