diff --git a/namespaces/auth/authentik/kustomization.yaml b/namespaces/auth/authentik/kustomization.yaml
new file mode 100644
index 0000000..475a3f0
--- /dev/null
+++ b/namespaces/auth/authentik/kustomization.yaml
@@ -0,0 +1,112 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+transformers:
+ - |-
+ apiVersion: builtin
+ kind: NamespaceTransformer
+ metadata:
+ name: notImportantHere
+ namespace: auth
+ unsetOnly: true
+
+namePrefix: authentik-
+resources:
+ - ../../../kustomize/helmchart
+
+patches:
+ - path: patches/chart.yaml
+ target:
+ kind: HelmChart
+ name: chart
+ # - path: patches/httproute.yaml
+ # target:
+ # kind: HTTPRoute
+
+labels:
+ - includeSelectors: true
+ pairs:
+ app.kubernetes.io/appName: authentik
+ - pairs:
+ app.kubernetes.io/appNamespace: auth
+ - pairs:
+ app.kubernetes.io/chartServiceName: authentik-chart-server
+ - pairs:
+ app.kubernetes.io/routePrefix: auth
+
+replacements:
+ # Update secrets
+ - source:
+ kind: HelmChart
+ name: chart
+ fieldPath: metadata.labels.[app.kubernetes.io/appName]
+ targets:
+ - select:
+ kind: InfisicalSecret
+ options:
+ create: true
+ delimiter: "-"
+ index: 0
+ fieldPaths:
+ - spec.managedSecretReference.secretName
+ - select:
+ kind: InfisicalSecret
+ options:
+ create: true
+ delimiter: "/"
+ index: 2
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+ - source:
+ kind: HelmChart
+ name: chart
+ fieldPath: metadata.labels.[app.kubernetes.io/appNamespace]
+ targets:
+ - select:
+ kind: InfisicalSecret
+ options:
+ create: true
+ delimiter: "/"
+ index: 1
+ fieldPaths:
+ - spec.authentication.universalAuth.secretsScope.secretsPath
+ - select:
+ kind: InfisicalSecret
+ fieldPaths:
+ - spec.managedSecretReference.secretNamespace
+ # HTTPRoute
+ - source:
+ kind: HelmChart
+ name: chart
+ fieldPath: metadata.labels.[app.kubernetes.io/appName]
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ delimiter: "."
+ index: 0
+ fieldPaths:
+ - spec.hostnames.0
+ - source:
+ kind: HelmChart
+ name: chart
+ fieldPath: metadata.labels.[app.kubernetes.io/chartServiceName]
+ targets:
+ - select:
+ kind: HTTPRoute
+ fieldPaths:
+ - spec.rules.0.backendRefs.0.name
+ - source:
+ kind: HTTPRoute
+ name: http
+ fieldPath: metadata.labels.[app.kubernetes.io/routePrefix]
+ targets:
+ - select:
+ kind: HTTPRoute
+ options:
+ create: true
+ delimiter: "."
+ index: 0
+ fieldPaths:
+ - spec.hostnames.0
diff --git a/namespaces/auth/authentik/patches/chart.yaml b/namespaces/auth/authentik/patches/chart.yaml
new file mode 100644
index 0000000..2fd31c8
--- /dev/null
+++ b/namespaces/auth/authentik/patches/chart.yaml
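Review bot: The `patches/httproute.yaml` file added in this same commit is never applied, because its entry here is commented out (`# - path: patches/httproute.yaml` / `# target:` / `# kind: HTTPRoute`), while the `replacements` block still rewrites `spec.hostnames.0` and `spec.rules.0.backendRefs.0.name` on whichever HTTPRoute the `../../../kustomize/helmchart` base provides; either restore the three lines or drop the file so the tree does not carry a route definition that differs from what is deployed. Separately, two replacements write the same field with the same options — the `appName` source and the `routePrefix` source both target `spec.hostnames.0` with `delimiter: "."` and `index: 0` — so, replacements being applied in order, the `routePrefix` one overwrites the `appName` one and the earlier entry is dead; if that is deliberate, a comment such as `# routePrefix wins over appName for the host label` above the last replacement would save the next reader the trace. The transformer's `metadata.name: notImportantHere` is required by kustomize but reads as a placeholder; a name describing the effect, e.g. `name: default-namespace-auth`, costs nothing.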
@@ -0,0 +1,66 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: chart
+spec:
+ chart: authentik
+ repo: https://charts.goauthentik.io
+ targetNamespace: auth
+ createNamespace: true
+ valuesContent: |-
+ authentik:
+ secret_key: "file:///auth-secrets/SECRET-KEY"
+ postgresql:
+ host: postgres-svc.core.svc.cluster.local
+ port: 5432
+ user: authentik # Using default directly
+ password: file:///auth-secrets/DB-PASSWORD
+ database: authentik
+ redis:
+ host: redis-svc.core.svc.cluster.local
+ db: 15
+ email:
+ from: homelab@leechpepin.com
+ host: blizzard.mxrouting.net
+ port: 465
+ use_ssl: true
+ username: homelab@leechpepin.com
+ password: file:///smtp-secrets/SMTP_PASSWORD
+
+ postgresql:
+ enabled: false
+ redis:
+ enabled: false
+
+ server:
+ service:
+ type: NodePort
+ volumes:
+ - name: auth-secrets
+ secret:
+ secretName: authentik-secrets
+ - name: smtp-secrets
+ secret:
+ secretName: smtp-secrets
+ volumeMounts:
+ - name: auth-secrets
+ mountPath: /auth-secrets
+ readOnly: true
+ - name: smtp-secrets
+ mountPath: /smtp-secrets
+ readOnly: true
+ worker:
+ volumes:
+ - name: auth-secrets
+ secret:
+ secretName: authentik-secrets
+ - name: smtp-secrets
+ secret:
+ secretName: smtp-secrets
+ volumeMounts:
+ - name: auth-secrets
+ mountPath: /auth-secrets
+ readOnly: true
+ - name: smtp-secrets
+ mountPath: /smtp-secrets
+ readOnly: true
diff --git a/namespaces/auth/authentik/patches/httproute.yaml b/namespaces/auth/authentik/patches/httproute.yaml
new file mode 100644
index 0000000..7f05eb0
--- /dev/null
+++ b/namespaces/auth/authentik/patches/httproute.yaml
@@ -0,0 +1,16 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http
+spec:
+ rules:
+ - backendRefs:
+ - name: authentik-chart-server
+ port: 80
+ namespace: auth
+ filters:
+ - requestHeaderModifier:
+ set:
+ - name: X-Forwarded-Proto
+ value: https
+ type: RequestHeaderModifier
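Review bot: `server.service.type: NodePort` in `valuesContent` publishes the authentik server on a port of every node, reachable without going through the gateway, so the `X-Forwarded-Proto: https` header and any TLS termination on the HTTPRoute path do not apply to that entry point; if the route is the intended way in, `type: ClusterIP` is enough, since the HTTPRoute's backendRef reaches the service in-cluster, and the node port then stops being an unauthenticated plain-HTTP side door. The three `file://` references are quoted inconsistently — `secret_key: "file:///auth-secrets/SECRET-KEY"` versus `password: file:///auth-secrets/DB-PASSWORD` and `password: file:///smtp-secrets/SMTP_PASSWORD`; all parse as strings, but quoting them the same way makes the convention visible. `createNamespace: true` together with `targetNamespace: auth` presumably overlaps with the `namespace.yaml` listed in the parent kustomization; harmless, but a one-line comment saying which of the two owns the namespace would avoid the question later.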
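Review bot: The `requestHeaderModifier` sets `X-Forwarded-Proto: https` unconditionally, which tells authentik the client connection was TLS on whichever listener this route is attached to; that is only correct if the gateway terminates TLS on every listener the route binds to, and the patch carries no `parentRefs` or `hostnames` that would show this (presumably they come from the base HTTPRoute, since this file is a merge patch). A comment above the filter, `# Gateway terminates TLS on all bound listeners; forward the original scheme`, would record the assumption so a later HTTP-only listener does not silently get marked secure. `backendRefs` also pins `port: 80` and `namespace: auth`; a cross-namespace backendRef needs a ReferenceGrant unless route and service share the namespace, which the `namespace` field alone does not establish here.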
diff --git a/namespaces/auth/kustomization.yaml b/namespaces/auth/kustomization.yaml
new file mode 100644
index 0000000..8a3ef68
--- /dev/null
+++ b/namespaces/auth/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - namespace.yaml
+ - smtp-secrets.yaml
+ - authentik/
diff --git a/namespaces/auth/smtp-secrets.yaml b/namespaces/auth/smtp-secrets.yaml
new file mode 100644
index 0000000..5885ff3
--- /dev/null
+++ b/namespaces/auth/smtp-secrets.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+ name: smtp-secrets-auth
+ namespace: infisical
+ labels:
+ label-to-be-passed-to-managed-secret: homelab
+ annotations:
+ example.com/annotation-to-be-passed-to-managed-secret: "homelab"
+spec:
+ hostAPI: https://app.infisical.com/api
+ resyncInterval: 10
+ authentication:
+ # Universal Auth
+ universalAuth:
+ secretsScope:
+ projectSlug: homelab-n-f-yj
+ envSlug: prod
+ secretsPath: "/" # Root is "/"
+ recursive: false # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+ credentialsRef:
+ secretName: universal-auth-credentials
+ secretNamespace: infisical
+ managedSecretReference:
+ secretName: smtp-secrets
+ secretNamespace: auth
+ creationPolicy: "Orphan" ## Owner | Orphan
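Review bot: `secretsScope.secretsPath: "/"` (with `recursive: false`) syncs every secret at the root of project `homelab-n-f-yj`, environment `prod`, into the managed `smtp-secrets` Secret in `auth`, not only the SMTP credential the authentik chart reads from `/smtp-secrets/SMTP_PASSWORD`; scoping it to a folder holding just those values, e.g. `secretsPath: "/<smtp-folder>"`, keeps the Secret in `auth` limited to what that namespace needs. The `label-to-be-passed-to-managed-secret: homelab` label and `example.com/annotation-to-be-passed-to-managed-secret` annotation read like leftovers from the operator's sample manifest and, going by their names, are copied onto the managed Secret; drop them unless something selects on them. `creationPolicy: "Orphan"` leaves the managed `smtp-secrets` Secret behind if this InfisicalSecret is deleted, which the existing `## Owner | Orphan` note does not say; a comment such as `# Orphan: keep smtp-secrets in auth if this object is removed` would state the intent. This file also opens with `---` while the other new files in the commit do not; pick one convention.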