feat: Add authentik

Tony Du 2025-02-05 16:26:14 -08:00
parent 43818c79a3
commit 448637fd69
10 changed files with 137 additions and 17 deletions


@ -7,7 +7,7 @@
Install dependencies (Arch):
```sh
pacman -Sy opentofu kubectl helm helmfile python
pacman -Sy opentofu kubectl helm helmfile python fluxcd
```
### Promxox
@ -114,17 +114,37 @@ kubectl apply -f proxmox/k8s/examples/001-example.yml
kubectl describe nginx
# Now try checking that the deployment works:
curl http://[allocated-ip]
# Clean it up
kubectl delete -f proxmox/k8s/examples/001-example.yml
```
### Install Helm charts
Lastly, run `kubectl apply -f k8s/pre-infrastructure/dns-config-map.yaml` so
pods in the cluster automatically pick up on the DNS server.
### Set up GitOps
Prerequisites:
- Gitea is set up
- Infisical or some other secrets provider is set up
Follow [the Infisical guide to get a client id and secret](https://infisical.com/docs/documentation/platform/identities/universal-auth).
Use it to apply [a manifest](https://external-secrets.io/latest/provider/infisical/)
**in the `external-secrets` namespace**.
Create a Gitea token with at least enough privileges mentioned in [this guide](https://fluxcd.io/flux/installation/bootstrap/gitea/).
Run the commands below.
```sh
kubectl create secret generic regcred \
--from-file=.dockerconfigjson=$HOME/.docker/config.json \
--type=kubernetes.io/dockerconfigjson
# Assuming from the repo root
cd proxmox/k8s/helmfile
helmfile sync -f proxmox/k8s/helmfile.d
export GITEA_TOKEN=<token>
flux bootstrap gitea \
--owner=tony \
--repository=homelab \
--hostname=https://git.mnke.org \
--token-auth \
--path=k8s/clusters/dolo \
--personal \
--branch=master
```
## Credits


@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- repository.yaml
- secret.yaml
- release.yaml


@ -0,0 +1,6 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: authentik


@ -0,0 +1,58 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: authentik
namespace: authentik
spec:
interval: 10m0s
chart:
spec:
chart: authentik
reconcileStrategy: ChartVersion
sourceRef:
kind: HelmRepository
name: authentik
namespace: authentik
valuesFrom:
- kind: Secret
name: authentik-creds
valuesKey: ak-pg-username
targetPath: authentik.postgresql.user
optional: false
- kind: Secret
name: authentik-creds
valuesKey: ak-pg-password
targetPath: authentik.postgresql.password
optional: false
- kind: Secret
name: authentik-creds
valuesKey: ak-secret-key
targetPath: authentik.secret_key
optional: false
values:
authentik:
postgresql:
host: db.home.mnke.org
name: authentik
# user: ""
# password: ""
port: 5432
# secret_key: ""
server:
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: le-cf-issuer
kubernetes.io/ingress.class: traefik
hosts:
- authentik.mnke.org
- authentik.dolo.mnke.org
ingressClassName: traefik
postgresql:
enabled: false
redis:
enabled: true
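Review bot: The `server.ingress` values carry a `cert-manager.io/cluster-issuer` annotation but no `tls` entry, so cert-manager's ingress-shim has no `spec.tls` hosts to issue a certificate for and the two `hosts` would be reachable without a trusted certificate; for an identity provider that is worth closing before the release is enabled. Adding a `tls` block naming both hosts gives the annotation something to act on. The `kubernetes.io/ingress.class: traefik` annotation duplicates `ingressClassName: traefik` and is the deprecated form; dropping it avoids a conflict if the two ever diverge. Whether the connection to `db.home.mnke.org` on 5432 is TLS-protected is not visible here — presumably it crosses the home network in the clear unless the chart's Postgres TLS options are set; verify.
```yaml
    server:
      ingress:
        # … unchanged: enabled, annotations, hosts, ingressClassName …
        tls:
          - secretName: authentik-tls  # constructed name; any unused Secret name in the namespace works
            hosts:
              - authentik.mnke.org
              - authentik.dolo.mnke.org
```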


@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: authentik
namespace: authentik
spec:
interval: 10m0s
url: https://charts.goauthentik.io


@ -0,0 +1,17 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik-creds
namespace: authentik
spec:
secretStoreRef:
kind: ClusterSecretStore
name: infisical
target:
name: authentik-creds
dataFrom:
- find:
path: ak-
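Review bot: `dataFrom.find.path: ak-` copies every store entry matching the `ak-` prefix into the `authentik-creds` Secret, while the HelmRelease reads exactly three keys (`ak-pg-username`, `ak-pg-password`, `ak-secret-key`), so any other `ak-*` entry added to Infisical later lands in the namespace too. Listing the three keys explicitly under `data` keeps the Secret equal to what the release consumes, and since the `find.path` semantics of the Infisical provider are not obvious from this file, the explicit form is also easier to verify. No `refreshInterval` is set, so the operator default applies; stating it makes the rotation window visible.
```yaml
spec:
  refreshInterval: 1h  # constructed value; choose the rotation window you want
  # … unchanged: secretStoreRef, target …
  data:
    - secretKey: ak-pg-username
      remoteRef:
        key: ak-pg-username
    - secretKey: ak-pg-password
      remoteRef:
        key: ak-pg-password
    - secretKey: ak-secret-key
      remoteRef:
        key: ak-secret-key
```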


@ -4,3 +4,4 @@ resources:
- kube-prometheus-stack
- uptime-kuma
- rancher
# - authentik
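Review bot: The new `# - authentik` entry leaves the authentik manifests added in this commit unreferenced, so Flux will not reconcile them; if that is deliberate staging, a short comment saying what it waits on, e.g. `# - authentik  # disabled until <reason>`, keeps it from being read as finished wiring. The enclosing `resources` list starts above the hunk.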


@ -6,7 +6,7 @@ metadata:
namespace: flux-system
spec:
interval: 10m0s
retryInterval: 1m
retryInterval: 30s
dependsOn:
- name: infrastructure
sourceRef:


@ -6,7 +6,7 @@ metadata:
namespace: flux-system
spec:
interval: 1h
retryInterval: 1m
retryInterval: 30s
timeout: 5m
sourceRef:
kind: GitRepository
@ -23,7 +23,7 @@ metadata:
namespace: flux-system
spec:
interval: 1h
retryInterval: 1m
retryInterval: 30s
timeout: 5m
sourceRef:
kind: GitRepository
@ -42,7 +42,7 @@ metadata:
namespace: flux-system
spec:
interval: 1h
retryInterval: 1m
retryInterval: 30s
timeout: 5m
sourceRef:
kind: GitRepository
@ -61,7 +61,7 @@ metadata:
namespace: flux-system
spec:
interval: 1h
retryInterval: 1m
retryInterval: 30s
timeout: 5m
sourceRef:
kind: GitRepository
@ -81,7 +81,7 @@ metadata:
namespace: flux-system
spec:
interval: 1h
retryInterval: 1m
retryInterval: 30s
timeout: 5m
sourceRef:
kind: GitRepository
@ -106,7 +106,7 @@ metadata:
namespace: flux-system
spec:
interval: 1h
retryInterval: 1m
retryInterval: 10s
timeout: 5m
sourceRef:
kind: GitRepository
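Review bot: The last hunk sets `retryInterval: 10s` while the five preceding hunks in this file and the sibling file use `30s`; if the faster retry is deliberate for this Kustomization, a one-line comment above it (`# retried faster than the rest: <reason>`) would keep it from being normalised in the next sweep. Each Kustomization object starts above its hunk, so the names are not visible here.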


@ -5,8 +5,8 @@ metadata:
name: le-cf-issuer
spec:
acme:
# server: https://acme-v02.api.letsencrypt.org/directory
server: https://acme-staging-v02.api.letsencrypt.org/directory
server: https://acme-v02.api.letsencrypt.org/directory
# server: https://acme-staging-v02.api.letsencrypt.org/directory
email: tonydu121@hotmail.com
privateKeySecretRef:
name: le-cf-issuer-pk
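Review bot: Switching `server` to the production ACME endpoint does not by itself reissue certificates that were obtained from staging; as far as I can tell cert-manager only reissues when a Certificate's spec changes or its renewal window opens, so existing TLS Secrets keep serving staging-signed certificates until then. Deleting the affected TLS Secrets (or running `cmctl renew`) after this lands is the usual step; a comment beside `server` such as `# switched from staging: delete existing TLS Secrets once to reissue` would record it. The account key in `le-cf-issuer-pk` is reused against the new endpoint, which cert-manager handles by registering a fresh account, but production rate limits now apply, so a bulk reissue should be paced.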