diff --git a/clusters/cl01tl/monitoring/unpoller/templates/external-secret.yaml b/clusters/cl01tl/monitoring/unpoller/templates/external-secret.yaml
index 9e6f7fa9f..2785c2ecf 100644
--- a/clusters/cl01tl/monitoring/unpoller/templates/external-secret.yaml
+++ b/clusters/cl01tl/monitoring/unpoller/templates/external-secret.yaml
@@ -18,13 +18,13 @@ spec: remoteRef: conversionStrategy: Default decodingStrategy: None - key: /unifi/auth + key: /unifi/auth/cl01tl metadataPolicy: None property: user - secretKey: UP_UNIFI_CONTROLLER_0_PASS remoteRef: conversionStrategy: Default decodingStrategy: None - key: /unifi/auth + key: /unifi/auth/cl01tl metadataPolicy: None property: password
diff --git a/clusters/cl01tl/platform/authentik/Chart.yaml b/clusters/cl01tl/platform/authentik/Chart.yaml
new file mode 100644
index 000000000..c319ca94f
--- /dev/null
+++ b/clusters/cl01tl/platform/authentik/Chart.yaml
@@ -0,0 +1,35 @@
+apiVersion: v2
+name: authentik
+version: 1.0.0
+description: Authentik
+keywords:
+ - authentik
+ - sso
+ - oidc
+ - ldap
+ - idp
+ - authentication
+home: https://wiki.alexlebens.dev/doc/authentik-q2d4WDhqpe
+sources:
+ - https://github.com/goauthentik/authentik
+ - https://github.com/cloudflare/cloudflared
+ - https://github.com/cloudnative-pg/cloudnative-pg
+ - https://github.com/goauthentik/helm
+ - https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
+ - https://github.com/alexlebens/helm-charts/tree/main/charts/postgres-cluster
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: authentik
+ version: 2024.12.3
+ repository: https://charts.goauthentik.io/
+ - name: cloudflared
+ alias: cloudflared
+ repository: http://alexlebens.github.io/helm-charts
+ version: 1.13.0
+ - name: postgres-cluster
+ alias: postgres-17-cluster
+ version: 4.1.4
+ repository: http://alexlebens.github.io/helm-charts
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/authentik.png
+appVersion: 2024.10.5
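Review bot: The `cloudflared` and `postgres-cluster` dependencies are fetched from `http://alexlebens.github.io/helm-charts`, so the repository index and chart archives travel without transport integrity and the chart supply chain is exposed to tampering in transit; GitHub Pages serves the same path over TLS, so `repository: https://alexlebens.github.io/helm-charts` on both entries closes that at no cost. The `authentik` dependency already uses `https://charts.goauthentik.io/`, so the file is inconsistent with itself on this point. Separately, `appVersion: 2024.10.5` does not match the `2024.12.3` pinned for the authentik subchart; if appVersion is meant to track the deployed authentik release it is stale, and the templates added in this commit copy it into every `app.kubernetes.io/version` label.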
diff --git a/clusters/cl01tl/platform/authentik/templates/config-map.yaml b/clusters/cl01tl/platform/authentik/templates/config-map.yaml
new file mode 100644
index 000000000..f749d50f5
--- /dev/null
+++ b/clusters/cl01tl/platform/authentik/templates/config-map.yaml
@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: authentik-custom-css
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ .Release.Name }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+ custom.css: |
+ /* Change sign button color */
+ .pf-c-button.pf-m-primary {
+ color: black;
+ background-color: white;
+ }
+
+ /* Remove background */
+ .pf-c-login__main {
+ background-color: rgba(3, 3, 3, 0.16);
+ }
+
+ /* Remove specific height */
+ .pf-c-brand {
+ height: auto;
+ }
+
+ /* Center text */
+ .pf-c-title {
+ text-align: center;
+ }
+
+ /* Match text field to login button */
+ .pf-c-form-control {
+ border-radius: 3px;
+ background-color: white;
+ color: black;
+ }
+
+ /* Force border color */
+ .pf-c-form-control {
+ border-color: white;
+ }
+
+ /* Use default cursor on this div */
+ .pf-c-form__label {
+ cursor: default;
+ }
+
+ /* Hide required asterik */
+ .pf-c-form__label-required {
+ display: none;
+ }
+
+ /* Change link color to white */
+ .a {
+ color: white;
+ }
diff --git a/clusters/cl01tl/platform/authentik/templates/external-secret.yaml b/clusters/cl01tl/platform/authentik/templates/external-secret.yaml
new file mode 100644
index 000000000..17ba4cf91
--- /dev/null
+++ b/clusters/cl01tl/platform/authentik/templates/external-secret.yaml
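Review bot: The last rule in the `custom.css` block scalar, `.a { color: white; }`, selects elements with class `a` rather than anchor elements, so it does not do what `/* Change link color to white */` says; if links are the intent, the selector should be `a {`. The comment `/* Hide required asterik */` also misspells "asterisk". The two `.pf-c-form-control` blocks could be merged into one, since the second only adds `border-color: white;` to the first. These are edits to the embedded CSS text, not to the YAML structure, which parses as intended.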
@@ -0,0 +1,80 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: authentik-key-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: authentik-key-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: key
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/authentik/key
+ metadataPolicy: None
+ property: key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: authentik-cloudflared-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: authentik-cloudflared-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: cf-tunnel-token
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cloudflare/tunnels/authentik
+ metadataPolicy: None
+ property: token
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: authentik-postgresql-17-cluster-backup-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: database
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/postgres-backups
+ metadataPolicy: None
+ property: access
+ - secretKey: ACCESS_SECRET_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/postgres-backups
+ metadataPolicy: None
+ property: secret
diff --git a/clusters/cl01tl/platform/authentik/templates/ingress.yaml b/clusters/cl01tl/platform/authentik/templates/ingress.yaml
new file mode 100644
index 000000000..b0a72161e
--- /dev/null
+++ b/clusters/cl01tl/platform/authentik/templates/ingress.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: authentik-local
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: authentik-local
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+ annotations:
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: letsencrypt-issuer
+spec:
+ ingressClassName: traefik
+ tls:
+ - hosts:
+ - authentik.alexlebens.net
+ secretName: authentik-tls-secret
+ rules:
+ - host: authentik.alexlebens.net
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: authentik-server
+ port:
+ number: 80
diff --git a/clusters/cl01tl/platform/authentik/values.yaml b/clusters/cl01tl/platform/authentik/values.yaml
new file mode 100644
index 000000000..52e3f22c5
--- /dev/null
+++ b/clusters/cl01tl/platform/authentik/values.yaml
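Review bot: The database backup credentials are read from `/digital-ocean/home-infra/postgres-backups`, a Vault path with no cluster or application component, unlike `/cl01tl/authentik/key` in the same file and the `/unifi/auth/cl01tl` rename made elsewhere in this commit; if that is one Spaces key shared by every cluster's backups, a compromise of this namespace exposes the backups of all of them, whereas a key scoped to the `cl01tl/authentik` prefix and stored under a per-cluster path would limit the blast radius to this database. None of the three ExternalSecrets sets `spec.refreshInterval` or `spec.target`, so operator defaults apply, including the generated Secret taking the ExternalSecret's name, which is what the `authentik-key-secret`, `authentik-cloudflared-secret` and `authentik-postgresql-17-cluster-backup-secret` references in values.yaml rely on; stating `refreshInterval` explicitly documents how quickly a rotated Vault value reaches the pods. The `app.kubernetes.io/name` label is the literal resource name here and in ingress.yaml while config-map.yaml uses `{{ .Release.Name }}`; the templates should settle on one convention.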
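Review bot: The backend `service.name: authentik-server` is a hard-coded name that the authentik subchart presumably derives from the release name, as are `authentik-postgresql-17-cluster-app` and `authentik-custom-css` in values.yaml; if this chart is ever installed under a release name other than `authentik`, the Ingress and the database env vars would point at a Service and Secrets that do not exist, with no template error to show for it. Deriving the name from the release, e.g. `name: {{ .Release.Name }}-server`, keeps the template correct regardless of release name, and the chart could document the release-name assumption if the subcharts' naming cannot be relied on. The rule also forwards `/` for a Let's Encrypt-issued host straight to the server with no Traefik middleware annotation; if rate limiting or allow-listing for the login endpoints is handled elsewhere (cloudflared, Traefik defaults), a one-line comment saying where would help the next reader.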
@@ -0,0 +1,83 @@
+authentik:
+ global:
+ env:
+ - name: AUTHENTIK_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: authentik-key-secret
+ key: key
+ - name: AUTHENTIK_POSTGRESQL__HOST
+ valueFrom:
+ secretKeyRef:
+ name: authentik-postgresql-17-cluster-app
+ key: host
+ - name: AUTHENTIK_POSTGRESQL__NAME
+ valueFrom:
+ secretKeyRef:
+ name: authentik-postgresql-17-cluster-app
+ key: dbname
+ - name: AUTHENTIK_POSTGRESQL__USER
+ valueFrom:
+ secretKeyRef:
+ name: authentik-postgresql-17-cluster-app
+ key: user
+ - name: AUTHENTIK_POSTGRESQL__PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: authentik-postgresql-17-cluster-app
+ key: password
+ server:
+ name: server
+ replicas: 1
+ volumes:
+ - name: custom-css
+ configMap:
+ name: authentik-custom-css
+ volumeMounts:
+ - name: custom-css
+ mountPath: /web/dist/custom.css
+ subPath: custom.css
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ ingress:
+ enabled: true
+ ingressClassName: tailscale
+ annotations:
+ tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
+ hosts:
+ - auth-cl01tl
+ paths:
+ - /
+ tls:
+ - secretName: auth-cl01tl
+ hosts:
+ - auth-cl01tl
+ worker:
+ name: worker
+ replicas: 1
+ prometheus:
+ rules:
+ enabled: true
+ postgresql:
+ enabled: false
+ redis:
+ enabled: true
+cloudflared:
+ existingSecretName: authentik-cloudflared-secret
+postgres-17-cluster:
+ mode: standalone
+ cluster:
+ walStorage:
+ storageClass: local-path
+ storage:
+ storageClass: local-path
+ monitoring:
+ enabled: true
+ backup:
+ enabled: true
+ endpointURL: https://nyc3.digitaloceanspaces.com
+ destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-17-cluster
+ endpointCredentials: authentik-postgresql-17-cluster-backup-secret
+ backupIndex: 1
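Review bot: The custom CSS is mounted with `subPath: custom.css` at `/web/dist/custom.css`, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so edits to `authentik-custom-css` only take effect after the server pod is restarted; a comment next to `volumeMounts` such as `# subPath mount: CSS changes need a pod restart to apply` would save the next person a debugging session. The `tailscale.com/experimental-forward-cluster-traffic-via-ingress` annotation is, by its own name, an experimental feature, so a short comment on why it is required would help when it is renamed or removed. Both `server.replicas` and `worker.replicas` are `1`, which leaves the identity provider with no redundancy during upgrades or node drains; if that is an accepted trade-off for this cluster, recording it in a comment would stop it from being re-raised on every review.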