shahab/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Authentik | use IngressRoute instead of Ingress

Browse Source
This commit is contained in:
Shahab Dogar
2025-11-22 18:04:54 +05:00
parent ed8b6403cd
commit 3b439344f5
5 changed files with 14 additions and 283 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
helm/values/authentik.values.yaml
View File

@@ -1,110 +0,0 @@
global:
addPrometheusAnnotations: true
securityContext:
runAsUser: 1000
fsGroup: 1000
podLabels:
app: authentik
nodeSelector:
nodepool: worker
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: authentik
env:
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-secret-key
key: password
- name: AUTHENTIK_EMAIL__USERNAME
valueFrom:
secretKeyRef:
name: smtp-token
key: authentik-username
- name: AUTHENTIK_EMAIL__PASSWORD
valueFrom:
secretKeyRef:
name: smtp-token
key: authentik-password
- name: AUTHENTIK_EMAIL__FROM
valueFrom:
secretKeyRef:
name: smtp-token
key: authentik-username
- name: AUTHENTIK_EMAIL__USE_TLS
value: "true"
- name: AUTHENTIK_POSTGRESQL__SSLMODE
value: verify-full
- name: AUTHENTIK_POSTGRESQL__SSLROOTCERT
value: "/opt/authentik/certs/ca.crt"
- name: AUTHENTIK_POSTGRESQL__SSLCERT
value: "/opt/authentik/certs/tls.crt"
- name: AUTHENTIK_POSTGRESQL__SSLKEY
value: "/opt/authentik/certs/tls.key"
- name: AUTHENTIK_REDIS__PASSWORD
valueFrom:
secretKeyRef:
name: valkey
key: password
volumes:
- name: ssl-bundle
projected:
sources:
- secret:
name: authentik-client-cert
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
mode: 0600
- secret:
name: postgres-server-cert
items:
- key: ca.crt
path: ca.crt
volumeMounts:
- name: ssl-bundle
mountPath: /opt/authentik/certs
readOnly: true
authentik:
error_reporting:
enabled: false
email:
host: "smtp.protonmail.ch"
port: 587
postgresql:
host: postgres-cluster-rw
user: authentik
name: authentik
redis:
host: valkey
server:
replicas: 3
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: cloudflare-issuer
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/private-key-size: "4096"
ingressClassName: traefik
hosts:
- auth.dogar.dev
tls:
- secretName: authentik-tls
hosts:
- auth.dogar.dev
worker:
replicas: 3
postgresql:
enabled: false
redis:
enabled: false

161
helm/values/gitea.values.yaml
View File

@@ -1,161 +0,0 @@
global:
storageClass: longhorn
image:
rootless: false
service:
http:
annotations:
metallb.universe.tf/allow-shared-ip: gitea
ssh:
annotations:
metallb.universe.tf/allow-shared-ip: gitea
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: cloudflare-issuer
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/private-key-size: 4096
className: traefik
hosts:
- host: git.dogar.dev
paths:
- path: /
pathType: Prefix
tls:
- secretName: gitea-tls
hosts:
- git.dogar.dev
gitea:
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "6060"
admin:
existingSecret: gitea-admin
metrics:
enabled: true
serviceMonitor:
enabled: true
config:
server:
ENABLE_PPROF: true
ENABLE_GZIP: true
LFS_START_SERVER: true
SSH_DOMAIN: git.dogar.dev
database:
DB_TYPE: postgres
HOST: postgres-cluster-rw
NAME: gitea
USER: gitea
SSL_MODE: verify-full
metrics:
ENABLED: true
cache:
ADAPTER: memory
session:
PROVIDER: db
PROVIDER_CONFIG: ""
queue:
TYPE: channel
storage:
STORAGE_TYPE: minio
MINIO_USE_SSL: true
MINIO_BUCKET_LOOKUP_STYLE: path
MINIO_LOCATION: auto
service:
DISABLE_REGISTRATION: true
oauth2_client:
ENABLE_AUTO_REGISTRATION: true
mailer:
ENABLED: true
PROTOCOL: smtp+starttls
SMTP_ADDR: smtp.protonmail.ch
SMTP_PORT: 587
FROM: git@dogar.dev
picture:
GRAVATAR_SOURCE: gravatar
oauth:
- name: "authentik"
provider: "openidConnect"
existingSecret: gitea-oauth
autoDiscoverUrl: "https://auth.dogar.dev/application/o/gitea/.well-known/openid-configuration"
iconUrl: "https://goauthentik.io/img/icon.png"
scopes: "email profile"
additionalConfigFromEnvs:
- name: GITEA__MAILER__PASSWD
valueFrom:
secretKeyRef:
name: smtp-token
key: gitea-password
- name: GITEA__PACKAGES__CHUNKED_UPLOAD_PATH
value: "/tmp/gitea-uploads"
- name: GITEA__PACKAGES__CHUNKED_UPLOAD_CONCURRENCY
value: "4"
- name: GITEA__STORAGE__MINIO_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: cloudflare-token
key: access_key_id
- name: GITEA__STORAGE__MINIO_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: cloudflare-token
key: secret_access_key
persistence:
labels:
recurring-job.longhorn.io/source: "enabled"
recurring-job.longhorn.io/daily-backup: "enabled"
enabled: true
size: 50Gi
accessModes:
- ReadWriteMany
deployment:
env:
- name: PGSSLMODE
value: verify-full
- name: PGSSLROOTCERT
value: /opt/gitea/.postgresql/root.crt
- name: PGSSLCERT
value: /opt/gitea/.postgresql/postgresql.crt
- name: PGSSLKEY
value: /opt/gitea/.postgresql/postgresql.key
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 6
memory: 6Gi
extraVolumes:
- name: ssl-bundle
projected:
sources:
- secret:
name: gitea-client-cert
items:
- key: tls.crt
path: postgresql.crt
- key: tls.key
path: postgresql.key
mode: 0600
- secret:
name: postgres-server-cert
items:
- key: ca.crt
path: root.crt
- name: gitea-temp
emptyDir: {}
extraInitVolumeMounts:
- name: ssl-bundle
mountPath: /opt/gitea/.postgresql
readOnly: true
extraContainerVolumeMounts:
- name: ssl-bundle
mountPath: /opt/gitea/.postgresql
readOnly: true
readOnly: true
- name: gitea-temp
mountPath: /tmp/gitea-uploads
postgresql-ha:
enabled: false
valkey-cluster:
enabled: false

10
k8s-operators/prometheus/index.ts
View File

@@ -2,7 +2,7 @@ import * as fs from "fs";
import * as path from "path"; import * as path from "path";
import { Release } from "@cdktf/provider-helm/lib/release"; import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs"; import { Construct } from "constructs";
import { CloudflareCertificate, IngressRoute } from "../../utils"; import { IngressRoute } from "../../utils";
import { Providers } from "../../types"; import { Providers } from "../../types";
type PrometheusOptions = { type PrometheusOptions = {
@@ -18,14 +18,6 @@ export class Prometheus extends Construct {
const { helm, kubernetes } = options.providers; const { helm, kubernetes } = options.providers;
new CloudflareCertificate(this, "certificate", {
provider: kubernetes,
name: "grafana",
namespace: options.namespace,
dnsNames: ["grafana.dogar.dev"],
secretName: "grafana-tls",
});
new IngressRoute(this, "ingress", { new IngressRoute(this, "ingress", {
provider: kubernetes, provider: kubernetes,
name: "grafana", name: "grafana",

14
utility-services/authentik/index.ts
View File

@@ -2,7 +2,7 @@ import * as fs from "fs";
import * as path from "path"; import * as path from "path";
import { Release } from "@cdktf/provider-helm/lib/release"; import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs"; import { Construct } from "constructs";
import { OnePasswordSecret } from "../../utils"; import { IngressRoute, OnePasswordSecret } from "../../utils";
import { Providers } from "../../types"; import { Providers } from "../../types";
type AuthentikServerOptions = { type AuthentikServerOptions = {
@@ -42,6 +42,16 @@ export class AuthentikServer extends Construct {
encoding: "utf8", encoding: "utf8",
}), }),
], ],
}).importFrom("homelab/authentik"); });
new IngressRoute(this, "ingress", {
provider: kubernetes,
name: options.name,
namespace: options.namespace,
host: "auth.dogar.dev",
serviceName: `authentik-server`,
servicePort: 80,
tlsSecretName: "authentik-tls",
});
} }
} }

2
utility-services/authentik/values.yaml
View File

@@ -88,7 +88,7 @@ authentik:
server: server:
replicas: 3 replicas: 3
ingress: ingress:
enabled: true enabled: false
annotations: annotations:
cert-manager.io/cluster-issuer: cloudflare-issuer cert-manager.io/cluster-issuer: cloudflare-issuer
cert-manager.io/acme-challenge-type: dns01 cert-manager.io/acme-challenge-type: dns01