add authentik

argocd-applications/base/authentik-application.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argo-app-authentik
+  namespace: argocd
+spec:
+  destination:
+    name: ''
+    namespace: default
+    server: https://kubernetes.default.svc
+  source:
+    path: authentik
+    repoURL: https://git.mziesel.nl/mans/argocd-test
+    targetRevision: HEAD
+  sources: []
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true

argocd-applications/kustomization.yaml

@@ -19,3 +19,4 @@ resources:
   - ./base/mediaserver-application.yaml
   - ./base/uptime-kuma-application.yaml
   - ./base/metrics-server-application.yaml
+  - ./base/authentik-application.yaml

authentik/base/authentik-deployment.yaml

@@ -0,0 +1,103 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authentik
+  template:
+    metadata:
+      labels:
+        app: authentik
+    spec:
+      volumes:
+        - name: authentik-certs
+          persistentVolumeClaim:
+            claimName: authentik-templates-pvc
+        - name: authentik-media
+          persistentVolumeClaim:
+            claimName: authentik-media-pvc
+        - name: authentik-templates
+          persistentVolumeClaim:
+            claimName: authentik-templates-pvc
+      containers:
+      - image: ghcr.io/goauthentik/authentik:2024.12.1
+        name: authentik-server
+        command: server
+        environment:
+            - name: AUTHENTIK_REDIS__HOST
+              value: redis-server.authentik.svc.cluster.local
+            - name: AUTHENTIK_POSTGRESQL__HOST
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-pg-cluster-app
+                  key: host
+            - name: AUTHENTIK_POSTGRESQL__PORT
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-pg-cluster-app
+                  key: port
+            - name: AUTHENTIK_POSTGRESQL__USER
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-pg-cluster-app
+                  key: user
+            - name: AUTHENTIK_POSTGRESQL__NAME
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-pg-cluster-app
+                  key: dbname
+            - name: AUTHENTIK_POSTGRESQL__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-pg-cluster-app
+                  key: password
+        ports:
+          - name: web
+            containerPort: 9000
+        volumeMounts:
+        - mountPath: /media
+          name: authentik-media
+        - mountPath: /templates
+          name: authentik-templates
+      - image: ghcr.io/goauthentik/authentik:2024.12.1
+        name: authentik-worker
+        command: worker
+        environment:
+            - name: AUTHENTIK_REDIS__HOST
+              value: redis-server.authentik.svc.cluster.local
+            - name: AUTHENTIK_POSTGRESQL__HOST
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-pg-cluster-app
+                  key: host
+            - name: AUTHENTIK_POSTGRESQL__PORT
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-pg-cluster-app
+                  key: port
+            - name: AUTHENTIK_POSTGRESQL__USER
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-pg-cluster-app
+                  key: user
+            - name: AUTHENTIK_POSTGRESQL__NAME
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-pg-cluster-app
+                  key: dbname
+            - name: AUTHENTIK_POSTGRESQL__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: keycloak-pg-cluster-app
+                  key: password
+        volumeMounts:
+        - mountPath: /media
+          name: authentik-media
+        - mountPath: /certs
+          name: authentik-certs
+        - mountPath: /templates
+          name: authentik-templates

authentik/base/authentik-ingress.yaml

@@ -0,0 +1,12 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authentik-ingressroute
+spec:
+  routes:
+  - match: Host(`authentik.k8s.mziesel.nl`)
+    kind: Rule
+    services:
+    - name: authentik
+      port: web
+  tls: {}

authentik/base/authentik-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authentik

authentik/base/authentik-pg-cluster.yaml

@@ -0,0 +1,15 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: authentik-pg-cluster
+spec:
+  instances: 3
+  imageCatalogRef:
+    apiGroup: postgresql.cnpg.io
+    kind: ClusterImageCatalog
+    name: postgresql
+    major: 17
+
+  storage:
+    size: 10Gi
+    storageClass: nfs-client

authentik/base/authentik-pvcs.yaml

@@ -0,0 +1,47 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: authentik-media-pvc
+spec:
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: authentik-templates-pvc
+spec:
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: authentik-certs-pvc
+spec:
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: authentik-redis-pvc
+spec:
+  storageClassName: nfs-client
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi

authentik/base/authentik-redis-deployment.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authentik-redis-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis-server
+  template:
+    metadata:
+      labels:
+        app: redis-server
+        name: redis-server
+    spec:
+      containers:
+      - name: redis-server
+        image: redis
+        args: ["--appendonly", "yes"]
+        ports:
+          - name: redis-server
+            containerPort: 6379
+        volumeMounts:
+          - name: redis-data
+            mountPath: /data
+        env:
+          - name: ALLOW_EMPTY_PASSWORD
+            value: "yes"
+      volumes:
+        - name: redis-data
+          persistentVolumeClaim:
+            claimName: authentik-redis-pvc

authentik/base/authentik-redis-svc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis-server
+spec:
+  ports:
+    - name: redis-server
+      protocol: TCP
+      port: 6379
+      targetPort: 6379
+  selector:
+    app: redis-server

authentik/base/authentik-svc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: authentik
+spec:
+  ports:
+    - name: web 
+      port: 80
+      targetPort: web
+  selector:
+    app: authentik

authentik/kustomization.yaml

@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: authentik
+
+resources:
+  - ./base/authentik-namespace.yaml
+  - ./base/authentik-pg-cluster.yaml
+  - ./base/authentik-pvcs.yaml.yaml
+  - ./base/authentik-deployment.yaml
+  - ./base/authentik-svc.yaml
+  - ./base/authentik-ingress.yaml
+  - ./base/authentik-redis-deployment.yaml
+  - ./base/authentik-redis-svc.yaml