Add authentik as kustomize

namespaces/auth/authentik/kustomization.yaml

@@ -0,0 +1,112 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+  - |-
+    apiVersion: builtin
+    kind: NamespaceTransformer
+    metadata:
+      name: notImportantHere
+      namespace: auth
+    unsetOnly: true
+
+namePrefix: authentik-
+resources:
+  - ../../../kustomize/helmchart
+
+patches:
+  - path: patches/chart.yaml
+    target:
+      kind: HelmChart
+      name: chart
+  # - path: patches/httproute.yaml
+  #   target:
+  #     kind: HTTPRoute
+
+labels:
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/appName: authentik
+  - pairs:
+      app.kubernetes.io/appNamespace: auth
+  - pairs:
+      app.kubernetes.io/chartServiceName: authentik-chart-server
+  - pairs:
+      app.kubernetes.io/routePrefix: auth
+
+replacements:
+  # Update secrets
+  - source:
+      kind: HelmChart
+      name: chart
+      fieldPath: metadata.labels.[app.kubernetes.io/appName]
+    targets:
+      - select:
+          kind: InfisicalSecret
+        options:
+          create: true
+          delimiter: "-"
+          index: 0
+        fieldPaths:
+          - spec.managedSecretReference.secretName
+      - select:
+          kind: InfisicalSecret
+        options:
+          create: true
+          delimiter: "/"
+          index: 2
+        fieldPaths:
+          - spec.authentication.universalAuth.secretsScope.secretsPath
+  - source:
+      kind: HelmChart
+      name: chart
+      fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+    targets:
+      - select:
+          kind: InfisicalSecret
+        options:
+          create: true
+          delimiter: "/"
+          index: 1
+        fieldPaths:
+          - spec.authentication.universalAuth.secretsScope.secretsPath
+      - select:
+          kind: InfisicalSecret
+        fieldPaths:
+          - spec.managedSecretReference.secretNamespace
+  # HTTPRoute
+  - source:
+      kind: HelmChart
+      name: chart
+      fieldPath: metadata.labels.[app.kubernetes.io/appName]
+    targets:
+      - select:
+          kind: HTTPRoute
+        options:
+          create: true
+          delimiter: "."
+          index: 0
+        fieldPaths:
+          - spec.hostnames.0
+  - source:
+      kind: HelmChart
+      name: chart
+      fieldPath: metadata.labels.[app.kubernetes.io/chartServiceName]
+    targets:
+      - select:
+          kind: HTTPRoute
+        fieldPaths:
+          - spec.rules.0.backendRefs.0.name
+  - source:
+      kind: HTTPRoute
+      name: http
+      fieldPath: metadata.labels.[app.kubernetes.io/routePrefix]
+    targets:
+      - select:
+          kind: HTTPRoute
+        options:
+          create: true
+          delimiter: "."
+          index: 0
+        fieldPaths:
+          - spec.hostnames.0

namespaces/auth/authentik/patches/chart.yaml

@@ -0,0 +1,66 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: chart
+spec:
+  chart: authentik
+  repo: https://charts.goauthentik.io
+  targetNamespace: auth
+  createNamespace: true
+  valuesContent: |-
+    authentik:
+      secret_key: "file:///auth-secrets/SECRET-KEY"
+      postgresql:
+        host: postgres-svc.core.svc.cluster.local
+        port: 5432
+        user: authentik  # Using default directly
+        password: file:///auth-secrets/DB-PASSWORD
+        database: authentik
+      redis:
+        host: redis-svc.core.svc.cluster.local
+        db: 15
+      email:
+        from: homelab@leechpepin.com
+        host: blizzard.mxrouting.net
+        port: 465
+        use_ssl: true
+        username: homelab@leechpepin.com
+        password: file:///smtp-secrets/SMTP_PASSWORD
+
+    postgresql:
+      enabled: false
+    redis:
+      enabled: false
+
+    server:
+      service:
+        type: NodePort
+      volumes:
+        - name: auth-secrets
+          secret:
+            secretName: authentik-secrets
+        - name: smtp-secrets
+          secret:
+            secretName: smtp-secrets
+      volumeMounts:
+        - name: auth-secrets
+          mountPath: /auth-secrets
+          readOnly: true
+        - name: smtp-secrets
+          mountPath: /smtp-secrets
+          readOnly: true
+    worker:
+      volumes:
+        - name: auth-secrets
+          secret:
+            secretName: authentik-secrets
+        - name: smtp-secrets
+          secret:
+            secretName: smtp-secrets
+      volumeMounts:
+        - name: auth-secrets
+          mountPath: /auth-secrets
+          readOnly: true
+        - name: smtp-secrets
+          mountPath: /smtp-secrets
+          readOnly: true

namespaces/auth/authentik/patches/httproute.yaml

@@ -0,0 +1,16 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http
+spec:
+  rules:
+    - backendRefs:
+        - name: authentik-chart-server
+          port: 80
+          namespace: auth
+      filters:
+        - requestHeaderModifier:
+            set:
+              - name: X-Forwarded-Proto
+                value: https
+          type: RequestHeaderModifier

namespaces/auth/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - smtp-secrets.yaml
+  - authentik/

namespaces/auth/smtp-secrets.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+  name: smtp-secrets-auth
+  namespace: infisical
+  labels:
+    label-to-be-passed-to-managed-secret: homelab
+  annotations:
+    example.com/annotation-to-be-passed-to-managed-secret: "homelab"
+spec:
+  hostAPI: https://app.infisical.com/api
+  resyncInterval: 10
+  authentication:
+    # Universal Auth
+    universalAuth:
+      secretsScope:
+        projectSlug: homelab-n-f-yj
+        envSlug: prod
+        secretsPath: "/" # Root is "/"
+        recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+      credentialsRef:
+        secretName: universal-auth-credentials
+        secretNamespace: infisical
+  managedSecretReference:
+    secretName: smtp-secrets
+    secretNamespace: auth
+    creationPolicy: "Orphan" ## Owner | Orphan