From 07b3dfb063ef4974af9127f5a62084408ca14e67 Mon Sep 17 00:00:00 2001
From: Tony Du
Date: Tue, 11 Feb 2025 12:18:12 -0800
Subject: [PATCH] feat: Add back authentik to k8s
---
 .gitignore | 3 +-
 k8s/apps/authentik/kustomization.yaml | 6 ++
 k8s/apps/authentik/release.yaml | 60 +++++++++++++++++++
 k8s/apps/authentik/secrets.yaml | 17 ++++++
 k8s/apps/common/kustomization.yaml | 3 +-
 k8s/apps/common/repositories/authentik.yaml | 10 ++++
 .../bitnami.yaml} | 2 -
 .../common/repositories/kustomization.yaml | 6 ++
 .../external/build/jellyfin-tonydu.yaml | 1 +
 .../external/build/seerr-tonydu.yaml | 1 +
 .../external/templater/values.yaml | 2 +
 .../ingressroutes/middlewares/authentik.yaml | 3 +-
 .../redirect-tonydu-me-mnke-org.yaml | 1 +
 k8s/apps/kustomization.yaml | 1 +
 14 files changed, 109 insertions(+), 7 deletions(-)
 create mode 100644 k8s/apps/authentik/kustomization.yaml
 create mode 100644 k8s/apps/authentik/release.yaml
 create mode 100644 k8s/apps/authentik/secrets.yaml
 create mode 100644 k8s/apps/common/repositories/authentik.yaml
 rename k8s/apps/common/{bitnami-repository.yaml => repositories/bitnami.yaml} (99%)
 create mode 100644 k8s/apps/common/repositories/kustomization.yaml
diff --git a/.gitignore b/.gitignore
index 7e36af7..eea8add 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,3 @@
.env
-secrets.yaml
-secrets.yml
+/secrets.yml
venv
diff --git a/k8s/apps/authentik/kustomization.yaml b/k8s/apps/authentik/kustomization.yaml
new file mode 100644
index 0000000..c0ba20b
--- /dev/null
+++ b/k8s/apps/authentik/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - secrets.yaml
+ - release.yaml
diff --git a/k8s/apps/authentik/release.yaml b/k8s/apps/authentik/release.yaml
new file mode 100644
index 0000000..f7ee2d4
--- /dev/null
+++ b/k8s/apps/authentik/release.yaml
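Review bot: Replacing `secrets.yaml`/`secrets.yml` with the root-anchored `/secrets.yml` is what lets `k8s/apps/authentik/secrets.yaml` be committed, but it also removes the tree-wide safety net: a future plain `kind: Secret` manifest saved under that name anywhere below the root will no longer be ignored. Since the file being committed is an ExternalSecret (a reference, not secret material), record that intent next to the rule, e.g. `# secrets.yaml files under k8s/ must be ExternalSecret manifests, never literal Secrets`, and consider a pre-commit check that rejects `kind: Secret` manifests carrying `data:`, so the narrowed ignore does not quietly become a leak path later.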
@@ -0,0 +1,60 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: authentik + namespace: default +spec: + interval: 10m + releaseName: authentik + targetNamespace: default + chart: + spec: + chart: authentik + reconcileStrategy: ChartVersion + sourceRef: + kind: HelmRepository + name: authentik + namespace: flux-system + valuesFrom: + - kind: Secret + name: authentik-creds + valuesKey: ak-pg-username + targetPath: authentik.postgresql.user + optional: false + - kind: Secret + name: authentik-creds + valuesKey: ak-pg-password + targetPath: authentik.postgresql.password + optional: false + - kind: Secret + name: authentik-creds + valuesKey: ak-secret-key + targetPath: authentik.secret_key + optional: false + values: + authentik: + postgresql: + host: db.home.mnke.org + name: authentik + # user: "" + # password: "" + port: 5432 + # secret_key: "" + + server: + ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: le-cf-issuer + kubernetes.io/ingress.class: traefik + hosts: + - authentik.mnke.org + - authentik.dolo.mnke.org + ingressClassName: traefik + + postgresql: + enabled: false + + redis: + enabled: true diff --git a/k8s/apps/authentik/secrets.yaml b/k8s/apps/authentik/secrets.yaml new file mode 100644 index 0000000..7a97bf6 --- /dev/null +++ b/k8s/apps/authentik/secrets.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: authentik-creds + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: infisical + + target: + name: authentik-creds + + dataFrom: + - find: + path: ak- diff --git a/k8s/apps/common/kustomization.yaml b/k8s/apps/common/kustomization.yaml index 2b90248..b25d211 100644 --- a/k8s/apps/common/kustomization.yaml +++ b/k8s/apps/common/kustomization.yaml @@ -2,5 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - bitnami-repository.yaml - - middlewares + - repositories 
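Review bot: The HelmChart template under `spec.chart.spec` sets `reconcileStrategy: ChartVersion` but no `version`, so Flux resolves whatever the newest entry in the goauthentik repository index is at every 10m interval and upgrades to it unattended; one bad or tampered upstream chart release would roll straight into the cluster. Pin it, e.g. `version: "<pinned-chart-version>"` (a fixed-minor semver range still picks up patch releases), and bump it deliberately. Two smaller points: `kubernetes.io/ingress.class: traefik` is the deprecated form of the `ingressClassName: traefik` set a few lines below it and can be dropped, and the external database at `db.home.mnke.org` is configured with host, name and port only — if the chart exposes a TLS/sslmode setting for that connection it should be set, otherwise the credentials pulled from `authentik-creds` travel to that host in cleartext.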
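Review bot: `dataFrom.find.path: ak-` copies every key the Infisical store returns under that prefix into `authentik-creds`, not only the three keys `release.yaml` actually reads (`ak-pg-username`, `ak-pg-password`, `ak-secret-key`), so any other `ak-`-prefixed entry added to the store later lands in this Secret as well. Listing the three keys explicitly under `data` keeps the Secret to what the release needs; if `find` is kept, narrow it with `name: regexp: '^ak-(pg-username|pg-password|secret-key)$'` next to `path`. It is also worth confirming that this provider treats `path` as a key-name prefix rather than a folder path, since `ak-` is not a folder, and that the rendered Secret carries exactly those three keys; no `refreshInterval` is set, so the controller default applies.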
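Review bot: As I read the collapsed hunk (`-2,5 +2,4`), the resources list loses `- middlewares` as well as `- bitnami-repository.yaml`, while the only addition is `- repositories`; yet no `k8s/apps/common/middlewares` path appears anywhere in this commit's file list. If that directory still exists it is now silently unreferenced (and may be pruned from the cluster if the Flux Kustomization prunes); if it was already deleted earlier, this line fixes a broken kustomize build. Either way, one sentence in the commit description about what happened to the `middlewares` resource would save the next reader this reconstruction.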
diff --git a/k8s/apps/common/repositories/authentik.yaml b/k8s/apps/common/repositories/authentik.yaml new file mode 100644 index 0000000..d0461e3 --- /dev/null +++ b/k8s/apps/common/repositories/authentik.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: authentik + namespace: flux-system +spec: + interval: 5m + url: https://charts.goauthentik.io + diff --git a/k8s/apps/common/bitnami-repository.yaml b/k8s/apps/common/repositories/bitnami.yaml similarity index 99% rename from k8s/apps/common/bitnami-repository.yaml rename to k8s/apps/common/repositories/bitnami.yaml index 2236919..02e10ae 100644 --- a/k8s/apps/common/bitnami-repository.yaml +++ b/k8s/apps/common/repositories/bitnami.yaml @@ -8,5 +8,3 @@ spec: type: "oci" interval: 5m url: oci://registry-1.docker.io/bitnamicharts - - diff --git a/k8s/apps/common/repositories/kustomization.yaml b/k8s/apps/common/repositories/kustomization.yaml new file mode 100644 index 0000000..a609b94 --- /dev/null +++ b/k8s/apps/common/repositories/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - bitnami.yaml + - authentik.yaml diff --git a/k8s/apps/ingressroutes/external/build/jellyfin-tonydu.yaml b/k8s/apps/ingressroutes/external/build/jellyfin-tonydu.yaml index 4b211f5..f792f56 100644 --- a/k8s/apps/ingressroutes/external/build/jellyfin-tonydu.yaml +++ b/k8s/apps/ingressroutes/external/build/jellyfin-tonydu.yaml @@ -28,6 +28,7 @@ spec: kind: Rule middlewares: - name: redirect-tonydu-me-mnke-org + namespace: default services: - kind: Service name: jellyfin-tonydu-external diff --git a/k8s/apps/ingressroutes/external/build/seerr-tonydu.yaml b/k8s/apps/ingressroutes/external/build/seerr-tonydu.yaml index 9ae663f..8544400 100644 --- a/k8s/apps/ingressroutes/external/build/seerr-tonydu.yaml +++ b/k8s/apps/ingressroutes/external/build/seerr-tonydu.yaml 
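Review bot: The hunk ends with a bare `+` line, i.e. the new file carries a trailing blank line, which yamllint's `empty-lines` rule flags — and the bitnami rename in this same commit removes exactly such trailing blanks, so drop it here for consistency. Separately, the HelmRelease in `k8s/apps/authentik/release.yaml` lives in `default` and points at this HelmRepository in `flux-system`; a cross-namespace `sourceRef` is rejected when helm-controller runs with `--no-cross-namespace-refs=true`, so confirm the controller flags (the existing bitnami repository presumably already proves this works, but that is not visible here).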
@@ -28,6 +28,7 @@ spec: kind: Rule middlewares: - name: redirect-tonydu-me-mnke-org + namespace: default services: - kind: Service name: seerr-tonydu-external diff --git a/k8s/apps/ingressroutes/external/templater/values.yaml b/k8s/apps/ingressroutes/external/templater/values.yaml index 67cf98c..420fbe8 100644 --- a/k8s/apps/ingressroutes/external/templater/values.yaml +++ b/k8s/apps/ingressroutes/external/templater/values.yaml @@ -22,6 +22,7 @@ proxies: listen_host: media.tonydu.me middlewares: - name: redirect-tonydu-me-mnke-org + namespace: default - <<: *seerr service_name: seerr-mnke @@ -34,4 +35,5 @@ proxies: listen_host: seerr.tonydu.me middlewares: - name: redirect-tonydu-me-mnke-org + namespace: default diff --git a/k8s/apps/ingressroutes/middlewares/authentik.yaml b/k8s/apps/ingressroutes/middlewares/authentik.yaml index ac7e291..a850c9f 100644 --- a/k8s/apps/ingressroutes/middlewares/authentik.yaml +++ b/k8s/apps/ingressroutes/middlewares/authentik.yaml @@ -2,9 +2,10 @@ apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: name: authentik + namespace: default spec: forwardAuth: - address: https://authentik.mnke.org/auth/traefik + address: http://ak-outpost-domain-forward-auth-provider.default.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik trustForwardHeader: true authResponseHeaders: - X-authentik-username diff --git a/k8s/apps/ingressroutes/middlewares/redirect-tonydu-me-mnke-org.yaml b/k8s/apps/ingressroutes/middlewares/redirect-tonydu-me-mnke-org.yaml index 1ff0eea..5907c3a 100644 --- a/k8s/apps/ingressroutes/middlewares/redirect-tonydu-me-mnke-org.yaml +++ b/k8s/apps/ingressroutes/middlewares/redirect-tonydu-me-mnke-org.yaml @@ -3,6 +3,7 @@ apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: name: redirect-tonydu-me-mnke-org + namespace: default spec: redirectRegex: permanent: false diff --git a/k8s/apps/kustomization.yaml b/k8s/apps/kustomization.yaml index 2ec704d..2b73fc3 100644 --- a/k8s/apps/kustomization.yaml 
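Review bot: The new `address` moves the forwardAuth hop from the public `https://authentik.mnke.org` endpoint to plain HTTP on the in-cluster outpost Service, so every proxied request's headers — session cookies and any Authorization header included — now cross the pod network unencrypted; that is fine only if that network is trusted or encrypted by the CNI/mesh, which this patch cannot show. In the same block the pre-existing `trustForwardHeader: true` makes Traefik pass client-supplied `X-Forwarded-*` headers through to authentik, which as far as I know uses them for host matching and the post-login return URL, so the entrypoint's `forwardedHeaders.trustedIPs` must be restricted to the real upstream proxy — that setting is outside this patch, please confirm it. The Service name `ak-outpost-domain-forward-auth-provider` appears to be derived from an outpost object defined inside authentik, so a one-line comment such as `# Service is created by the 'domain-forward-auth-provider' outpost in authentik; renaming the outpost changes this address` would make the dependency discoverable. The Middleware's `authResponseHeaders` list continues past the hunk.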
+++ b/k8s/apps/kustomization.yaml @@ -5,4 +5,5 @@ resources: - common - uptime-kuma - ghost + - authentik - ingressroutes