change key

clusters/cl01tl/monitoring/unpoller/templates/external-secret.yaml

@@ -18,13 +18,13 @@ spec:
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /unifi/auth
+        key: /unifi/auth/cl01tl
         metadataPolicy: None
         property: user
     - secretKey: UP_UNIFI_CONTROLLER_0_PASS
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: /unifi/auth
+        key: /unifi/auth/cl01tl
         metadataPolicy: None
         property: password

clusters/cl01tl/platform/authentik/Chart.yaml

@@ -0,0 +1,35 @@
+apiVersion: v2
+name: authentik
+version: 1.0.0
+description: Authentik
+keywords:
+  - authentik
+  - sso
+  - oidc
+  - ldap
+  - idp
+  - authentication
+home: https://wiki.alexlebens.dev/doc/authentik-q2d4WDhqpe
+sources:
+  - https://github.com/goauthentik/authentik
+  - https://github.com/cloudflare/cloudflared
+  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://github.com/goauthentik/helm
+  - https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
+  - https://github.com/alexlebens/helm-charts/tree/main/charts/postgres-cluster
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: authentik
+    version: 2024.12.3
+    repository: https://charts.goauthentik.io/
+  - name: cloudflared
+    alias: cloudflared
+    repository: http://alexlebens.github.io/helm-charts
+    version: 1.13.0
+  - name: postgres-cluster
+    alias: postgres-17-cluster
+    version: 4.1.4
+    repository: http://alexlebens.github.io/helm-charts
+icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/authentik.png
+appVersion: 2024.10.5

clusters/cl01tl/platform/authentik/templates/config-map.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: authentik-custom-css
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ .Release.Name }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+data:
+  custom.css: |
+    /* Change sign button color */
+    .pf-c-button.pf-m-primary {
+      color: black;
+      background-color: white;
+    }
+
+    /* Remove background */
+    .pf-c-login__main {
+      background-color: rgba(3, 3, 3, 0.16);
+    }
+
+    /* Remove specific height */
+    .pf-c-brand {
+      height: auto;
+    }
+
+    /* Center text */
+    .pf-c-title {
+      text-align: center;
+    }
+
+    /* Match text field to login button */
+    .pf-c-form-control {
+      border-radius: 3px;
+      background-color: white;
+      color: black;
+    }
+
+    /* Force border color */
+    .pf-c-form-control {
+      border-color: white;
+    }
+
+    /* Use default cursor on this div */
+    .pf-c-form__label {
+      cursor: default;
+    }
+
+    /* Hide required asterik */
+    .pf-c-form__label-required {
+      display: none;
+    }
+
+    /* Change link color to white */
+    .a {
+      color: white;
+    }

clusters/cl01tl/platform/authentik/templates/external-secret.yaml

@@ -0,0 +1,80 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authentik-key-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: authentik-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: key
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/authentik/key
+        metadataPolicy: None
+        property: key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authentik-cloudflared-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: authentik-cloudflared-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: cf-tunnel-token
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cloudflare/tunnels/authentik
+        metadataPolicy: None
+        property: token
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authentik-postgresql-17-cluster-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: authentik-postgresql-17-cluster-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: database
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: access
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/postgres-backups
+        metadataPolicy: None
+        property: secret

clusters/cl01tl/platform/authentik/templates/ingress.yaml

@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: authentik-local
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: authentik-local
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    cert-manager.io/cluster-issuer: letsencrypt-issuer
+spec:
+  ingressClassName: traefik
+  tls:
+    - hosts:
+        - authentik.alexlebens.net
+      secretName: authentik-tls-secret
+  rules:
+    - host: authentik.alexlebens.net
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: authentik-server
+                port:
+                  number: 80

clusters/cl01tl/platform/authentik/values.yaml

@@ -0,0 +1,83 @@
+authentik:
+  global:
+    env:
+      - name: AUTHENTIK_SECRET_KEY
+        valueFrom:
+          secretKeyRef:
+            name: authentik-key-secret
+            key: key
+      - name: AUTHENTIK_POSTGRESQL__HOST
+        valueFrom:
+          secretKeyRef:
+            name: authentik-postgresql-17-cluster-app
+            key: host
+      - name: AUTHENTIK_POSTGRESQL__NAME
+        valueFrom:
+          secretKeyRef:
+            name: authentik-postgresql-17-cluster-app
+            key: dbname
+      - name: AUTHENTIK_POSTGRESQL__USER
+        valueFrom:
+          secretKeyRef:
+            name: authentik-postgresql-17-cluster-app
+            key: user
+      - name: AUTHENTIK_POSTGRESQL__PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: authentik-postgresql-17-cluster-app
+            key: password
+  server:
+    name: server
+    replicas: 1
+    volumes:
+      - name: custom-css
+        configMap:
+          name: authentik-custom-css
+    volumeMounts:
+      - name: custom-css
+        mountPath: /web/dist/custom.css
+        subPath: custom.css
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+    ingress:
+      enabled: true
+      ingressClassName: tailscale
+      annotations:
+        tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
+      hosts:
+        - auth-cl01tl
+      paths:
+        - /
+      tls:
+        - secretName: auth-cl01tl
+          hosts:
+            - auth-cl01tl
+  worker:
+    name: worker
+    replicas: 1
+  prometheus:
+    rules:
+      enabled: true
+  postgresql:
+    enabled: false
+  redis:
+    enabled: true
+cloudflared:
+  existingSecretName: authentik-cloudflared-secret
+postgres-17-cluster:
+  mode: standalone
+  cluster:
+    walStorage:
+      storageClass: local-path
+    storage:
+      storageClass: local-path
+    monitoring:
+      enabled: true
+  backup:
+    enabled: true
+    endpointURL: https://nyc3.digitaloceanspaces.com
+    destinationPath: s3://postgres-backups-ce540ddf106d186bbddca68a/cl01tl/authentik/authentik-postgresql-17-cluster
+    endpointCredentials: authentik-postgresql-17-cluster-backup-secret
+    backupIndex: 1