feat: Authentik | set up authentik + dependencies

Includes redis and changes to pihole, nginx, prometheus and gitea

1password/secrets.yaml

@@ -68,3 +68,43 @@ metadata:
     operator.1password.io/auto-restart: "true"
 spec:
   itemPath: "vaults/Lab/items/Cloudflare"
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: authentik-postgres
+  namespace: authentik-system
+  annotations:
+    operator.1password.io/auto-restart: "true"
+spec:
+  itemPath: "vaults/Lab/items/authentik-postgres"
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: redis
+  namespace: redis-system
+  annotations:
+    operator.1password.io/auto-restart: "true"
+spec:
+  itemPath: "vaults/Lab/items/redis"
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: authentik-redis
+  namespace: authentik-system
+  annotations:
+    operator.1password.io/auto-restart: "true"
+spec:
+  itemPath: "vaults/Lab/items/redis"
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: gitea-oauth
+  namespace: gitea-system
+  annotations:
+    operator.1password.io/auto-restart: "true"
+spec:
+  itemPath: "vaults/Lab/items/gitea-oauth"

helm/helmfile.yaml

@@ -17,6 +17,8 @@ repositories:
     url: https://charts.jetstack.io
   - name: prometheus-community
     url: https://prometheus-community.github.io/helm-charts
+  - name: authentik
+    url: https://charts.goauthentik.io
 ---
 releases:
   # Distributed Storage
@@ -92,3 +94,19 @@ releases:
     version: 62.3.0
     values:
       - ./values/prometheus.values.yaml
+
+  # Redis
+  - name: redis
+    namespace: redis-system
+    chart: bitnami/redis
+    version: 20.2.0
+    values:
+      - ./values/redis.values.yaml
+
+  # Authentik
+  - name: authentik
+    namespace: authentik-system
+    chart: authentik/authentik
+    version: 2024.8.3
+    values:
+      - ./values/authentik.values.yaml

helm/values/authentik.values.yaml

@@ -0,0 +1,63 @@
+global:
+  addPrometheusAnnotations: true
+
+authentik:
+  secret_key: "c8cc2e4a498c697a0443d96b31fe042c69c2158dc8bfb3da3878d1dbfbe6128e"
+  error_reporting:
+    enabled: false
+  postgresql:
+    host: postgres-cluster-rw.postgres-system.svc.cluster.local
+    user: file:///postgres-creds/username
+    password: file:///postgres-creds/password
+  redis:
+    host: redis-master.redis-system.svc.cluster.local
+    password: file:///redis-creds/password
+
+server:
+  ingress:
+    enabled: true
+    annotations:
+      cert-manager.io/cluster-issuer: cloudflare-issuer
+      cert-manager.io/acme-challenge-type: dns01
+      cert-manager.io/private-key-size: "4096"
+    ingressClassName: nginx-internal
+    hosts:
+      - auth.dogar.dev
+    tls:
+      - secretName: authentik-tls
+        hosts:
+          - auth.dogar.dev
+  volumes:
+    - name: postgres-creds
+      secret:
+        secretName: authentik-postgres
+    - name: redis-creds
+      secret:
+        secretName: authentik-redis
+  volumeMounts:
+    - name: postgres-creds
+      mountPath: /postgres-creds
+      readOnly: true
+    - name: redis-creds
+      mountPath: /redis-creds
+      readOnly: true
+worker:
+  volumes:
+    - name: postgres-creds
+      secret:
+        secretName: authentik-postgres
+    - name: redis-creds
+      secret:
+        secretName: authentik-redis
+  volumeMounts:
+    - name: postgres-creds
+      mountPath: /postgres-creds
+      readOnly: true
+    - name: redis-creds
+      mountPath: /redis-creds
+      readOnly: true
+    
+postgresql:
+    enabled: false
+redis:
+    enabled: false

helm/values/gitea.values.yaml

@@ -13,6 +13,7 @@ ingress:
   annotations:
     cert-manager.io/cluster-issuer: cloudflare-issuer
     cert-manager.io/private-key-algorithm: ED25519
+    cert-manager.io/acme-challenge-type: dns01
   hosts:
     - host: git.dogar.dev
       paths:
@@ -53,6 +54,15 @@ gitea:
       STORAGE_TYPE: local
     service:
       DISABLE_REGISTRATION: true
+    oauth2_client:
+      ENABLE_AUTO_REGISTRATION: true
+  oauth:
+    - name: "authentik"
+      provider: "openidConnect"
+      existingSecret: gitea-oauth
+      autoDiscoverUrl: "https://auth.dogar.dev/application/o/gitea/.well-known/openid-configuration"
+      iconUrl: "https://goauthentik.io/img/icon.png"
+      scopes: "email profile"
   additionalConfigFromEnvs:
     - name: GITEA__DATABASE__PASSWD
       valueFrom:

helm/values/nginx-internal.values.yaml

@@ -6,9 +6,6 @@ controller:
     controllerValue: "k8s.io/ingress-nginx"
     parameters: {}
   ingressClass: nginx-internal
-  service:
-    annotations:
-      external-dns.alpha.kubernetes.io/hostname: "postgres.home,postgres.dogar.dev"
 tcp:
   22:   "gitea-system/gitea-ssh:22"
   5432: "postgres-system/postgres-cluster-rw:5432"

helm/values/pihole.values.yaml

@@ -10,7 +10,7 @@ admin:
 persistentVolumeClaim:
   enabled: true
   accessModes:
-    - ReadWriteMany
+    - ReadWriteOnce
 ingress:
   enabled: true
   annotations:
@@ -35,7 +35,6 @@ serviceDns:
   annotations:
     metallb.universe.tf/allow-shared-ip: pihole-svc
   type: LoadBalancer
-replicaCount: 3
 podAnnotations:
   prometheus.io/scrape: "true"
   prometheus.io/port: "9617"

helm/values/prometheus.values.yaml

@@ -1,10 +1,16 @@
 grafana:
   enabled: true
+  service:
+    type: LoadBalancer
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: grafana.dogar.dev
   ingress:
     enabled: true
     ingressClassName: nginx-internal
     annotations:
       cert-manager.io/cluster-issuer: cloudflare-issuer
+      cert-manager.io/private-key-algorithm: ED25519
+      cert-manager.io/acme-challenge-type: dns01
     hosts:
       - grafana.dogar.dev
     tls:

helm/values/redis.values.yaml

@@ -0,0 +1,23 @@
+architecture: standalone
+
+auth:
+  enabled: true
+  sentinel: true
+  existingSecret: redis
+  existingSecretPasswordKey: password
+
+master:
+  persistence:
+    enabled: false
+  service:
+    type: LoadBalancer
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: redis.dogar.dev
+
+replica:
+  replicaCount: 0
+  persistence:
+    enabled: false
+
+sentinel:
+  enabled: false