feat(authentik): deploy authentik

kubernetes/apps/default/app-template/README.md

@@ -0,0 +1 @@
+## Template that can be used to deploy a general docker image

kubernetes/apps/default/app-template/app/externalsecret.yaml

@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: APP_NAME
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: APP_NAME-secret
+    template:
+      engineVersion: v2
+      data:
+        ## Non Cluster resources
+        APP_ENV: "{{ .APP_1PASS_SECRET_KEY }}"
+  dataFrom:
+    - extract:
+        key: app
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "app_$1"

kubernetes/apps/default/app-template/app/helmrelease.yaml

@@ -0,0 +1,112 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app APP_NAME
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.3.2
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      # Retries is the number of retries that should be attempted on failures before bailing. Remediation, using an uninstall, is performed between each attempt.
+      retries: 3
+  upgrade:
+    # CleanupOnFail allows deletion of new resources created during the Helm rollback action when it fails
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  # Generally storage dependencies goes here
+  dependsOn:
+    - name: DEP_NAME
+      namespace: DEP_NAMESPACE
+  values:
+    controllers:
+      APP_NAME:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        containers:
+          app:
+            image:
+              repository: APP_IMAGE
+              tag: VERSION
+            env:
+              TZ: "${TIMEZONE}"
+            # Paste if have secret with envs
+            envFrom:
+              - secretRef:
+                  name: SECRET_NAME
+            probes:
+              liveness: &probes
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /health
+                    port: &port 80
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+              readiness: *probes
+              securityContext:
+                allowPrivilegeEscalation: false
+                readOnlyRootFilesystem: true
+                capabilities: { drop: [ "ALL" ] }
+              resources:
+                requests:
+                  cpu: 100m
+                limits:
+                  memory: 2Gi
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        supplementalGroups: [ 10000 ]
+        seccompProfile: { type: RuntimeDefault }
+    service:
+      app:
+        controller: APP_NAME
+        type: LoadBalancer
+        # Add if it needs to have local network ip
+        annotations:
+          io.cilium/lb-ipam-ips: "${CLUSTER_LB_VALHEIM}"
+        ports:
+          http:
+            port: *port
+    ingress:
+      app:
+        annotations:
+          # or internal
+          external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}"
+        # or internal
+        className: external
+        hosts:
+          - host: "APP_NAME.${SECRET_DOMAIN}"
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http
+    persistence:
+      server:
+        existingClaim: *app
+        globalMounts:
+          - path: /home/steam/valheim
+      saves:
+        type: nfs
+        server: "${NAS_URL}"
+        path: "${NAS_PATH}/path"
+        globalMounts:
+          - path: /home/steam/.config/unity3d/IronGate/Valheim

kubernetes/apps/default/app-template/app/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./externalsecret.yaml
+  - ./helmrelease.yaml
+  - ../../../../templates/gatus/internal

kubernetes/apps/default/app-template/ks.yaml

@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app APP_NAME
+  namespace: flux-system
+spec:
+  targetNamespace: default
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/default/APP_NAME/app
+  prune: true
+  dependsOn:
+    - name: cloudnative-pg-cluster
+    - name: external-secrets-stores
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+  # add if you have volsync and\or gatus
+  postBuild:
+    substitute:
+      APP: *app
+      VOLSYNC_CAPACITY: 1Gi

kubernetes/apps/default/homepage/app/externalsecret.yaml

@@ -36,7 +36,11 @@ spec:
         HOMEPAGE_VAR_PORTAINER_TOKEN: "{{ .HOMEPAGE_PORTAINER_TOKEN }}"
         HOMEPAGE_VAR_GRAFANA_USER: "{{ .grafana_username }}"
         HOMEPAGE_VAR_GRAFANA_PASSWORD: "{{ .grafana_password }}"
+        ## Security
+        HOMEPAGE_VAR_AUTHENTIK_TOKEN: "{{ .AUTHENTIK_TOKEN }}"
   dataFrom:
+    - extract:
+        key: authentik
     - extract:
         key: cloudflare
     - extract:

kubernetes/apps/observability/grafana/app/helmrelease.yaml

@@ -201,6 +201,11 @@ spec:
         node-feature-discovery:
           url: https://raw.githubusercontent.com/kubernetes-sigs/node-feature-discovery/master/examples/grafana-dashboard.json
           datasource: Prometheus
+        authentik:
+          # renovate: depName="Authentik"
+          gnetId: 14837
+          revision: 2
+          datasource: Prometheus
       flux:
         flux-cluster:
           url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/cluster.json

kubernetes/apps/security/alert.yaml

@@ -0,0 +1,29 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: alert-manager
+  namespace: security
+spec:
+  type: alertmanager
+  address: http://alertmanager-operated.observability.svc.cluster.local:9093/api/v2/alerts/
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Alert
+metadata:
+  name: alert-manager
+  namespace: security
+spec:
+  providerRef:
+    name: alert-manager
+  eventSeverity: error
+  eventSources:
+    - kind: HelmRelease
+      name: "*"
+  exclusionList:
+    - "error.*lookup github\\.com"
+    - "error.*lookup raw\\.githubusercontent\\.com"
+    - "dial.*tcp.*timeout"
+    - "waiting.*socket"
+  suspend: false

kubernetes/apps/security/authentik/app/externalsecret.yaml

@@ -0,0 +1,37 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authentik
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: authentik-secret
+    template:
+      engineVersion: v2
+      data:
+        AUTHENTIK_BOOTSTRAP_EMAIL: '{{ .AUTHENTIK_EMAIL }}'
+        AUTHENTIK_BOOTSTRAP_PASSWORD: '{{ .AUTHENTIK_PASSWORD }}'
+        AUTHENTIK_BOOTSTRAP_TOKEN: '{{ .AUTHENTIK_TOKEN }}'
+        AUTHENTIK_SECRET_KEY: '{{ .AUTHENTIK_SECRET_KEY }}'
+        AUTHENTIK_REDIS__DB: "1"
+        AUTHENTIK_SESSION_STORAGE: "db"
+        AUTHENTIK_POSTGRESQL__NAME: &dbName authentik
+        AUTHENTIK_POSTGRESQL__HOST: &dbHost postgres-cluster-rw.database.svc.cluster.local
+        AUTHENTIK_POSTGRESQL__USER: &dbUser '{{ .AUTHENTIK_POSTGRES_USER }}'
+        AUTHENTIK_POSTGRESQL__PASSWORD: &dbPass '{{ .AUTHENTIK_POSTGRES_PASSWORD }}'
+        AUTHENTIK_POSTGRESQL__USE_PGBOUNCER: 'false'
+        INIT_POSTGRES_DBNAME: *dbName
+        INIT_POSTGRES_HOST: *dbHost
+        INIT_POSTGRES_USER: *dbUser
+        INIT_POSTGRES_PASS: *dbPass
+        INIT_POSTGRES_SUPER_USER: "{{ .POSTGRES_SUPER_USER }}"
+        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
+  dataFrom:
+    - extract:
+        key: cloudnative-pg
+    - extract:
+        key: authentik

kubernetes/apps/security/authentik/app/helmrelease.yaml

@@ -0,0 +1,75 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authentik
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: authentik
+      version: 2024.6.3
+      sourceRef:
+        kind: HelmRepository
+        name: authentik-charts
+        namespace: flux-system
+  install:
+    remediation:
+      # Retries is the number of retries that should be attempted on failures before bailing. Remediation, using an uninstall, is performed between each attempt.
+      retries: 3
+  upgrade:
+    # CleanupOnFail allows deletion of new resources created during the Helm rollback action when it fails
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    global:
+      podAnnotations:
+        secret.reloader.stakater.com/reload: &secret authentik-secret
+      deploymentStrategy:
+        type: RollingUpdate
+      envFrom:
+        - secretRef:
+            name: *secret
+    authentik:
+      redis:
+        host: dragonfly.database.svc.cluster.local
+    server:
+      initContainers:
+        - name: init-db
+          image: ghcr.io/onedr0p/postgres-init:16.3
+          envFrom:
+            - secretRef:
+                name: *secret
+      autoscaling:
+        enabled: true
+        minReplicas: 2
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+      ingress:
+        enabled: true
+        ingressClassName: external
+        annotations:
+          gethomepage.dev/enabled: "true"
+          gethomepage.dev/icon: authentik.png
+          gethomepage.dev/name: Authentik
+          gethomepage.dev/group: Infrastructure
+          gethomepage.dev/app: authentik
+          gethomepage.dev/description: OIDC User Management
+          gethomepage.dev/widget.type: authentik
+          gethomepage.dev/widget.url: http://authentik-server.security
+          gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_AUTHENTIK_TOKEN}}"
+          external-dns.alpha.kubernetes.io/target: external.${SECRET_DOMAIN}
+        hosts:
+          - sso.${SECRET_DOMAIN}
+    worker:
+      autoscaling:
+        enabled: true
+        minReplicas: 2
+    prometheus:
+      rules:
+        enabled: true

kubernetes/apps/security/authentik/app/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./externalsecret.yaml
+  - ./helmrelease.yaml
+  - ../../../../templates/gatus/external

kubernetes/apps/security/authentik/ks.yaml

@@ -0,0 +1,30 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app authentik
+  namespace: flux-system
+spec:
+  targetNamespace: security
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/security/authentik/app
+  prune: true
+  dependsOn:
+    - name: cloudnative-pg-cluster
+    - name: external-secrets-stores
+    - name: dragonfly
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+  # add if you have volsync and\or gatus
+  postBuild:
+    substitute:
+      APP: *app
+      GATUS_SUBDOMAIN: sso

kubernetes/apps/security/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./alert.yaml
+  - ./authentik/ks.yaml