feat(authentik): app-template (#894)

* feat(authentik): app-template

* feat(authentik): app-template

* feat(authentik): app-template

* feat(authentik): app-template

* feat(authentik): app-template

* feat(authentik): app-template

* feat(authentik): app-template

* feat(authentik): app-template
This commit is contained in:
JJGadgets
2024-05-18 04:50:51 +08:00
committed by GitHub
parent e9a0cf3a81
commit 0475eb3bb2
15 changed files with 416 additions and 447 deletions


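--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,54 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: &name authentik-secrets
+namespace: authentik
+spec:
+refreshInterval: 1m
+secretStoreRef:
+kind: ClusterSecretStore
+name: 1p
+dataFrom:
+- extract:
+key: "authentik - ${CLUSTER_NAME}"
+target:
+creationPolicy: Owner
+deletionPolicy: Retain
+name: *name
+template:
+type: "Opaque"
+data:
+AUTHENTIK_SECRET_KEY: '{{ .AUTHENTIK_SECRET_KEY }}'
+AUTHENTIK_REDIS__PASSWORD: '{{ .AUTHENTIK_REDIS__PASSWORD }}'
+AUTHENTIK_EMAIL__FROM: '{{ .AUTHENTIK_EMAIL__FROM }}'
+AUTHENTIK_EMAIL__HOST: '{{ .AUTHENTIK_EMAIL__HOST }}'
+AUTHENTIK_EMAIL__PORT: '{{ .AUTHENTIK_EMAIL__PORT }}'
+AUTHENTIK_EMAIL__USE_TLS: '{{ .AUTHENTIK_EMAIL__USE_TLS }}'
+AUTHENTIK_EMAIL__USE_SSL: '{{ .AUTHENTIK_EMAIL__USE_SSL }}'
+AUTHENTIK_EMAIL__USERNAME: '{{ .AUTHENTIK_EMAIL__USERNAME }}'
+AUTHENTIK_EMAIL__PASSWORD: '{{ .AUTHENTIK_EMAIL__PASSWORD }}'
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: &name authentik-ldap
+namespace: authentik
+spec:
+refreshInterval: 1m
+secretStoreRef:
+kind: ClusterSecretStore
+name: 1p
+dataFrom:
+- extract:
+key: "authentik - ${CLUSTER_NAME}"
+target:
+creationPolicy: Owner
+deletionPolicy: Retain
+name: *name
+template:
+type: "Opaque"
+data:
+AUTHENTIK_TOKEN: '{{ .AUTHENTIK_TOKEN }}'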
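Review bot: The `authentik-ldap` ExternalSecret renders its only key as `AUTHENTIK_TOKEN`, but the ldap container in the HelmRelease of this same commit reads `secretKeyRef: name: authentik-ldap, key: token`, and the plain Secret this object replaces also carried the key `token`, so the outpost pod will fail to start with a missing-key error until the two agree. Either render the template line here as `token: '{{ .AUTHENTIK_TOKEN }}'` or switch the HelmRelease reference to `key: AUTHENTIK_TOKEN`. Both ExternalSecrets extract the same 1Password item, so the template key is the only thing that distinguishes the two generated Secrets; a one-line comment above each `template:` naming the consumer that reads it would make that contract visible.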


@@ -5,127 +5,319 @@ metadata:
name: &app authentik
namespace: *app
spec:
interval: 5m
chart:
spec:
chart: *app
version: &vers 2023.10.7
chart: app-template
version: 3.1.0
sourceRef:
name: *app
name: bjw-s
kind: HelmRepository
namespace: flux-system
values:
image:
repository: "ghcr.io/goauthentik/server"
tag: "2023.10.7" # specify image tag for Renovate to pull changelogs & security info, and for security releases without a chart release
#digest: "sha256:8ebdd51a95d3efdcb0cf3b26ed849cc0f9a8c032adb8cd595cabb59a1f321161" # TODO: apparently Renovate doesn't see this as a digest?
pullPolicy: IfNotPresent
# server is in active-active, 3 replicas seems to confuse authentik
replicas: 2
worker:
# workers don't need leader election, thus any size works
replicas: 2
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
service:
port: 9000
ingress:
enabled: true
ingressClassName: "nginx-external"
annotations:
external-dns.alpha.kubernetes.io/target: "${DNS_CF}"
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
# WebSockets (used for frontend to backend connection)
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
hosts:
- host: &host "${APP_DNS_AUTH}"
paths:
- path: "/"
pathType: Prefix
tls:
- hosts:
- *host
secretName: authentik-tls
volumes:
- name: authentik-tls
secret:
secretName: authentik-tls
optional: false
items:
- key: tls.crt
path: fullchain.pem
- key: tls.key
path: privkey.pem
volumeMounts:
- name: authentik-tls
mountPath: /certs/${APP_DNS_AUTH}-k8s
readOnly: true
authentik:
log_level: debug
secret_key: "${SECRET_AUTHENTIK_SECRET_KEY}"
email:
host: "${SECRET_AUTHENTIK_SMTP_HOST}"
port: 587
username: "${SECRET_AUTHENTIK_SMTP_USERNAME}"
password: "${SECRET_AUTHENTIK_SMTP_PASSWORD}"
use_tls: true
from: "${SECRET_AUTHENTIK_SMTP_FROM}"
outposts:
container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
error_reporting:
enabled: false
send_pii: false
postgresql:
enabled: false
host: 'pg-authentik-primary.authentik.svc.cluster.local'
port: 5432
name: ""
user: ""
password: ""
controllers:
authentik:
type: deployment
replicas: 2
strategy: RollingUpdate
rollingUpdate:
unavailable: "90%"
pod:
labels:
ingress.home.arpa/nginx-external: allow
ingress.home.arpa/nginx-internal: allow
ingress.home.arpa/nginx-public: allow
egress.home.arpa/nginx-external: allow
egress.home.arpa/nginx-internal: allow
egress.home.arpa/nginx-public: allow
db.home.arpa/pg: pg-authentik
s3.home.arpa/store: "rgw-${CLUSTER_NAME}"
prom.home.arpa/kps: allow
topologySpreadConstraints:
- &tsc
maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
app.kubernetes.io/component: *app
containers:
main:
image: &img
repository: ghcr.io/goauthentik/server
tag: 2023.10.7
args: [server]
env: &env
TZ: "${CONFIG_TZ}"
AUTHENTIK_POSTGRESQL__HOST:
valueFrom:
secretKeyRef:
name: pg-authentik-pguser-authentik
key: pgbouncer-host
AUTHENTIK_POSTGRESQL__PORT:
valueFrom:
secretKeyRef:
name: pg-authentik-pguser-authentik
key: pgbouncer-port
AUTHENTIK_POSTGRESQL__NAME:
valueFrom:
secretKeyRef:
name: pg-authentik-pguser-authentik
key: dbname
AUTHENTIK_POSTGRESQL__USER:
valueFrom:
secretKeyRef:
name: pg-authentik-pguser-authentik
key: user
AUTHENTIK_POSTGRESQL__PASSWORD:
valueFrom:
secretKeyRef:
name: pg-authentik-pguser-authentik
key: password
AUTHENTIK_POSTGRESQL__USE_PGBOUNCER: "true"
AUTHENTIK_POSTGRESQL__SSLMODE: verify-ca
AUTHENTIK_POSTGRESQL__SSLROOTCERT: &pgca /secrets/pg/ca.crt
AUTHENTIK_REDIS__HOST: authentik-redis.authentik.svc.cluster.local.
AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: "${IP_POD_CIDR_V4}"
AUTHENTIK_ERROR_REPORTING__ENABLED: "false"
AUTHENTIK_ERROR_REPORTING__SEND_PII: "false"
envFrom: &envFrom
- secretRef:
name: authentik-secrets
securityContext: &sc
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
resources:
requests:
cpu: "10m"
memory: "128Mi"
limits:
cpu: "1000m"
memory: "2Gi"
probes:
liveness:
enabled: true
readiness:
enabled: true
worker:
type: deployment
replicas: 3
pod:
labels:
db.home.arpa/pg: pg-authentik
s3.home.arpa/store: "rgw-${CLUSTER_NAME}"
authentik.home.arpa/https: allow
prom.home.arpa/kps: allow
# egress.home.arpa/internet: allow
topologySpreadConstraints:
- <<: *tsc
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
app.kubernetes.io/component: worker
containers:
main:
image: *img
args: [worker]
env: *env
envFrom: *envFrom
securityContext: *sc
resources:
requests:
cpu: "10m"
memory: "128Mi"
limits:
cpu: "1000m"
memory: "4Gi"
probes:
liveness:
enabled: true
readiness:
enabled: true
ldap:
type: deployment
replicas: 3
pod:
labels:
authentik.home.arpa/https: allow
topologySpreadConstraints:
- <<: *tsc
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
app.kubernetes.io/component: ldap
containers:
main:
image:
<<: *img
repository: ghcr.io/goauthentik/ldap
tag: 2023.10.7@sha256:c483b0adf9a2123ab3d0498450d3d0f91344c97248dba789a4f80fdd3f6eb213
env:
AUTHENTIK_HOST: "${APP_DNS_AUTHENTIK}"
AUTHENTIK_TOKEN:
valueFrom:
secretKeyRef:
name: authentik-ldap
key: token
securityContext: *sc
resources:
requests:
cpu: "10m"
memory: "128Mi"
limits:
cpu: "1000m"
memory: "4Gi"
probes:
liveness:
enabled: true
readiness:
enabled: true
redis:
host: "authentik-redis.authentik.svc.cluster.local"
password: ""
envValueFrom:
AUTHENTIK_POSTGRESQL__NAME:
secretKeyRef:
name: &pgsec pg-authentik-pguser-authentik
key: dbname
AUTHENTIK_POSTGRESQL__USER:
secretKeyRef:
name: *pgsec
key: user
AUTHENTIK_POSTGRESQL__PASSWORD:
secretKeyRef:
name: *pgsec
key: password
AUTHENTIK_REDIS__PASSWORD:
secretKeyRef:
name: authentik-redis
key: password
redis:
enabled: false
blueprints: []
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: fuckoff.home.arpa/home-assistant
operator: DoesNotExist
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
app.kubernetes.io/instance: *app
app.kubernetes.io/component: server
- topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
app.kubernetes.io/instance: *app
app.kubernetes.io/component: worker
type: deployment
replicas: 1
containers:
redis:
image:
repository: "public.ecr.aws/docker/library/redis"
tag: "7.2.4@sha256:f14f42fc7e824b93c0e2fe3cdf42f68197ee0311c3d2e0235be37480b2e208e6"
command: ["redis-server", "--save", "''", "--appendonly", "no", "--requirepass", "$(AUTHENTIK_REDIS__PASSWORD)"] # save and appendonly options forcibly disable RDB and AOF persistence entirely
envFrom: *envFrom
securityContext: *sc
resources:
requests:
cpu: "10m"
memory: "32Mi"
limits:
cpu: "1000m"
memory: "512Mi"
service:
authentik:
controller: authentik
ports:
http: &port
port: 9000
protocol: HTTP
appProtocol: http
http-80:
<<: *port
port: 80
targetPort: 9000
metrics:
<<: *port
port: 9300
redis:
primary: false
controller: redis
ports:
redis:
port: 6379
expose:
primary: false
controller: authentik
type: LoadBalancer
annotations:
io.cilium/internal: "true"
io.cilium/lb-ipam-ips: "${APP_IP_AUTHENTIK}"
ports:
http:
port: 443
targetPort: 9443
protocol: HTTPS
appProtocol: https
ldap:
primary: false
controller: ldap
type: LoadBalancer
annotations:
coredns.io/hostname: "${APP_DNS_AUTHENTIK_LDAP}"
io.cilium/lb-ipam-ips: "${APP_IP_AUTHENTIK_LDAP}"
ports:
ldap-tcp: &ldap
port: 389
targetPort: 3389
protocol: TCP
ldap-udp:
<<: *ldap
protocol: UDP
ldaps-tcp: &ldaps
port: 636
targetPort: 6636
protocol: TCP
ldaps-udp:
<<: *ldaps
protocol: UDP
ingress:
main:
className: nginx-external
annotations:
external-dns.alpha.kubernetes.io/target: "${DNS_CF}"
external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
hosts:
- host: &host "${APP_DNS_AUTHENTIK}"
paths: &paths
- path: /
pathType: Prefix
service:
identifier: authentik
port: http
tls:
- hosts: [*host]
secretName: authentik-tls
persistence:
pg-ca:
type: secret
name: pg-home-ca
defaultMode: 0400
globalMounts:
- subPath: ca.crt
path: *pgca
tls:
type: secret
name: authentik-tls
defaultMode: 0400
globalMounts:
- path: "/certs/${APP_DNS_AUTHENTIK}-k8s"
defaultPodOptions:
automountServiceAccountToken: false
enableServiceLinks: false
hostAliases:
- ip: "${APP_IP_AUTHENTIK}"
hostnames: ["${APP_DNS_AUTHENTIK}"]
securityContext:
runAsNonRoot: true
runAsUser: &uid 1000
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: Always
seccompProfile: { type: "RuntimeDefault" }
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: fuckoff.home.arpa/authentik
operator: DoesNotExist
networkpolicies:
same-ns:
podSelector: {}
policyTypes: [Ingress, Egress]
rules:
ingress: [from: [{podSelector: {}}]]
egress: [to: [{podSelector: {}}]]
vm-ad:
controller: worker
policyTypes: [Egress]
rules:
egress: [to: [{ipBlock: {cidr: "${IP_AD_CIDR}"}}]]
serviceMonitor:
authentik:
serviceName: authentik
endpoints:
- port: metrics
scheme: http
path: /metrics
interval: 1m
scrapeTimeout: 30s
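Review bot: `AUTHENTIK_HOST: "${APP_DNS_AUTHENTIK}"` on the ldap container carries no scheme, whereas the ldap HelmRelease removed in this commit set `AUTHENTIK_HOST: "https://${APP_DNS_AUTH}"`; if the outpost still expects a full URL the ldap pods cannot reach the server, so this should read `AUTHENTIK_HOST: "https://${APP_DNS_AUTHENTIK}"` unless the substitution variable already includes the scheme. Separately, the redis container takes `envFrom: *envFrom`, which injects the whole `authentik-secrets` Secret (signing key, SMTP credentials) into a process that only consumes `$(AUTHENTIK_REDIS__PASSWORD)`; a dedicated `env` entry with a `secretKeyRef` for that single key keeps the remaining values out of the redis container and matches the least-privilege posture the pod-level `securityContext` otherwise establishes. The hunk ends at `serviceMonitor`, so any trailing values keys are not visible here.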


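--- a/PATH_NOT_SHOWN_2
+++ /dev/null
@@ -1,27 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-name: authentik-cilium
-namespace: authentik
-annotations:
-ingress.cilium.io/websocket: "enabled"
-ingress.cilium.io/service-type: "LoadBalancer"
-ingress.cilium.io/loadbalancer-mode: "dedicated"
-io.cilium/lb-ipam-ips: "${APP_IP_AUTHENTIK_INGRESS}"
-spec:
-ingressClassName: "cilium"
-rules:
-- host: &host "2${APP_DNS_AUTHENTIK}"
-http:
-paths:
-- pathType: Prefix
-path: "/"
-backend:
-service:
-name: authentik
-port:
-name: http
-tls:
-- hosts:
-- *host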


@@ -8,15 +8,6 @@ metadata:
spec:
endpointSelector: {}
ingress:
# same namespace
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: *app
# ingress controller
- fromEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress
app.kubernetes.io/name: ingress-nginx
# allow HTTPS traffic in-cluster
- fromEndpoints:
- matchLabels:
@@ -32,11 +23,6 @@ spec:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: *app
# allow all ingress-nginx
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: ingress
app.kubernetes.io/name: ingress-nginx
# allow Duo
- toFQDNs:
- matchPattern: "api-*.duosecurity.com"
@@ -64,8 +50,49 @@ spec:
- matchLabels:
io.kubernetes.pod.namespace: authentik
app.kubernetes.io/name: authentik
app.kubernetes.io/instance: authentik
app.kubernetes.io/component: server
app.kubernetes.io/component: authentik
toPorts:
- ports:
- port: "9443"
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: authentik-ldap
namespace: &app authentik
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: *app
app.kubernetes.io/component: ldap
ingress:
# allow LDAP traffic
- fromEndpoints:
- matchLabels:
authentik.home.arpa/ldap: allow
matchExpressions:
- key: io.kubernetes.pod.namespace
operator: Exists
toPorts:
- ports:
- port: "6636"
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: &app authentik-ldap
spec:
endpointSelector:
matchLabels:
authentik.home.arpa/ldap: allow
egress:
- toEndpoints:
- matchLabels:
io.kubernetes.pod.namespace: authentik
app.kubernetes.io/name: *app
app.kubernetes.io/component: ldap
toPorts:
- ports:
- port: "6636"
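Review bot: In the CiliumClusterwideNetworkPolicy the anchor `&app` is now defined on `name: authentik-ldap`, so the egress selector `app.kubernetes.io/name: *app` resolves to `authentik-ldap`, while the ldap pods created by the HelmRelease in this commit carry `app.kubernetes.io/name: authentik` with `app.kubernetes.io/component: ldap`; the egress rule therefore matches no endpoint, and consumers labelled `authentik.home.arpa/ldap: allow` are not granted the path to port 6636 by this object. Change the selector line to `app.kubernetes.io/name: authentik` (the CiliumNetworkPolicy above it anchors `&app` on the namespace and so already resolves correctly). Each `---` resets anchors, which is why the same alias name yields different values in the two documents.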


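--- a/PATH_NOT_SHOWN_3
+++ /dev/null
@@ -1,11 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-name: pg-authentik-superuser
-namespace: authentik
-type: Opaque
-stringData:
-# username MUST BE 'postgres'!
-username: postgres
-password: "${SECRET_AUTHENTIK_PG_SUPER_PASS}"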


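--- a/PATH_NOT_SHOWN_4
+++ /dev/null
@@ -1,22 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
-name: authentik-https-in-cluster
-namespace: authentik
-annotations:
-# this is for in-cluster apps only, DNS is configured via hostAliases
-io.cilium/internal: "true"
-io.cilium/lb-ipam-ips: "${APP_IP_AUTHENTIK}"
-spec:
-type: LoadBalancer
-selector:
-app.kubernetes.io/name: authentik
-app.kubernetes.io/instance: authentik
-app.kubernetes.io/component: server
-ports:
-- name: https
-port: 443
-targetPort: 9443
-protocol: TCP
-allocateLoadBalancerNodePorts: false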


@@ -4,27 +4,15 @@ kind: Kustomization
metadata:
name: authentik-app
namespace: flux-system
labels: &l
app.kubernetes.io/name: "authentik"
spec:
commonMetadata:
labels: *l
path: ./kube/deploy/apps/authentik/app
targetNamespace: "authentik"
dependsOn:
- name: 1-core-ingress-nginx-app
- name: authentik-redis
- name: authentik-db
healthChecks:
- name: authentik
namespace: authentik
kind: HelmRelease
apiVersion: helm.toolkit.fluxcd.io/v2beta1
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: authentik-ldap
namespace: flux-system
spec:
path: ./kube/deploy/apps/authentik/ldap
dependsOn:
- name: authentik-app
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
@@ -47,21 +35,3 @@ spec:
PG_SC: "local"
PG_CONFIG_VERSION: "15.2-11"
PG_CONFIG_SIZE: "20Gi"
# healthChecks:
# - name: pg-authentik-s3
# namespace: authentik
# kind: ObjectBucketClaim
# apiVersion: objectbucket.io/v1alpha1
# - name: pg-authentik
# namespace: authentik
# kind: Cluster
# apiVersion: postgresql.cnpg.io/v1
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: authentik-redis
namespace: flux-system
spec:
path: ./kube/deploy/apps/authentik/redis
dependsOn: []
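Review bot: The first hunk drops the `healthChecks` block that pointed at the `authentik` HelmRelease (old and new sides are not marked on this page, so this is read from the entries that no longer appear in the new counts), which means `authentik-app` reports Ready as soon as the HelmRelease object exists rather than when the chart has reconciled; anything that has `dependsOn: authentik-app` would proceed earlier than before. If that is intentional, a short comment above `dependsOn:` saying so would save the next reader a check; otherwise keep a `healthChecks` entry for `kind: HelmRelease` with an `apiVersion` matching the release. The second hunk removes the `authentik-redis` Kustomization, which is consistent with redis moving into the app-template release.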


@@ -3,5 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ns.yaml
- repo.yaml
- ks.yaml


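--- a/PATH_NOT_SHOWN_5
+++ /dev/null
@@ -1,85 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-name: &app authentik-ldap
-namespace: authentik
-spec:
-chart:
-spec:
-chart: app-template
-version: 1.5.1
-sourceRef:
-name: bjw-s
-kind: HelmRepository
-namespace: flux-system
-values:
-global:
-fullnameOverride: *app
-automountServiceAccountToken: false
-controller:
-type: deployment
-replicas: 2
-image:
-repository: ghcr.io/goauthentik/ldap
-tag: "2023.10.7@sha256:c483b0adf9a2123ab3d0498450d3d0f91344c97248dba789a4f80fdd3f6eb213"
-podLabels:
-egress.home.arpa/nginx-external: "allow"
-env:
-TZ: "${CONFIG_TZ}"
-AUTHENTIK_HOST: "https://${APP_DNS_AUTH}"
-AUTHENTIK_TOKEN:
-valueFrom:
-secretKeyRef:
-name: authentik-ldap
-key: token
-service:
-main:
-enabled: true
-type: LoadBalancer
-externalTrafficPolicy: Cluster
-annotations:
-coredns.io/hostname: "${APP_DNS_AUTHENTIK_LDAP}"
-"io.cilium/lb-ipam-ips": "${APP_IP_AUTHENTIK_LDAP}"
-ports:
-http:
-enabled: false
-ldap-tcp:
-enabled: true
-port: 389
-targetPort: 3389
-protocol: TCP
-ldap-udp:
-enabled: true
-port: 389
-targetPort: 3389
-protocol: UDP
-ldaps-tcp:
-enabled: true
-port: 636
-targetPort: 6636
-protocol: TCP
-ldaps-udp:
-enabled: true
-port: 636
-targetPort: 6636
-protocol: UDP
-podSecurityContext:
-runAsUser: &uid ${APP_UID_AUTHENTIK_LDAP}
-runAsGroup: *uid
-fsGroup: *uid
-fsGroupChangePolicy: Always
-resources:
-requests:
-cpu: 10m
-memory: 128Mi
-limits:
-memory: 6000Mi
-topologySpreadConstraints:
-- maxSkew: 1
-topologyKey: "kubernetes.io/hostname"
-whenUnsatisfiable: "DoNotSchedule"
-labelSelector:
-matchLabels:
-app.kubernetes.io/name: *app
-app.kubernetes.io/instance: *app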


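--- a/PATH_NOT_SHOWN_6
+++ /dev/null
@@ -1,56 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-name: &app authentik-ldap
-namespace: authentik
-spec:
-endpointSelector:
-matchLabels:
-app.kubernetes.io/name: *app
-ingress:
-# same namespace
-- fromEndpoints:
-- matchLabels:
-io.kubernetes.pod.namespace: *app
-# allow LDAP traffic
-- fromEndpoints:
-- matchLabels:
-authentik.home.arpa/ldap: allow
-matchExpressions:
-- key: io.kubernetes.pod.namespace
-operator: Exists
-toPorts:
-- ports:
-- port: "6636"
-egress:
-# same namespace
-- toEndpoints:
-- matchLabels:
-io.kubernetes.pod.namespace: *app
-# allow ingress-nginx
-- toEndpoints:
-- matchLabels:
-io.kubernetes.pod.namespace: ingress
-app.kubernetes.io/component: controller
-app.kubernetes.io/instance: ingress-nginx
-app.kubernetes.io/name: ingress-nginx
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
-name: &app authentik-ldap
-spec:
-endpointSelector:
-matchLabels:
-authentik.home.arpa/ldap: allow
-egress:
-- toEndpoints:
-- matchLabels:
-io.kubernetes.pod.namespace: authentik
-app.kubernetes.io/name: *app
-toPorts:
-- ports:
-- port: "6636"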


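--- a/PATH_NOT_SHOWN_7
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-name: authentik-ldap
-namespace: authentik
-type: Opaque
-stringData:
-token: "${SECRET_AUTHENTIK_LDAP_TOKEN}"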


@@ -3,3 +3,8 @@ apiVersion: v1
kind: Namespace
metadata:
name: authentik
labels:
kustomize.toolkit.fluxcd.io/prune: disabled
pod-security.kubernetes.io/enforce: &ps restricted
pod-security.kubernetes.io/audit: *ps
pod-security.kubernetes.io/warn: *ps
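Review bot: The three `pod-security.kubernetes.io/*` labels pin the namespace to the `restricted` profile without a `pod-security.kubernetes.io/enforce-version` label, so the profile tracks `latest` and tightens silently on each control-plane upgrade, which can stop previously admitted pods from being recreated. Adding `pod-security.kubernetes.io/enforce-version: &psv "<k8s-minor-placeholder>"` with matching `audit-version` and `warn-version` aliases makes that change deliberate. As far as the HelmRelease in this commit shows (non-root UID, `seccompProfile` RuntimeDefault, `drop: ["ALL"]`, `allowPrivilegeEscalation: false`), the workloads already meet `restricted`.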


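--- a/PATH_NOT_SHOWN_8
+++ /dev/null
@@ -1,49 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-name: &app authentik-redis
-namespace: authentik
-spec:
-chart:
-spec:
-chart: app-template
-version: 1.5.1
-sourceRef:
-name: bjw-s
-kind: HelmRepository
-namespace: flux-system
-values:
-global:
-fullnameOverride: *app
-automountServiceAccountToken: false
-controller:
-type: deployment
-replicas: 1
-image:
-repository: public.ecr.aws/docker/library/redis
-tag: 7.0.11-bullseye
-command:
-- sh
-args:
-- -c
-- >-
-redis-server --requirepass $REDIS_PASSWORD
-env:
-REDIS_PORT: "6379"
-REDIS_PASSWORD:
-valueFrom:
-secretKeyRef:
-name: authentik-redis
-key: password
-service:
-main:
-ports:
-http:
-port: 6379
-resources:
-requests:
-cpu: 10m
-memory: 204Mi
-limits:
-memory: 512Mi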


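--- a/PATH_NOT_SHOWN_9
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-name: authentik-redis
-namespace: authentik
-type: Opaque
-stringData:
-password: "${SECRET_AUTHENTIK_REDIS_PASSWORD}"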


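--- a/PATH_NOT_SHOWN_10
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1beta2
-kind: HelmRepository
-metadata:
-name: authentik
-namespace: flux-system
-spec:
-interval: 10m0s
-timeout: 3m0s
-url: https://charts.goauthentik.io/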