Automated Manifest Update (#4474)

This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.

Reviewed-on: #4474
Co-authored-by: gitea-bot <gitea-bot@alexlebens.net>
Co-committed-by: gitea-bot <gitea-bot@alexlebens.net>
This commit was merged in pull request #4474.
2026-03-06 05:47:29 +00:00
committed by Alex Lebens
parent de17c88900
commit 214c91b11c
15 changed files with 413 additions and 69 deletions


@@ -0,0 +1,87 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: authentik-valkey-init-scripts
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
data:
init.sh: |-
#!/bin/sh
set -eu
# Default config paths
VALKEY_CONFIG=${VALKEY_CONFIG_PATH:-/data/conf/valkey.conf}
LOGFILE="/data/init.log"
DATA_DIR="/data/conf"
# Logging function (outputs to stderr and file)
log() {
echo "$(date) $1" | tee -a "$LOGFILE" >&2
}
# Clean old log if requested
if [ "${KEEP_OLD_LOGS:-false}" != "true" ]; then
rm -f "$LOGFILE"
fi
if [ -f "$LOGFILE" ]; then
log "Detected restart of this instance ($HOSTNAME)"
fi
log "Creating configuration in $DATA_DIR..."
mkdir -p "$DATA_DIR"
rm -f "$VALKEY_CONFIG"
# Base valkey.conf
log "Generating base valkey.conf"
{
echo "port 6379"
echo "protected-mode no"
echo "bind * -::*"
echo "dir /data"
} >>"$VALKEY_CONFIG"
# Replica mode configuration
log "Configuring replication mode"
# Use POD_INDEX from Kubernetes metadata
POD_INDEX=${POD_INDEX:-0}
IS_MASTER=false
# Check if this is pod-0 (master)
if [ "$POD_INDEX" = "0" ]; then
IS_MASTER=true
log "This pod (index $POD_INDEX) is configured as MASTER"
else
log "This pod (index $POD_INDEX) is configured as REPLICA"
fi
# Configure replica settings
if [ "$IS_MASTER" = "false" ]; then
MASTER_HOST="authentik-valkey-0.authentik-valkey-headless.authentik.svc.cluster.local"
MASTER_PORT="6379"
log "Configuring replica to follow master at $MASTER_HOST:$MASTER_PORT"
{
echo ""
echo "# Replica Configuration"
echo "replicaof $MASTER_HOST $MASTER_PORT"
echo "replica-announce-ip authentik-valkey-$POD_INDEX.authentik-valkey-headless.authentik.svc.cluster.local"
} >>"$VALKEY_CONFIG"
fi
# Append extra configs if present
if [ -f /usr/local/etc/valkey/valkey.conf ]; then
log "Appending /usr/local/etc/valkey/valkey.conf"
cat /usr/local/etc/valkey/valkey.conf >>"$VALKEY_CONFIG"
fi
if [ -d /extravalkeyconfigs ]; then
log "Appending files in /extravalkeyconfigs/"
cat /extravalkeyconfigs/* >>"$VALKEY_CONFIG"
fi
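Review bot: The base config that init.sh writes sets `protected-mode no` and `bind * -::*` but no `requirepass` or ACL line, so as rendered every pod that can reach port 6379 can use this instance without credentials. Authentication would have to arrive through /usr/local/etc/valkey/valkey.conf or /extravalkeyconfigs, and the StatefulSet in this commit mounts neither, only `valkey-data` and `scripts`. Since the manifest is rendered, the change belongs in the chart values: enable the chart's authentication (replicas then also need a matching `masterauth`), or add a NetworkPolicy that admits only the authentik pods to 6379; no NetworkPolicy is among the files shown here. Separately, `cat /extravalkeyconfigs/*` exits non-zero under `set -eu` when the directory exists but is empty, which would abort the init container.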


@@ -30,7 +30,7 @@ spec:
app.kubernetes.io/part-of: "authentik"
app.kubernetes.io/version: "2026.2.1"
annotations:
checksum/secret: 1e598a49859367f98c6a1e0a1b225a7826531a6f5776542428134a486762c59b
checksum/secret: e52441637b77f4baccf56d0c193e99c35c2eeef6b6c753a17e45254ca6b20e18
spec:
terminationGracePeriodSeconds: 30
containers:


@@ -30,7 +30,7 @@ spec:
app.kubernetes.io/part-of: "authentik"
app.kubernetes.io/version: "2026.2.1"
annotations:
checksum/secret: 1e598a49859367f98c6a1e0a1b225a7826531a6f5776542428134a486762c59b
checksum/secret: e52441637b77f4baccf56d0c193e99c35c2eeef6b6c753a17e45254ca6b20e18
spec:
serviceAccountName: authentik
terminationGracePeriodSeconds: 30


@@ -0,0 +1,23 @@
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: authentik-valkey
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
app.kubernetes.io/component: podmonitor
spec:
podMetricsEndpoints:
- port: metrics
interval: 30s
namespaceSelector:
matchNames:
- authentik
selector:
matchLabels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
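Review bot: This PodMonitor selects the same pods and the same `metrics` port that the ServiceMonitor in this commit already scrapes through the `authentik-valkey-metrics` Service, so each exporter sample would be collected twice. The alert expressions in the PrometheusRule filter on `service="authentik-valkey-metrics"`, a label that only the ServiceMonitor path is expected to attach, so the PodMonitor series appear to be unused. Disabling one of the two monitors in the chart values avoids the duplicate series.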


@@ -0,0 +1,47 @@
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: authentik-valkey
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
spec:
groups:
- name: authentik-valkey
rules:
- alert: ValkeyDown
annotations:
description: Valkey instance {{ $labels.instance }} is down.
summary: Valkey instance {{ $labels.instance }} down
expr: |
redis_up{service="authentik-valkey-metrics"} == 0
for: 2m
labels:
severity: error
- alert: ValkeyMemoryHigh
annotations:
description: |
Valkey instance {{ $labels.instance }} is using {{ $value }}% of its available memory.
summary: Valkey instance {{ $labels.instance }} is using too much memory
expr: |
redis_memory_used_bytes{service="authentik-valkey-metrics"} * 100
/
redis_memory_max_bytes{service="authentik-valkey-metrics"}
> 90 <= 100
for: 2m
labels:
severity: error
- alert: ValkeyKeyEviction
annotations:
description: |
Valkey instance {{ $labels.instance }} has evicted {{ $value }} keys in the last 5 minutes.
summary: Valkey instance {{ $labels.instance }} has evicted keys
expr: |
increase(redis_evicted_keys_total{service="authentik-valkey-metrics"}[5m]) > 0
for: 1s
labels:
severity: error
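Review bot: ValkeyMemoryHigh divides by `redis_memory_max_bytes`, which the exporter reports as 0 when no `maxmemory` is configured, and the config generated by init.sh in this commit sets none; the quotient is then +Inf, fails `<= 100`, and the alert cannot fire. ValkeyKeyEviction is affected in the same way, since nothing is evicted without a memory limit. Either set `maxmemory` through the chart's extra config or alert on absolute usage, for example `redis_memory_used_bytes{service="authentik-valkey-metrics"} > <threshold-bytes>` with a threshold chosen for this deployment. `for: 1s` on ValkeyKeyEviction is shorter than the 30s scrape interval and in practice behaves like no hold time.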


@@ -1,44 +0,0 @@
apiVersion: redis.redis.opstreelabs.in/v1beta2
kind: RedisReplication
metadata:
name: redis-replication-authentik
namespace: authentik
labels:
helm.sh/chart: redis-replication-1.0.4
app.kubernetes.io/version: "1.0.4"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: redis-replication-authentik
app.kubernetes.io/instance: authentik
app.kubernetes.io/part-of: authentik
spec:
clusterSize: 3
podSecurityContext:
fsGroup: 1000
runAsUser: 1000
kubernetesConfig:
image: "quay.io/opstree/redis:v8.4.0"
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 10m
memory: 32Mi
storage:
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: ceph-block
redisExporter:
enabled: true
image: "quay.io/opstree/redis-exporter:v1.80.2"
sentinel:
image: "quay.io/opstree/redis-sentinel:v8.4.0"
imagePullPolicy: IfNotPresent
resources:
requests:
cpu: 10m
memory: 32Mi
size: 3


@@ -27,5 +27,5 @@ data:
AUTHENTIK_POSTGRESQL__NAME: "YXV0aGVudGlr"
AUTHENTIK_POSTGRESQL__PORT: "NTQzMg=="
AUTHENTIK_POSTGRESQL__USER: "YXV0aGVudGlr"
AUTHENTIK_REDIS__HOST: "cmVkaXMtcmVwbGljYXRpb24tYXV0aGVudGlrLW1hc3Rlcg=="
AUTHENTIK_REDIS__HOST: "YXV0aGVudGlrLXZhbGtleQ=="
AUTHENTIK_WEB__PATH: "Lw=="


@@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
name: authentik-valkey-headless
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: headless
spec:
type: ClusterIP
clusterIP: None
publishNotReadyAddresses: true
ports:
- name: tcp
port: 6379
targetPort: tcp
protocol: TCP
selector:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik


@@ -0,0 +1,23 @@
apiVersion: v1
kind: Service
metadata:
name: authentik-valkey-metrics
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: metrics
app.kubernetes.io/part-of: valkey
annotations:
spec:
type: ClusterIP
ports:
- name: metrics
port: 9121
protocol: TCP
targetPort: metrics
selector:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik


@@ -0,0 +1,21 @@
apiVersion: v1
kind: Service
metadata:
name: authentik-valkey-read
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: read
spec:
type: ClusterIP
ports:
- name: tcp
port: 6379
targetPort: tcp
protocol: TCP
selector:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik


@@ -0,0 +1,22 @@
apiVersion: v1
kind: Service
metadata:
name: authentik-valkey
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/component: primary
spec:
type: ClusterIP
ports:
- port: 6379
targetPort: tcp
protocol: TCP
name: tcp
selector:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
statefulset.kubernetes.io/pod-name: authentik-valkey-0
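Review bot: The selector pins the write endpoint to `statefulset.kubernetes.io/pod-name: authentik-valkey-0`, and init.sh hard-codes pod 0 as master, so there is no promotion path while that pod is unavailable. The RedisReplication removed in this commit declared a `sentinel` block with `size: 3`, so this looks like a loss of automatic failover. If authentik depends on this endpoint at login time, a pod-0 restart becomes an outage for the identity provider; it is worth confirming that this is acceptable and recording the decision next to the chart values.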


@@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: authentik-valkey
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
automountServiceAccountToken: false


@@ -0,0 +1,24 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: authentik-valkey
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: valkey
app.kubernetes.io/component: service-monitor
spec:
endpoints:
- port: metrics
interval: 30s
namespaceSelector:
matchNames:
- authentik
selector:
matchLabels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
app.kubernetes.io/component: metrics


@@ -1,22 +0,0 @@
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: redis-replication-authentik
namespace: authentik
labels:
helm.sh/chart: redis-replication-1.0.4
app.kubernetes.io/version: "1.0.4"
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: redis-replication-authentik
app.kubernetes.io/instance: authentik
app.kubernetes.io/part-of: authentik
spec:
selector:
matchLabels:
app: redis-replication-authentik
redis_setup_type: replication
role: replication
endpoints:
- port: redis-exporter
interval: 30s
scrapeTimeout: 10s


@@ -0,0 +1,129 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: authentik-valkey
labels:
helm.sh/chart: valkey-0.9.3
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
app.kubernetes.io/version: "9.0.3"
app.kubernetes.io/managed-by: Helm
spec:
serviceName: authentik-valkey-headless
replicas: 3
podManagementPolicy: OrderedReady
selector:
matchLabels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
volumeClaimTemplates:
- metadata:
name: valkey-data
spec:
accessModes:
- ReadWriteOnce
storageClassName: "ceph-block"
resources:
requests:
storage: "1Gi"
template:
metadata:
labels:
app.kubernetes.io/name: valkey
app.kubernetes.io/instance: authentik
annotations:
checksum/initconfig: "07891dc8f81b4fb3516e2993c6e827b1"
spec:
automountServiceAccountToken: false
serviceAccountName: authentik-valkey
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsUser: 1000
initContainers:
- name: authentik-valkey-init
image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
command: ["/scripts/init.sh"]
env:
- name: POD_INDEX
valueFrom:
fieldRef:
fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
volumeMounts:
- name: valkey-data
mountPath: /data
- name: scripts
mountPath: /scripts
containers:
- name: authentik-valkey
image: docker.io/valkey/valkey:9.0.3
imagePullPolicy: IfNotPresent
command: ["valkey-server"]
args: ["/data/conf/valkey.conf"]
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
env:
- name: POD_INDEX
valueFrom:
fieldRef:
fieldPath: metadata.labels['apps.kubernetes.io/pod-index']
- name: VALKEY_LOGLEVEL
value: "notice"
ports:
- name: tcp
containerPort: 6379
protocol: TCP
startupProbe:
exec:
command: ["sh", "-c", "valkey-cli ping"]
livenessProbe:
exec:
command: ["sh", "-c", "valkey-cli ping"]
resources:
requests:
cpu: 10m
memory: 128Mi
volumeMounts:
- name: valkey-data
mountPath: /data
- name: metrics
image: ghcr.io/oliver006/redis_exporter:v1.81.0
imagePullPolicy: "IfNotPresent"
ports:
- name: metrics
containerPort: 9121
startupProbe:
tcpSocket:
port: metrics
livenessProbe:
tcpSocket:
port: metrics
readinessProbe:
httpGet:
path: /
port: metrics
resources:
requests:
cpu: 10m
memory: 64M
env:
- name: REDIS_ALIAS
value: authentik-valkey
volumes:
- name: scripts
configMap:
name: authentik-valkey-init-scripts
defaultMode: 0555
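Review bot: The `metrics` container has no container-level `securityContext`, while `authentik-valkey-init` and `authentik-valkey` both drop all capabilities and set `readOnlyRootFilesystem: true` and `runAsNonRoot: true`; the exporter therefore keeps the runtime's default capability set and a writable root filesystem. None of the three containers sets `allowPrivilegeEscalation: false` or a seccomp profile. Because the manifest is rendered, the block below belongs in the chart's metrics values; it assumes the exporter image runs with a read-only root filesystem, which should be confirmed. The images are also referenced by tag only, so pinning them by digest would make the rendered manifest reproducible.

```yaml
        - name: metrics
          image: ghcr.io/oliver006/redis_exporter:v1.81.0
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
          # … unchanged: imagePullPolicy, ports, probes, resources, env …
```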