feat: Add back authentik to k8s

Tony Du 2025-02-11 12:18:12 -08:00
parent d76acef206
commit 07b3dfb063
14 changed files with 109 additions and 7 deletions

.gitignore vendored

@ -1,4 +1,3 @@
.env .env
secrets.yaml /secrets.yml
secrets.yml
venv venv
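Review bot: Replacing the unanchored `secrets.yaml` with the root-anchored `/secrets.yml` narrows the ignore to a single file at the repository root, so a `secrets.yml` or `secrets.yaml` written into any subdirectory is no longer ignored and will be picked up by `git add`. This looks intended so that the per-app `secrets.yaml` ExternalSecret manifests added in this commit can be tracked, and those carry no secret material, but the rule now relies on nobody saving real credentials under that name elsewhere in the tree. A comment above the pattern recording that intent would keep the next editor from widening or narrowing it by accident, e.g. `# only the root secrets.yml holds real values; per-app secrets.yaml files are ExternalSecret manifests and are tracked`.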


@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secrets.yaml
- release.yaml


@ -0,0 +1,60 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: authentik
namespace: default
spec:
interval: 10m
releaseName: authentik
targetNamespace: default
chart:
spec:
chart: authentik
reconcileStrategy: ChartVersion
sourceRef:
kind: HelmRepository
name: authentik
namespace: flux-system
valuesFrom:
- kind: Secret
name: authentik-creds
valuesKey: ak-pg-username
targetPath: authentik.postgresql.user
optional: false
- kind: Secret
name: authentik-creds
valuesKey: ak-pg-password
targetPath: authentik.postgresql.password
optional: false
- kind: Secret
name: authentik-creds
valuesKey: ak-secret-key
targetPath: authentik.secret_key
optional: false
values:
authentik:
postgresql:
host: db.home.mnke.org
name: authentik
# user: ""
# password: ""
port: 5432
# secret_key: ""
server:
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: le-cf-issuer
kubernetes.io/ingress.class: traefik
hosts:
- authentik.mnke.org
- authentik.dolo.mnke.org
ingressClassName: traefik
postgresql:
enabled: false
redis:
enabled: true
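Review bot: `spec.chart.spec` pins no `version`, so with `reconcileStrategy: ChartVersion` Flux resolves whatever the authentik HelmRepository currently publishes as latest, and an upstream chart release upgrades this deployment with no commit in this repository to review or roll back. The ingress also carries `cert-manager.io/cluster-issuer: le-cf-issuer` but no `tls` list under `server.ingress`; the cert-manager ingress shim only requests a certificate for hosts listed under `tls`, so unless TLS is terminated elsewhere the two hosts are served without a certificate. `kubernetes.io/ingress.class: traefik` duplicates `ingressClassName: traefik` and is the deprecated form, so one of the two can go, and the commented-out `# user: ""` / `# password: ""` / `# secret_key: ""` placeholders would read better as a single comment saying those three values are injected from the `authentik-creds` Secret via `valuesFrom`. The external PostgreSQL at `db.home.mnke.org` has no SSL mode set here; whether the connection is encrypted depends on the chart's defaults and the server's policy, which are not visible in this hunk.
```yaml
  chart:
    spec:
      chart: authentik
      version: "<pinned-chart-version>"  # placeholder: set to a released chart version
      # … unchanged: reconcileStrategy, sourceRef …
  # … unchanged: valuesFrom, authentik.postgresql …
    server:
      ingress:
        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: le-cf-issuer
        # … unchanged: hosts …
        tls:
          - secretName: authentik-tls  # constructed name; cert-manager creates this Secret
            hosts:
              - authentik.mnke.org
              - authentik.dolo.mnke.org
        ingressClassName: traefik
```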


@ -0,0 +1,17 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik-creds
namespace: default
spec:
secretStoreRef:
kind: ClusterSecretStore
name: infisical
target:
name: authentik-creds
dataFrom:
- find:
path: ak-
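Review bot: `dataFrom[0].find.path: ak-` reads like a name-prefix filter, but External Secrets documents `find.path` as a root path for the search and selects by name through `find.name.regexp`; whether the Infisical provider treats `ak-` as a prefix is not visible here, and if it does not the generated `authentik-creds` Secret will be empty or hold every key in the store. The HelmRelease in this commit requires exactly `ak-pg-username`, `ak-pg-password` and `ak-secret-key` with `optional: false`, so a mismatch here blocks the release rather than failing at runtime. If prefix selection is the intent, the documented form is `name:` / `regexp: '^ak-'` under `find`, and a comment naming the three keys the consumer expects, e.g. `# must yield ak-pg-username, ak-pg-password, ak-secret-key (consumed by the authentik HelmRelease)`, would make the contract explicit.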


@ -2,5 +2,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- bitnami-repository.yaml - repositories
- middlewares


@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: authentik
namespace: flux-system
spec:
interval: 5m
url: https://charts.goauthentik.io


@ -8,5 +8,3 @@ spec:
type: "oci" type: "oci"
interval: 5m interval: 5m
url: oci://registry-1.docker.io/bitnamicharts url: oci://registry-1.docker.io/bitnamicharts


@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- bitnami.yaml
- authentik.yaml


@ -28,6 +28,7 @@ spec:
kind: Rule kind: Rule
middlewares: middlewares:
- name: redirect-tonydu-me-mnke-org - name: redirect-tonydu-me-mnke-org
namespace: default
services: services:
- kind: Service - kind: Service
name: jellyfin-tonydu-external name: jellyfin-tonydu-external


@ -28,6 +28,7 @@ spec:
kind: Rule kind: Rule
middlewares: middlewares:
- name: redirect-tonydu-me-mnke-org - name: redirect-tonydu-me-mnke-org
namespace: default
services: services:
- kind: Service - kind: Service
name: seerr-tonydu-external name: seerr-tonydu-external


@ -22,6 +22,7 @@ proxies:
listen_host: media.tonydu.me listen_host: media.tonydu.me
middlewares: middlewares:
- name: redirect-tonydu-me-mnke-org - name: redirect-tonydu-me-mnke-org
namespace: default
- <<: *seerr - <<: *seerr
service_name: seerr-mnke service_name: seerr-mnke
@ -34,4 +35,5 @@ proxies:
listen_host: seerr.tonydu.me listen_host: seerr.tonydu.me
middlewares: middlewares:
- name: redirect-tonydu-me-mnke-org - name: redirect-tonydu-me-mnke-org
namespace: default


@ -2,9 +2,10 @@ apiVersion: traefik.io/v1alpha1
kind: Middleware kind: Middleware
metadata: metadata:
name: authentik name: authentik
namespace: default
spec: spec:
forwardAuth: forwardAuth:
address: https://authentik.mnke.org/auth/traefik address: http://ak-outpost-domain-forward-auth-provider.default.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true trustForwardHeader: true
authResponseHeaders: authResponseHeaders:
- X-authentik-username - X-authentik-username
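Review bot: `trustForwardHeader: true` tells Traefik to pass the X-Forwarded-* headers it received on to the outpost at the new `address`, so the scheme and host authentik uses for its auth decision and redirect URLs come from those headers; that is only safe if the Traefik entrypoint's `forwardedHeaders` is restricted to trusted upstream proxies, which is configured outside this file and should be confirmed. The switch from the public `https://authentik.mnke.org/...` to `http://ak-outpost-domain-forward-auth-provider.default.svc.cluster.local:9000/...` keeps the auth hop in-cluster and avoids hairpinning through the ingress, but the Service name appears to be derived from the outpost's name inside authentik, so renaming the outpost would silently break every route behind this middleware. A comment above `address`, e.g. `# Service is created by the authentik Kubernetes outpost "domain-forward-auth-provider"; keep the names in sync`, would record that coupling. The `authResponseHeaders` list continues past the end of the hunk.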


@ -3,6 +3,7 @@ apiVersion: traefik.io/v1alpha1
kind: Middleware kind: Middleware
metadata: metadata:
name: redirect-tonydu-me-mnke-org name: redirect-tonydu-me-mnke-org
namespace: default
spec: spec:
redirectRegex: redirectRegex:
permanent: false permanent: false


@ -5,4 +5,5 @@ resources:
- common - common
- uptime-kuma - uptime-kuma
- ghost - ghost
- authentik
- ingressroutes - ingressroutes