add(authentik)

This commit is contained in:
nold 2022-12-13 13:47:52 +01:00
parent 0cd2a224f7
commit 351d66311b
3 changed files with 227 additions and 0 deletions

View file

@ -0,0 +1,43 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: authentik-db
namespace: authentik
spec:
instances: 1
imageName: ghcr.io/cloudnative-pg/postgresql:15
bootstrap:
initdb:
database: app
owner: app
backup:
barmanObjectStore:
destinationPath: "s3://authentik-db/"
endpointURL: "http://minio.minio.svc.cluster.local:9000"
s3Credentials:
accessKeyId:
name: bucket
key: accesskey
secretAccessKey:
name: bucket
key: secretkey
wal:
compression: gzip
#encryption: AES256
data:
compression: gzip
#encryption: AES256
retentionPolicy: "90d"
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "1Gi"
cpu: "1"
storage:
size: 10Gi

View file

@ -0,0 +1,16 @@
config:
description: Authentik OIDC
apps:
- name: authentik
repoURL: https://charts.goauthentik.io/
chart: authentik
targetRevision: 2022.11.3
secrets:
- name: authentik
keys:
- secret_key
- name: bucket
keys:
- secretkey
- accesskey

View file

@ -0,0 +1,168 @@
# -- Server replicas
replicas: 1
# -- server securityContext
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
worker:
# -- worker replicas
replicas: 1
# -- Custom priority class for different treatment by the scheduler
priorityClassName:
# -- worker securityContext
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
image:
repository: ghcr.io/goauthentik/server
tag: 2022.11.3
# -- See https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#values
initContainers: {}
# -- See https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#values
additionalContainers: {}
ingress:
enabled: true
ingressClassName: "ingress-internal-traefik"
annotations:
cert-manager.io/cluster-issuer: "vault-issuer"
traefik.ingress.kubernetes.io/router.tls: 'true'
labels: {}
hosts:
- host: auth.dc
paths:
- path: "/"
pathType: Prefix
tls:
- secretName: auth.dc-tls
hosts:
- auth.dc
authentik:
# -- Log level for server and worker
log_level: info
# -- Secret key used for cookie singing and unique user IDs,
# don't change this after the first install
#secret_key: ""
# -- Path for the geoip database. If the file doesn't exist, GeoIP features are disabled.
geoip: /geoip/GeoLite2-City.mmdb
# -- Mode for the avatars. Defaults to gravatar. Possible options 'gravatar' and 'none'
avatars: none
email:
# -- SMTP Server emails are sent from, fully optional
host: ""
port: 587
# -- SMTP credentials, when left empty, not authentication will be done
username: ""
# -- SMTP credentials, when left empty, not authentication will be done
password: ""
# -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
use_tls: false
# -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
use_ssl: false
# -- Connection timeout
timeout: 30
# -- Email from address, can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
from: ""
outposts:
# -- Template used for managed outposts. The following placeholders can be used
# %(type)s - the type of the outpost
# %(version)s - version of your authentik install
# %(build_hash)s - only for beta versions, the build hash of the image
container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
error_reporting:
# -- This sends anonymous usage-data, stack traces on errors and
# performance data to sentry.beryju.org, and is fully opt-in
enabled: false
# -- This is a string that is sent to sentry with your error reports
environment: "k8s"
# -- Send PII (Personally identifiable information) data to sentry
send_pii: false
postgresql:
# -- set the postgresql hostname to talk to
# if unset and .Values.postgresql.enabled == true, will generate the default
# @default -- `{{ .Release.Name }}-postgresql`
host: 'authentik-db-rw.authentik.svc.cluster.local'
# -- postgresql Database name
# @default -- `authentik`
name: "app"
# -- postgresql Username
# @default -- `authentik`
user: "app"
#password: ""
port: 5432
redis:
# -- set the redis hostname to talk to
# @default -- `{{ .Release.Name }}-redis-master`
host: '{{ .Release.Name }}-redis-master'
password: ""
# -- List of config maps to mount blueprints from. Only keys in the
# configmap ending with ".yaml" wil be discovered and applied
blueprints: []
# -- see configuration options at https://goauthentik.io/docs/installation/configuration/
env: {}
# AUTHENTIK_VAR_NAME: VALUE
envFrom: []
# - configMapRef:
# name: special-config
envValueFrom:
AUTHENTIK_POSTGRESQL__PASSWORD:
secretKeyRef:
key: password
name: authentik-db-app
AUTHENTIK_SECRET_KEY:
secretKeyRef:
key: secret_key
name: authentik
service:
# -- Service that is created to access authentik
enabled: true
type: ClusterIP
port: 80
name: http
protocol: TCP
labels: {}
annotations: {}
volumes: []
volumeMounts: []
resources:
server: {}
worker: {}
serviceAccount:
# -- Service account is needed for managed outposts
create: true
prometheus:
serviceMonitor:
create: false
interval: 30s
scrapeTimeout: 3s
rules:
create: false
postgresql:
enabled: false
redis:
enabled: true
architecture: standalone
auth:
enabled: false