feat: Authentik | set up authentik + dependencies

Includes redis and changes to pihole, nginx, prometheus and gitea

helm/values/authentik.values.yaml

@@ -0,0 +1,63 @@
+global:
+  addPrometheusAnnotations: true
+
+authentik:
+  secret_key: "c8cc2e4a498c697a0443d96b31fe042c69c2158dc8bfb3da3878d1dbfbe6128e"
+  error_reporting:
+    enabled: false
+  postgresql:
+    host: postgres-cluster-rw.postgres-system.svc.cluster.local
+    user: file:///postgres-creds/username
+    password: file:///postgres-creds/password
+  redis:
+    host: redis-master.redis-system.svc.cluster.local
+    password: file:///redis-creds/password
+
+server:
+  ingress:
+    enabled: true
+    annotations:
+      cert-manager.io/cluster-issuer: cloudflare-issuer
+      cert-manager.io/acme-challenge-type: dns01
+      cert-manager.io/private-key-size: "4096"
+    ingressClassName: nginx-internal
+    hosts:
+      - auth.dogar.dev
+    tls:
+      - secretName: authentik-tls
+        hosts:
+          - auth.dogar.dev
+  volumes:
+    - name: postgres-creds
+      secret:
+        secretName: authentik-postgres
+    - name: redis-creds
+      secret:
+        secretName: authentik-redis
+  volumeMounts:
+    - name: postgres-creds
+      mountPath: /postgres-creds
+      readOnly: true
+    - name: redis-creds
+      mountPath: /redis-creds
+      readOnly: true
+worker:
+  volumes:
+    - name: postgres-creds
+      secret:
+        secretName: authentik-postgres
+    - name: redis-creds
+      secret:
+        secretName: authentik-redis
+  volumeMounts:
+    - name: postgres-creds
+      mountPath: /postgres-creds
+      readOnly: true
+    - name: redis-creds
+      mountPath: /redis-creds
+      readOnly: true
+    
+postgresql:
+    enabled: false
+redis:
+    enabled: false

helm/values/gitea.values.yaml

@@ -13,6 +13,7 @@ ingress:
   annotations:
     cert-manager.io/cluster-issuer: cloudflare-issuer
     cert-manager.io/private-key-algorithm: ED25519
+    cert-manager.io/acme-challenge-type: dns01
   hosts:
     - host: git.dogar.dev
       paths:
@@ -53,6 +54,15 @@ gitea:
       STORAGE_TYPE: local
     service:
       DISABLE_REGISTRATION: true
+    oauth2_client:
+      ENABLE_AUTO_REGISTRATION: true
+  oauth:
+    - name: "authentik"
+      provider: "openidConnect"
+      existingSecret: gitea-oauth
+      autoDiscoverUrl: "https://auth.dogar.dev/application/o/gitea/.well-known/openid-configuration"
+      iconUrl: "https://goauthentik.io/img/icon.png"
+      scopes: "email profile"
   additionalConfigFromEnvs:
     - name: GITEA__DATABASE__PASSWD
       valueFrom:

helm/values/nginx-internal.values.yaml

@@ -6,9 +6,6 @@ controller:
     controllerValue: "k8s.io/ingress-nginx"
     parameters: {}
   ingressClass: nginx-internal
-  service:
-    annotations:
-      external-dns.alpha.kubernetes.io/hostname: "postgres.home,postgres.dogar.dev"
 tcp:
   22:   "gitea-system/gitea-ssh:22"
   5432: "postgres-system/postgres-cluster-rw:5432"

helm/values/pihole.values.yaml

@@ -10,7 +10,7 @@ admin:
 persistentVolumeClaim:
   enabled: true
   accessModes:
-    - ReadWriteMany
+    - ReadWriteOnce
 ingress:
   enabled: true
   annotations:
@@ -35,7 +35,6 @@ serviceDns:
   annotations:
     metallb.universe.tf/allow-shared-ip: pihole-svc
   type: LoadBalancer
-replicaCount: 3
 podAnnotations:
   prometheus.io/scrape: "true"
   prometheus.io/port: "9617"

helm/values/prometheus.values.yaml

@@ -1,10 +1,16 @@
 grafana:
   enabled: true
+  service:
+    type: LoadBalancer
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: grafana.dogar.dev
   ingress:
     enabled: true
     ingressClassName: nginx-internal
     annotations:
       cert-manager.io/cluster-issuer: cloudflare-issuer
+      cert-manager.io/private-key-algorithm: ED25519
+      cert-manager.io/acme-challenge-type: dns01
     hosts:
       - grafana.dogar.dev
     tls:

helm/values/redis.values.yaml

@@ -0,0 +1,23 @@
+architecture: standalone
+
+auth:
+  enabled: true
+  sentinel: true
+  existingSecret: redis
+  existingSecretPasswordKey: password
+
+master:
+  persistence:
+    enabled: false
+  service:
+    type: LoadBalancer
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: redis.dogar.dev
+
+replica:
+  replicaCount: 0
+  persistence:
+    enabled: false
+
+sentinel:
+  enabled: false