From d0894d53a875d3021e1ed586a1bb9aa8b02ec755 Mon Sep 17 00:00:00 2001
From: Daniele De Lorenzi
Date: Sat, 6 Jan 2024 14:11:27 +0100
Subject: [PATCH 1/2] Deploy Authentik as SSO, this is a test instance

Signed-off-by: Daniele De Lorenzi
---
 apps/kubenuc/postgresql/manifests/db.yaml   |  4 --
 apps/kubenuc/sso/release.yml                | 71 +++++++++++++++++++++
 apps/kubenuc/sso/secrets.yaml               | 12 ++++
 apps/kubenuc/sso/secrets/kustomization.yaml |  5 ++
 apps/kubenuc/sso/secrets/sso-secret.yml     |  6 ++
 charts/goauthentik.yml                      | 10 +++
 charts/kustomization.yaml                   |  1 +
 7 files changed, 105 insertions(+), 4 deletions(-)
 create mode 100644 apps/kubenuc/sso/release.yml
 create mode 100644 apps/kubenuc/sso/secrets.yaml
 create mode 100644 apps/kubenuc/sso/secrets/kustomization.yaml
 create mode 100644 apps/kubenuc/sso/secrets/sso-secret.yml
 create mode 100644 charts/goauthentik.yml

diff --git a/apps/kubenuc/postgresql/manifests/db.yaml b/apps/kubenuc/postgresql/manifests/db.yaml
index b357f444..bc379de4 100644
--- a/apps/kubenuc/postgresql/manifests/db.yaml
+++ b/apps/kubenuc/postgresql/manifests/db.yaml
@@ -9,9 +9,5 @@ spec:
     size: 10Gi
     storageClass: "longhorn"
   numberOfInstances: 3
-  users:
-    daniele:
-    - superuser
-    - createdb
   postgresql:
     version: "15"
diff --git a/apps/kubenuc/sso/release.yml b/apps/kubenuc/sso/release.yml
new file mode 100644
index 00000000..3b90617a
--- /dev/null
+++ b/apps/kubenuc/sso/release.yml
@@ -0,0 +1,71 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authentik
+  namespace: sso
+spec:
+  interval: 15m
+  maxHistory: 20
+  chart:
+    spec:
+      chart: authentik
+      sourceRef:
+        kind: HelmRepository
+        name: goauthentik-chart
+        namespace: flux-system
+      interval: 15m
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  values:
+    authentik:
+      # This sends anonymous usage-data, stack traces on errors and
+      # performance data to sentry.io, and is fully opt-in
+      error_reporting:
+        enabled: false
+
+    envValueFrom:
+      PG_PASS:
+        secretKeyRef:
+          key: PG_PASS
+          name: sso-secrets
+      AUTHENTIK_SECRET_KEY:
+        secretKeyRef:
+          key: AUTHENTIK_SECRET_KEY
+          name: sso-secrets
+      AUTHENTIK_POSTGRESQL__HOST:
+        secretKeyRef:
+          key: PG_HOST
+          name: sso-secrets
+      AUTHENTIK_POSTGRESQL__PASSWORD:
+        secretKeyRef:
+          key: PG_PASS
+          name: sso-secrets
+
+    ingress:
+      ingressClassName: nginx
+      enabled: true
+      hosts:
+        - host: sso.ddlns.net
+          paths:
+            - path: "/"
+              pathType: Prefix
+      annotations:
+        cert-manager.io/cluster-issuer: "letsencrypt"
+        nginx.ingress.kubernetes.io/ssl-redirect: "true"
+        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+      tls:
+        - secretName: sso-tls
+          hosts:
+            - sso.ddlns.net
+
+    postgresql:
+      enabled: false
+
+    redis:
+      enabled: true
diff --git a/apps/kubenuc/sso/secrets.yaml b/apps/kubenuc/sso/secrets.yaml
new file mode 100644
index 00000000..4edd67bb
--- /dev/null
+++ b/apps/kubenuc/sso/secrets.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: sso-secrets
+  namespace: flux-system
+spec:
+  interval: 15m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./apps/kubenuc/sso/secrets
+  prune: true
diff --git a/apps/kubenuc/sso/secrets/kustomization.yaml b/apps/kubenuc/sso/secrets/kustomization.yaml
new file mode 100644
index 00000000..bd2c94bc
--- /dev/null
+++ b/apps/kubenuc/sso/secrets/kustomization.yaml
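Review bot: `chart: authentik` under `spec.chart.spec` carries no `version:`, so every 15-minute reconcile installs whatever is newest at `https://charts.goauthentik.io`, including a tampered or breaking release, and nothing in git records which chart actually runs the identity provider behind `sso.ddlns.net`. Add a pin next to the chart name, e.g. `version: "x.y.z"` with the concrete chart release you tested, and bump it deliberately. As far as this diff shows the repository is plain HTTPS with no artifact signature verification, so the pin is the only thing tying the deployed code to something a human reviewed. A smaller nit: `PG_PASS` and `AUTHENTIK_POSTGRESQL__PASSWORD` both map the same secret key, and the bare `PG_PASS` env var does not appear to be one authentik reads, so it puts the database password into the pod environment a second time for no gain.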
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: sso
+resources:
+- sso-secret.yml
diff --git a/apps/kubenuc/sso/secrets/sso-secret.yml b/apps/kubenuc/sso/secrets/sso-secret.yml
new file mode 100644
index 00000000..1b699b6c
--- /dev/null
+++ b/apps/kubenuc/sso/secrets/sso-secret.yml
@@ -0,0 +1,6 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: sso-secrets
+spec:
+  itemPath: "vaults/k8s_secrets/items/sso_keys"
diff --git a/charts/goauthentik.yml b/charts/goauthentik.yml
new file mode 100644
index 00000000..d3387dd0
--- /dev/null
+++ b/charts/goauthentik.yml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: goauthentik-chart
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://charts.goauthentik.io
+  timeout: 3m
diff --git a/charts/kustomization.yaml b/charts/kustomization.yaml
index 274ffce8..18dcf99a 100644
--- a/charts/kustomization.yaml
+++ b/charts/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
   - bitnami.yml
   - cetic.yml
   - crowdsec.yml
+  - goauthentik.yml
   - harbor.yml
   - ingress-nginx.yml
   - longhorn.yml

From 913ac403eb01f97964b989fcdac220265ffc6b40 Mon Sep 17 00:00:00 2001
From: Daniele De Lorenzi
Date: Sat, 6 Jan 2024 14:35:13 +0100
Subject: [PATCH 2/2] Add init container for initialize the DB

Signed-off-by: Daniele De Lorenzi
---
 apps/kubenuc/sso/release.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/apps/kubenuc/sso/release.yml b/apps/kubenuc/sso/release.yml
index 3b90617a..5a61e190 100644
--- a/apps/kubenuc/sso/release.yml
+++ b/apps/kubenuc/sso/release.yml
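Review bot: The `OnePasswordItem` in sso-secret.yml materialises a Secret named `sso-secrets`, and release.yml reads the keys `PG_PASS`, `PG_HOST` and `AUTHENTIK_SECRET_KEY` from it, but nothing in this file records that the 1Password item `sso_keys` must expose fields with exactly those labels; a missing or renamed field surfaces only as a container config error at pod start. A comment above `itemPath` would make the contract visible, e.g. `# item must expose fields PG_HOST, PG_PASS and AUTHENTIK_SECRET_KEY (consumed by ../release.yml)`. Also worth noting there: rotating a value in 1Password updates the Secret but, unless the operator's pod auto-restart annotation is enabled, not the running pods, which matters for `AUTHENTIK_SECRET_KEY` since authentik's docs describe it as the key used for cookie signing.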
@@ -23,6 +23,26 @@ spec:
     remediation:
       retries: 5
   values:
+    initContainers:
+      - name: init-db
+        image: postgres:15
+        imagePullPolicy: Always
+        command: ["psql", "-h", "${AUTHENTIK_POSTGRESQL__HOST}", "--command"]
+        args:
+          - |
+            CREATE DATABASE authentik;
+            CREATE USER authentik WITH ENCRYPTED PASSWORD '${AUTHENTIK_POSTGRESQL__PASSWORD}';
+            GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;
+        envValueFrom:
+          AUTHENTIK_POSTGRESQL__HOST:
+            secretKeyRef:
+              key: PG_HOST
+              name: sso-secrets
+          AUTHENTIK_POSTGRESQL__PASSWORD:
+            secretKeyRef:
+              key: PG_PASS
+              name: sso-secrets
+
     authentik:
       # This sends anonymous usage-data, stack traces on errors and
       # performance data to sentry.io, and is fully opt-in
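Review bot: The new `init-db` container cannot run as written and, once it does, would expose the database password: Kubernetes expands only `$(VAR)` in `command`/`args`, so `${AUTHENTIK_POSTGRESQL__HOST}` and `${AUTHENTIK_POSTGRESQL__PASSWORD}` reach psql literally; `envValueFrom` looks like the authentik chart's own values key rather than a core container field, so the init container needs a plain `env:` list; and PostgreSQL refuses `CREATE DATABASE` inside a multi-command `--command` string. Splicing the password into SQL text also lets a value containing `'` break the statement, and anything that does get expanded into argv is readable by whoever can view the pod spec or list processes on the node. The sketch below lets libpq read the host from `PGHOST`, binds the password inside the session with psql 15's `\getenv` (matching the `postgres:15` image) and interpolates it as the quoted literal `:'pw'`, one `-c` per statement. Still missing are admin credentials for the connection (no `-U`, `PGUSER` or `PGPASSWORD` — `PG_PASS` is the password of the role being created) and idempotency, since every pod restart reruns `CREATE DATABASE` against an existing database; if db.yaml is a Zalando postgres-operator manifest, as `numberOfInstances` and the removed `users:` block suggest, declaring the role and database there would remove the init container entirely. The enclosing `values:` mapping continues outside the hunk.
```yaml
    initContainers:
      - name: init-db
        image: postgres:15
        imagePullPolicy: Always
        # Core container fields only: the chart-level envValueFrom helper
        # does not apply inside initContainers.
        env:
          - name: PGHOST  # read by libpq directly, no $(...) expansion needed
            valueFrom:
              secretKeyRef:
                name: sso-secrets
                key: PG_HOST
          - name: AUTHENTIK_POSTGRESQL__PASSWORD
            valueFrom:
              secretKeyRef:
                name: sso-secrets
                key: PG_PASS
        # One -c per statement: CREATE DATABASE cannot run from a multi-command
        # string. \getenv (psql 15) binds the password inside the session and
        # :'pw' quotes it as a SQL literal, so it never appears in argv or SQL text.
        command:
          - psql
          - "-c"
          - "CREATE DATABASE authentik;"
          - "-c"
          - '\getenv pw AUTHENTIK_POSTGRESQL__PASSWORD'
          - "-c"
          - "CREATE USER authentik WITH ENCRYPTED PASSWORD :'pw';"
          - "-c"
          - "GRANT ALL PRIVILEGES ON DATABASE authentik TO authentik;"
    # … unchanged: authentik.error_reporting and the rest of values …
```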