From 0475eb3bb2bc0ba49162dafc5b5357b8b0001f91 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Sat, 18 May 2024 04:50:51 +0800
Subject: [PATCH] feat(authentik): app-template (#894)

* feat(authentik): app-template
* feat(authentik): app-template
* feat(authentik): app-template
* feat(authentik): app-template
* feat(authentik): app-template
* feat(authentik): app-template
* feat(authentik): app-template
* feat(authentik): app-template
---
 kube/deploy/apps/authentik/app/es.yaml | 54 +++
 kube/deploy/apps/authentik/app/hr.yaml | 426 +++++++++++++-----
 kube/deploy/apps/authentik/app/ingress.yaml | 27 --
 kube/deploy/apps/authentik/app/netpol.yaml | 59 ++-
 .../apps/authentik/app/pg-superuser.yaml | 11 -
 kube/deploy/apps/authentik/app/svc.yaml | 22 -
 kube/deploy/apps/authentik/ks.yaml | 40 +-
 kube/deploy/apps/authentik/kustomization.yaml | 1 -
 kube/deploy/apps/authentik/ldap/hr.yaml | 85 ----
 kube/deploy/apps/authentik/ldap/netpol.yaml | 56 ---
 kube/deploy/apps/authentik/ldap/secret.yaml | 9 -
 kube/deploy/apps/authentik/ns.yaml | 5 +
 kube/deploy/apps/authentik/redis/hr.yaml | 49 --
 .../apps/authentik/redis/secret-redis.yaml | 9 -
 kube/deploy/apps/authentik/repo.yaml | 10 -
 15 files changed, 416 insertions(+), 447 deletions(-)
 create mode 100644 kube/deploy/apps/authentik/app/es.yaml
 delete mode 100644 kube/deploy/apps/authentik/app/ingress.yaml
 delete mode 100644 kube/deploy/apps/authentik/app/pg-superuser.yaml
 delete mode 100644 kube/deploy/apps/authentik/app/svc.yaml
 delete mode 100644 kube/deploy/apps/authentik/ldap/hr.yaml
 delete mode 100644 kube/deploy/apps/authentik/ldap/netpol.yaml
 delete mode 100644 kube/deploy/apps/authentik/ldap/secret.yaml
 delete mode 100644 kube/deploy/apps/authentik/redis/hr.yaml
 delete mode 100644 kube/deploy/apps/authentik/redis/secret-redis.yaml
 delete mode 100644 kube/deploy/apps/authentik/repo.yaml
diff --git a/kube/deploy/apps/authentik/app/es.yaml b/kube/deploy/apps/authentik/app/es.yaml
new file mode 100644
index 00000000..17edf89d
--- /dev/null +++ b/kube/deploy/apps/authentik/app/es.yaml @@ -0,0 +1,54 @@ +--- +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name authentik-secrets + namespace: authentik +spec: + refreshInterval: 1m + secretStoreRef: + kind: ClusterSecretStore + name: 1p + dataFrom: + - extract: + key: "authentik - ${CLUSTER_NAME}" + target: + creationPolicy: Owner + deletionPolicy: Retain + name: *name + template: + type: "Opaque" + data: + AUTHENTIK_SECRET_KEY: '{{ .AUTHENTIK_SECRET_KEY }}' + AUTHENTIK_REDIS__PASSWORD: '{{ .AUTHENTIK_REDIS__PASSWORD }}' + AUTHENTIK_EMAIL__FROM: '{{ .AUTHENTIK_EMAIL__FROM }}' + AUTHENTIK_EMAIL__HOST: '{{ .AUTHENTIK_EMAIL__HOST }}' + AUTHENTIK_EMAIL__PORT: '{{ .AUTHENTIK_EMAIL__PORT }}' + AUTHENTIK_EMAIL__USE_TLS: '{{ .AUTHENTIK_EMAIL__USE_TLS }}' + AUTHENTIK_EMAIL__USE_SSL: '{{ .AUTHENTIK_EMAIL__USE_SSL }}' + AUTHENTIK_EMAIL__USERNAME: '{{ .AUTHENTIK_EMAIL__USERNAME }}' + AUTHENTIK_EMAIL__PASSWORD: '{{ .AUTHENTIK_EMAIL__PASSWORD }}' +--- +# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name authentik-ldap + namespace: authentik +spec: + refreshInterval: 1m + secretStoreRef: + kind: ClusterSecretStore + name: 1p + dataFrom: + - extract: + key: "authentik - ${CLUSTER_NAME}" + target: + creationPolicy: Owner + deletionPolicy: Retain + name: *name + template: + type: "Opaque" + data: + AUTHENTIK_TOKEN: '{{ .AUTHENTIK_TOKEN }}' diff --git a/kube/deploy/apps/authentik/app/hr.yaml b/kube/deploy/apps/authentik/app/hr.yaml index cadf1ad8..bc525d5f 100644 --- a/kube/deploy/apps/authentik/app/hr.yaml +++ b/kube/deploy/apps/authentik/app/hr.yaml 
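Review bot: The `authentik-ldap` ExternalSecret renders its only key as `AUTHENTIK_TOKEN`, but the ldap container in the hr.yaml hunk reads it with `secretKeyRef: {name: authentik-ldap, key: token}` (the key the deleted ldap/secret.yaml provided), so the outpost pod should fail to start with a missing-key error once this is applied. Either render `token: '{{ .AUTHENTIK_TOKEN }}'` here or change the consumer to `key: AUTHENTIK_TOKEN`; the same mismatch shows on the hr.yaml side and needs only one of the two edits. Since the key name now lives in two files, a one-line comment next to the template such as `# key name must match the secretKeyRef in app/hr.yaml` would keep them from drifting again.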
@@ -5,127 +5,319 @@ metadata: name: &app authentik namespace: *app spec: + interval: 5m chart: spec: - chart: *app - version: &vers 2023.10.7 + chart: app-template + version: 3.1.0 sourceRef: - name: *app + name: bjw-s kind: HelmRepository namespace: flux-system values: - image: - repository: "ghcr.io/goauthentik/server" - tag: "2023.10.7" # specify image tag for Renovate to pull changelogs & security info, and for security releases without a chart release - #digest: "sha256:8ebdd51a95d3efdcb0cf3b26ed849cc0f9a8c032adb8cd595cabb59a1f321161" # TODO: apparently Renovate doesn't see this as a digest? - pullPolicy: IfNotPresent - # server is in active-active, 3 replicas seems to confuse authentik - replicas: 2 - worker: - # workers don't need leader election, thus any size works - replicas: 2 - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - service: - port: 9000 - ingress: - enabled: true - ingressClassName: "nginx-external" - annotations: - external-dns.alpha.kubernetes.io/target: "${DNS_CF}" - external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" - # WebSockets (used for frontend to backend connection) - nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" - nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" - hosts: - - host: &host "${APP_DNS_AUTH}" - paths: - - path: "/" - pathType: Prefix - tls: - - hosts: - - *host - secretName: authentik-tls - volumes: - - name: authentik-tls - secret: - secretName: authentik-tls - optional: false - items: - - key: tls.crt - path: fullchain.pem - - key: tls.key - path: privkey.pem - volumeMounts: - - name: authentik-tls - mountPath: /certs/${APP_DNS_AUTH}-k8s - readOnly: true - authentik: - log_level: debug - secret_key: "${SECRET_AUTHENTIK_SECRET_KEY}" - email: - host: "${SECRET_AUTHENTIK_SMTP_HOST}" - port: 587 - username: "${SECRET_AUTHENTIK_SMTP_USERNAME}" - password: "${SECRET_AUTHENTIK_SMTP_PASSWORD}" - use_tls: true - from: "${SECRET_AUTHENTIK_SMTP_FROM}" - outposts: - 
container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s - error_reporting: - enabled: false - send_pii: false - postgresql: - enabled: false - host: 'pg-authentik-primary.authentik.svc.cluster.local' - port: 5432 - name: "" - user: "" - password: "" + controllers: + authentik: + type: deployment + replicas: 2 + strategy: RollingUpdate + rollingUpdate: + unavailable: "90%" + pod: + labels: + ingress.home.arpa/nginx-external: allow + ingress.home.arpa/nginx-internal: allow + ingress.home.arpa/nginx-public: allow + egress.home.arpa/nginx-external: allow + egress.home.arpa/nginx-internal: allow + egress.home.arpa/nginx-public: allow + db.home.arpa/pg: pg-authentik + s3.home.arpa/store: "rgw-${CLUSTER_NAME}" + prom.home.arpa/kps: allow + topologySpreadConstraints: + - &tsc + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/name: *app + app.kubernetes.io/component: *app + containers: + main: + image: &img + repository: ghcr.io/goauthentik/server + tag: 2023.10.7 + args: [server] + env: &env + TZ: "${CONFIG_TZ}" + AUTHENTIK_POSTGRESQL__HOST: + valueFrom: + secretKeyRef: + name: pg-authentik-pguser-authentik + key: pgbouncer-host + AUTHENTIK_POSTGRESQL__PORT: + valueFrom: + secretKeyRef: + name: pg-authentik-pguser-authentik + key: pgbouncer-port + AUTHENTIK_POSTGRESQL__NAME: + valueFrom: + secretKeyRef: + name: pg-authentik-pguser-authentik + key: dbname + AUTHENTIK_POSTGRESQL__USER: + valueFrom: + secretKeyRef: + name: pg-authentik-pguser-authentik + key: user + AUTHENTIK_POSTGRESQL__PASSWORD: + valueFrom: + secretKeyRef: + name: pg-authentik-pguser-authentik + key: password + AUTHENTIK_POSTGRESQL__USE_PGBOUNCER: "true" + AUTHENTIK_POSTGRESQL__SSLMODE: verify-ca + AUTHENTIK_POSTGRESQL__SSLROOTCERT: &pgca /secrets/pg/ca.crt + AUTHENTIK_REDIS__HOST: authentik-redis.authentik.svc.cluster.local. 
+ AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: "${IP_POD_CIDR_V4}" + AUTHENTIK_ERROR_REPORTING__ENABLED: "false" + AUTHENTIK_ERROR_REPORTING__SEND_PII: "false" + envFrom: &envFrom + - secretRef: + name: authentik-secrets + securityContext: &sc + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + resources: + requests: + cpu: "10m" + memory: "128Mi" + limits: + cpu: "1000m" + memory: "2Gi" + probes: + liveness: + enabled: true + readiness: + enabled: true + worker: + type: deployment + replicas: 3 + pod: + labels: + db.home.arpa/pg: pg-authentik + s3.home.arpa/store: "rgw-${CLUSTER_NAME}" + authentik.home.arpa/https: allow + prom.home.arpa/kps: allow + # egress.home.arpa/internet: allow + topologySpreadConstraints: + - <<: *tsc + labelSelector: + matchLabels: + app.kubernetes.io/name: *app + app.kubernetes.io/component: worker + containers: + main: + image: *img + args: [worker] + env: *env + envFrom: *envFrom + securityContext: *sc + resources: + requests: + cpu: "10m" + memory: "128Mi" + limits: + cpu: "1000m" + memory: "4Gi" + probes: + liveness: + enabled: true + readiness: + enabled: true + ldap: + type: deployment + replicas: 3 + pod: + labels: + authentik.home.arpa/https: allow + topologySpreadConstraints: + - <<: *tsc + labelSelector: + matchLabels: + app.kubernetes.io/name: *app + app.kubernetes.io/component: ldap + containers: + main: + image: + <<: *img + repository: ghcr.io/goauthentik/ldap + tag: 2023.10.7@sha256:c483b0adf9a2123ab3d0498450d3d0f91344c97248dba789a4f80fdd3f6eb213 + env: + AUTHENTIK_HOST: "${APP_DNS_AUTHENTIK}" + AUTHENTIK_TOKEN: + valueFrom: + secretKeyRef: + name: authentik-ldap + key: token + securityContext: *sc + resources: + requests: + cpu: "10m" + memory: "128Mi" + limits: + cpu: "1000m" + memory: "4Gi" + probes: + liveness: + enabled: true + readiness: + enabled: true redis: - host: "authentik-redis.authentik.svc.cluster.local" - password: "" - envValueFrom: - AUTHENTIK_POSTGRESQL__NAME: - 
secretKeyRef: - name: &pgsec pg-authentik-pguser-authentik - key: dbname - AUTHENTIK_POSTGRESQL__USER: - secretKeyRef: - name: *pgsec - key: user - AUTHENTIK_POSTGRESQL__PASSWORD: - secretKeyRef: - name: *pgsec - key: password - AUTHENTIK_REDIS__PASSWORD: - secretKeyRef: - name: authentik-redis - key: password - redis: - enabled: false - blueprints: [] - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: fuckoff.home.arpa/home-assistant - operator: DoesNotExist - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app.kubernetes.io/name: *app - app.kubernetes.io/instance: *app - app.kubernetes.io/component: server - - topologyKey: kubernetes.io/hostname - labelSelector: - matchLabels: - app.kubernetes.io/name: *app - app.kubernetes.io/instance: *app - app.kubernetes.io/component: worker + type: deployment + replicas: 1 + containers: + redis: + image: + repository: "public.ecr.aws/docker/library/redis" + tag: "7.2.4@sha256:f14f42fc7e824b93c0e2fe3cdf42f68197ee0311c3d2e0235be37480b2e208e6" + command: ["redis-server", "--save", "''", "--appendonly", "no", "--requirepass", "$(AUTHENTIK_REDIS__PASSWORD)"] # save and appendonly options forcibly disable RDB and AOF persistence entirely + envFrom: *envFrom + securityContext: *sc + resources: + requests: + cpu: "10m" + memory: "32Mi" + limits: + cpu: "1000m" + memory: "512Mi" + service: + authentik: + controller: authentik + ports: + http: &port + port: 9000 + protocol: HTTP + appProtocol: http + http-80: + <<: *port + port: 80 + targetPort: 9000 + metrics: + <<: *port + port: 9300 + redis: + primary: false + controller: redis + ports: + redis: + port: 6379 + expose: + primary: false + controller: authentik + type: LoadBalancer + annotations: + io.cilium/internal: "true" + io.cilium/lb-ipam-ips: "${APP_IP_AUTHENTIK}" + ports: + http: + port: 443 + targetPort: 
9443 + protocol: HTTPS + appProtocol: https + ldap: + primary: false + controller: ldap + type: LoadBalancer + annotations: + coredns.io/hostname: "${APP_DNS_AUTHENTIK_LDAP}" + io.cilium/lb-ipam-ips: "${APP_IP_AUTHENTIK_LDAP}" + ports: + ldap-tcp: &ldap + port: 389 + targetPort: 3389 + protocol: TCP + ldap-udp: + <<: *ldap + protocol: UDP + ldaps-tcp: &ldaps + port: 636 + targetPort: 6636 + protocol: TCP + ldaps-udp: + <<: *ldaps + protocol: UDP + ingress: + main: + className: nginx-external + annotations: + external-dns.alpha.kubernetes.io/target: "${DNS_CF}" + external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" + hosts: + - host: &host "${APP_DNS_AUTHENTIK}" + paths: &paths + - path: / + pathType: Prefix + service: + identifier: authentik + port: http + tls: + - hosts: [*host] + secretName: authentik-tls + persistence: + pg-ca: + type: secret + name: pg-home-ca + defaultMode: 0400 + globalMounts: + - subPath: ca.crt + path: *pgca + tls: + type: secret + name: authentik-tls + defaultMode: 0400 + globalMounts: + - path: "/certs/${APP_DNS_AUTHENTIK}-k8s" + defaultPodOptions: + automountServiceAccountToken: false + enableServiceLinks: false + hostAliases: + - ip: "${APP_IP_AUTHENTIK}" + hostnames: ["${APP_DNS_AUTHENTIK}"] + securityContext: + runAsNonRoot: true + runAsUser: &uid 1000 + runAsGroup: *uid + fsGroup: *uid + fsGroupChangePolicy: Always + seccompProfile: { type: "RuntimeDefault" } + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: fuckoff.home.arpa/authentik + operator: DoesNotExist + networkpolicies: + same-ns: + podSelector: {} + policyTypes: [Ingress, Egress] + rules: + ingress: [from: [{podSelector: {}}]] + egress: [to: [{podSelector: {}}]] + vm-ad: + controller: worker + policyTypes: [Egress] + rules: + egress: [to: [{ipBlock: {cidr: "${IP_AD_CIDR}"}}]] + serviceMonitor: + authentik: + serviceName: authentik + endpoints: + - port: metrics + scheme: http + path: 
/metrics + interval: 1m + scrapeTimeout: 30s diff --git a/kube/deploy/apps/authentik/app/ingress.yaml b/kube/deploy/apps/authentik/app/ingress.yaml deleted file mode 100644 index f8724bba..00000000 --- a/kube/deploy/apps/authentik/app/ingress.yaml +++ /dev/null @@ -1,27 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: authentik-cilium - namespace: authentik - annotations: - ingress.cilium.io/websocket: "enabled" - ingress.cilium.io/service-type: "LoadBalancer" - ingress.cilium.io/loadbalancer-mode: "dedicated" - io.cilium/lb-ipam-ips: "${APP_IP_AUTHENTIK_INGRESS}" -spec: - ingressClassName: "cilium" - rules: - - host: &host "2${APP_DNS_AUTHENTIK}" - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: authentik - port: - name: http - tls: - - hosts: - - *host diff --git a/kube/deploy/apps/authentik/app/netpol.yaml b/kube/deploy/apps/authentik/app/netpol.yaml index d4b0b79f..005b25a3 100644 --- a/kube/deploy/apps/authentik/app/netpol.yaml +++ b/kube/deploy/apps/authentik/app/netpol.yaml @@ -8,15 +8,6 @@ metadata: spec: endpointSelector: {} ingress: - # same namespace - - fromEndpoints: - - matchLabels: - io.kubernetes.pod.namespace: *app - # ingress controller - - fromEndpoints: - - matchLabels: - io.kubernetes.pod.namespace: ingress - app.kubernetes.io/name: ingress-nginx # allow HTTPS traffic in-cluster - fromEndpoints: - matchLabels: @@ -32,11 +23,6 @@ spec: - toEndpoints: - matchLabels: io.kubernetes.pod.namespace: *app - # allow all ingress-nginx - - toEndpoints: - - matchLabels: - io.kubernetes.pod.namespace: ingress - app.kubernetes.io/name: ingress-nginx # allow Duo - toFQDNs: - matchPattern: "api-*.duosecurity.com" 
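Review bot: The ldap outpost's `AUTHENTIK_HOST: "${APP_DNS_AUTHENTIK}"` drops the scheme that the removed ldap/hr.yaml carried (`https://${APP_DNS_AUTH}`); the outpost expects a full URL, so this should be `AUTHENTIK_HOST: "https://${APP_DNS_AUTHENTIK}"` to reach the 443 LoadBalancer that hostAliases points at, instead of failing to resolve a host or connecting over something other than TLS. `AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS: "${IP_POD_CIDR_V4}"` trusts X-Forwarded-For from every pod in the cluster, which is wider than the ingress-nginx pods that actually front authentik; if the controller pods can be expressed as a narrower range, prefer that, since client IPs in logs and rate limits derive from it. In the redis controller, the exec-form `"--save", "''"` hands redis the two-character string `''` (no shell strips the quotes), whereas the documented argv form for disabling RDB is an empty argument, `"--save", ""`; confirm the current form disables snapshotting rather than erroring at startup. `defaultMode: 0400` is an unquoted octal literal (256 under YAML 1.1, 400 under 1.2); `defaultMode: 0o400` or decimal `256` is parser-independent.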
@@ -64,8 +50,49 @@ spec: - matchLabels: io.kubernetes.pod.namespace: authentik app.kubernetes.io/name: authentik - app.kubernetes.io/instance: authentik - app.kubernetes.io/component: server + app.kubernetes.io/component: authentik toPorts: - ports: - port: "9443" +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: authentik-ldap + namespace: &app authentik +spec: + endpointSelector: + matchLabels: + app.kubernetes.io/name: *app + app.kubernetes.io/component: ldap + ingress: + # allow LDAP traffic + - fromEndpoints: + - matchLabels: + authentik.home.arpa/ldap: allow + matchExpressions: + - key: io.kubernetes.pod.namespace + operator: Exists + toPorts: + - ports: + - port: "6636" +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json +apiVersion: cilium.io/v2 +kind: CiliumClusterwideNetworkPolicy +metadata: + name: &app authentik-ldap +spec: + endpointSelector: + matchLabels: + authentik.home.arpa/ldap: allow + egress: + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: authentik + app.kubernetes.io/name: *app + app.kubernetes.io/component: ldap + toPorts: + - ports: + - port: "6636" diff --git a/kube/deploy/apps/authentik/app/pg-superuser.yaml b/kube/deploy/apps/authentik/app/pg-superuser.yaml deleted file mode 100644 index a1c4fa50..00000000 --- a/kube/deploy/apps/authentik/app/pg-superuser.yaml +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: pg-authentik-superuser - namespace: authentik -type: Opaque -stringData: - # username MUST BE 'postgres'! - username: postgres - password: "${SECRET_AUTHENTIK_PG_SUPER_PASS}" diff --git a/kube/deploy/apps/authentik/app/svc.yaml b/kube/deploy/apps/authentik/app/svc.yaml deleted file mode 100644 index 7e069ec7..00000000 
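Review bot: In the new CiliumClusterwideNetworkPolicy the `&app` anchor is defined on `name: authentik-ldap`, so its egress `toEndpoints` selector expands to `app.kubernetes.io/name: authentik-ldap`, while the CiliumNetworkPolicy just above selects the same pods with `app.kubernetes.io/name: authentik` (anchored on the namespace) and the hr.yaml hunk labels the ldap controller that way too. Unless the ldap pods also carry an `authentik-ldap` name label, the clusterwide egress allow matches nothing, and pods labelled `authentik.home.arpa/ldap: allow` may be put into egress default-deny for LDAPS with no matching allow; the selector should read `app.kubernetes.io/name: authentik`, spelled out rather than via `*app`, because the two documents reuse the anchor name for different values. The ingress rule admits any pod in any namespace that sets `authentik.home.arpa/ldap: allow` on itself (`io.kubernetes.pod.namespace: Exists`), which is a label-opt-in model worth stating in a comment, e.g. `# any namespace may opt in by label; who can set pod labels is the real control`.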
--- a/kube/deploy/apps/authentik/app/svc.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: authentik-https-in-cluster - namespace: authentik - annotations: - # this is for in-cluster apps only, DNS is configured via hostAliases - io.cilium/internal: "true" - io.cilium/lb-ipam-ips: "${APP_IP_AUTHENTIK}" -spec: - type: LoadBalancer - selector: - app.kubernetes.io/name: authentik - app.kubernetes.io/instance: authentik - app.kubernetes.io/component: server - ports: - - name: https - port: 443 - targetPort: 9443 - protocol: TCP - allocateLoadBalancerNodePorts: false diff --git a/kube/deploy/apps/authentik/ks.yaml b/kube/deploy/apps/authentik/ks.yaml index b010d6f4..164e2168 100644 --- a/kube/deploy/apps/authentik/ks.yaml +++ b/kube/deploy/apps/authentik/ks.yaml @@ -4,27 +4,15 @@ kind: Kustomization metadata: name: authentik-app namespace: flux-system + labels: &l + app.kubernetes.io/name: "authentik" spec: + commonMetadata: + labels: *l path: ./kube/deploy/apps/authentik/app + targetNamespace: "authentik" dependsOn: - - name: 1-core-ingress-nginx-app - - name: authentik-redis - name: authentik-db - healthChecks: - - name: authentik - namespace: authentik - kind: HelmRelease - apiVersion: helm.toolkit.fluxcd.io/v2beta1 ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: authentik-ldap - namespace: flux-system -spec: - path: ./kube/deploy/apps/authentik/ldap - dependsOn: - - name: authentik-app --- apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization 
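Review bot: The `healthChecks` entry on authentik-app is dropped and no `wait: true` takes its place, so Flux will report this Kustomization Ready as soon as the HelmRelease object is applied, before the chart has reconciled; anything that lists `authentik-app` in its own `dependsOn` would then proceed against an authentik that may not be serving yet. If that ordering matters (the old file waited on the HelmRelease explicitly), restore the check against whatever apiVersion app/hr.yaml currently declares, e.g. `healthChecks: [{apiVersion: helm.toolkit.fluxcd.io/v2beta2, kind: HelmRelease, name: authentik, namespace: authentik}]`. The ExternalSecrets in app/es.yaml also require the `1p` ClusterSecretStore to exist, which nothing in `dependsOn` guarantees; whether that needs an entry depends on how the rest of the repo orders external-secrets.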
@@ -47,21 +35,3 @@ spec: PG_SC: "local" PG_CONFIG_VERSION: "15.2-11" PG_CONFIG_SIZE: "20Gi" - # healthChecks: - # - name: pg-authentik-s3 - # namespace: authentik - # kind: ObjectBucketClaim - # apiVersion: objectbucket.io/v1alpha1 - # - name: pg-authentik - # namespace: authentik - # kind: Cluster - # apiVersion: postgresql.cnpg.io/v1 ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: authentik-redis - namespace: flux-system -spec: - path: ./kube/deploy/apps/authentik/redis - dependsOn: [] diff --git a/kube/deploy/apps/authentik/kustomization.yaml b/kube/deploy/apps/authentik/kustomization.yaml index ed061416..5eeb2657 100644 --- a/kube/deploy/apps/authentik/kustomization.yaml +++ b/kube/deploy/apps/authentik/kustomization.yaml @@ -3,5 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ns.yaml - - repo.yaml - ks.yaml diff --git a/kube/deploy/apps/authentik/ldap/hr.yaml b/kube/deploy/apps/authentik/ldap/hr.yaml deleted file mode 100644 index a1fa40a6..00000000 --- a/kube/deploy/apps/authentik/ldap/hr.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: &app authentik-ldap - namespace: authentik -spec: - chart: - spec: - chart: app-template - version: 1.5.1 - sourceRef: - name: bjw-s - kind: HelmRepository - namespace: flux-system - values: - global: - fullnameOverride: *app - automountServiceAccountToken: false - controller: - type: deployment - replicas: 2 - image: - repository: ghcr.io/goauthentik/ldap - tag: "2023.10.7@sha256:c483b0adf9a2123ab3d0498450d3d0f91344c97248dba789a4f80fdd3f6eb213" - podLabels: - egress.home.arpa/nginx-external: "allow" - env: - TZ: "${CONFIG_TZ}" - AUTHENTIK_HOST: "https://${APP_DNS_AUTH}" - AUTHENTIK_TOKEN: - valueFrom: - secretKeyRef: - name: authentik-ldap - key: token - service: - main: - enabled: true - type: LoadBalancer - externalTrafficPolicy: Cluster - annotations: - coredns.io/hostname: "${APP_DNS_AUTHENTIK_LDAP}" - "io.cilium/lb-ipam-ips": "${APP_IP_AUTHENTIK_LDAP}" - ports: - http: - enabled: false - ldap-tcp: - enabled: true - port: 389 - targetPort: 3389 - protocol: TCP - ldap-udp: - enabled: true - port: 389 - targetPort: 3389 - protocol: UDP - ldaps-tcp: - enabled: true - port: 636 - targetPort: 6636 - protocol: TCP - ldaps-udp: - enabled: true - port: 636 - targetPort: 6636 - protocol: UDP - podSecurityContext: - runAsUser: &uid ${APP_UID_AUTHENTIK_LDAP} - runAsGroup: *uid - fsGroup: *uid - fsGroupChangePolicy: Always - resources: - requests: - cpu: 10m - memory: 128Mi - limits: - memory: 6000Mi - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: "kubernetes.io/hostname" - whenUnsatisfiable: "DoNotSchedule" - labelSelector: - matchLabels: - app.kubernetes.io/name: *app - app.kubernetes.io/instance: *app diff --git a/kube/deploy/apps/authentik/ldap/netpol.yaml b/kube/deploy/apps/authentik/ldap/netpol.yaml deleted file mode 100644 index 20e257e5..00000000 --- a/kube/deploy/apps/authentik/ldap/netpol.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: &app authentik-ldap - namespace: authentik -spec: - endpointSelector: - matchLabels: - app.kubernetes.io/name: *app - ingress: - # same namespace - - fromEndpoints: - - matchLabels: - io.kubernetes.pod.namespace: *app - # allow LDAP traffic - - fromEndpoints: - - matchLabels: - authentik.home.arpa/ldap: allow - matchExpressions: - - key: io.kubernetes.pod.namespace - operator: Exists - toPorts: - - ports: - - port: "6636" - egress: - # same namespace - - toEndpoints: - - matchLabels: - io.kubernetes.pod.namespace: *app - # allow ingress-nginx - - toEndpoints: - - matchLabels: - io.kubernetes.pod.namespace: ingress - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json -apiVersion: cilium.io/v2 -kind: CiliumClusterwideNetworkPolicy -metadata: - name: &app authentik-ldap -spec: - endpointSelector: - matchLabels: - authentik.home.arpa/ldap: allow - egress: - - toEndpoints: - - matchLabels: - io.kubernetes.pod.namespace: authentik - app.kubernetes.io/name: *app - toPorts: - - ports: - - port: "6636" \ No newline at end of file diff --git a/kube/deploy/apps/authentik/ldap/secret.yaml b/kube/deploy/apps/authentik/ldap/secret.yaml deleted file mode 100644 index 022314ed..00000000 --- a/kube/deploy/apps/authentik/ldap/secret.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: authentik-ldap - namespace: authentik -type: Opaque -stringData: - token: "${SECRET_AUTHENTIK_LDAP_TOKEN}" diff --git a/kube/deploy/apps/authentik/ns.yaml b/kube/deploy/apps/authentik/ns.yaml index ae71e15e..03d3be43 100644 
--- a/kube/deploy/apps/authentik/ns.yaml +++ b/kube/deploy/apps/authentik/ns.yaml @@ -3,3 +3,8 @@ apiVersion: v1 kind: Namespace metadata: name: authentik + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/enforce: &ps restricted + pod-security.kubernetes.io/audit: *ps + pod-security.kubernetes.io/warn: *ps diff --git a/kube/deploy/apps/authentik/redis/hr.yaml b/kube/deploy/apps/authentik/redis/hr.yaml deleted file mode 100644 index 70ff3cbc..00000000 --- a/kube/deploy/apps/authentik/redis/hr.yaml +++ /dev/null @@ -1,49 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: &app authentik-redis - namespace: authentik -spec: - chart: - spec: - chart: app-template - version: 1.5.1 - sourceRef: - name: bjw-s - kind: HelmRepository - namespace: flux-system - values: - global: - fullnameOverride: *app - automountServiceAccountToken: false - controller: - type: deployment - replicas: 1 - image: - repository: public.ecr.aws/docker/library/redis - tag: 7.0.11-bullseye - command: - - sh - args: - - -c - - >- - redis-server --requirepass $REDIS_PASSWORD - env: - REDIS_PORT: "6379" - REDIS_PASSWORD: - valueFrom: - secretKeyRef: - name: authentik-redis - key: password - service: - main: - ports: - http: - port: 6379 - resources: - requests: - cpu: 10m - memory: 204Mi - limits: - memory: 512Mi diff --git a/kube/deploy/apps/authentik/redis/secret-redis.yaml b/kube/deploy/apps/authentik/redis/secret-redis.yaml deleted file mode 100644 index c52a259a..00000000 --- a/kube/deploy/apps/authentik/redis/secret-redis.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: authentik-redis - namespace: authentik -type: Opaque -stringData: - password: "${SECRET_AUTHENTIK_REDIS_PASSWORD}" diff --git a/kube/deploy/apps/authentik/repo.yaml b/kube/deploy/apps/authentik/repo.yaml deleted file mode 100644 index 23c9660c..00000000 --- a/kube/deploy/apps/authentik/repo.yaml +++ /dev/null 
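Review bot: `pod-security.kubernetes.io/enforce: restricted` is set without a `pod-security.kubernetes.io/enforce-version`, so the profile tracks the API server's `latest` and can tighten silently on a cluster upgrade, rejecting authentik pods at the next rollout rather than at review time; pin it, e.g. `pod-security.kubernetes.io/enforce-version: "v1.XX"` (XX being the cluster's current minor, a placeholder here), and bump it deliberately. The pod spec in the hr.yaml hunk (runAsNonRoot, seccomp RuntimeDefault, `drop: ["ALL"]`, no privilege escalation) looks restricted-compliant, which is why enforce rather than audit-only is reasonable for this namespace.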
@@ -1,10 +0,0 @@ ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: authentik - namespace: flux-system -spec: - interval: 10m0s - timeout: 3m0s - url: https://charts.goauthentik.io/