diff --git a/argocd-apps/homelab.yaml b/argocd-apps/homelab.yaml index b451155..ebb4935 100644 --- a/argocd-apps/homelab.yaml +++ b/argocd-apps/homelab.yaml @@ -526,3 +526,47 @@ spec: - CreateNamespace=true - PruneLast=true --- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: authentik + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + + # Using multiple sources: Helm chart + values from git repo + sources: + # Source 1: Helm chart from official repo + - repoURL: https://charts.goauthentik.io + chart: authentik + targetRevision: 2025.10.3 + helm: + releaseName: authentik + valueFiles: + - $values/auth-system/authentik-values.yaml + + # Source 2: Values file from your git repo + - repoURL: http://gitea.gitea-system.svc.cluster.local:3000/admin/homelab-manifests.git + targetRevision: main + ref: values + + destination: + server: https://kubernetes.default.svc + namespace: auth-system + + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ServerSideApply=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m +--- diff --git a/auth-system/authentik-pvc.yaml b/auth-system/authentik-pvc.yaml new file mode 100644 index 0000000..fe04f69 --- /dev/null +++ b/auth-system/authentik-pvc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: authentik-media + namespace: auth-system +spec: + accessModes: + - ReadWriteMany # RWX needed for server + worker pods + storageClassName: longhorn + resources: + requests: + storage: 2Gi diff --git a/auth-system/authentik-values.yaml b/auth-system/authentik-values.yaml new file mode 100644 index 0000000..ffa1a51 --- /dev/null +++ b/auth-system/authentik-values.yaml 
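Review bot: The values source `repoURL: http://gitea.gitea-system.svc.cluster.local:3000/admin/homelab-manifests.git` is fetched over plain HTTP, and that file decides which Secrets the pods read and which host the ingress serves; if Gitea terminates TLS in-cluster, switch to `https://` (with the CA registered in Argo CD's repository settings), otherwise record the decision next to the source, e.g. `# Source 2: in-cluster Gitea over plain HTTP; traffic stays on the cluster network`. The chart is pinned to `targetRevision: 2025.10.3` while the values follow `targetRevision: main`, which is the usual GitOps split but means any push to `main` reconfigures an app that has `automated` sync with `prune` and `selfHeal` enabled; a protected branch or a tag for the values repo is the cheap safeguard. The same version string also appears as `global.image.tag` in `auth-system/authentik-values.yaml`, so a chart bump here must be paired with a values change to avoid a chart/image mismatch.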
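Review bot: `auth-system/authentik-pvc.yaml` is added to the repository, but the new Application in `argocd-apps/homelab.yaml` uses that repo only as `ref: values` with no `path`, so nothing visible in this commit syncs the PVC; unless another Application already covers the `auth-system/` directory, the server and worker pods that reference `claimName: authentik-media` will stay Pending. If it is meant to be synced by a different Application, make the ordering explicit with an `argocd.argoproj.io/sync-wave: "-1"` annotation on the PVC or a comment such as `# synced by <other-app placeholder>; must exist before the authentik Application`. `ReadWriteMany` on Longhorn presumably relies on its RWX (share-manager) support being enabled on this cluster — worth a one-line comment beside `storageClassName: longhorn` so the dependency is not rediscovered at first sync.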
@@ -0,0 +1,199 @@ +--- +# Authentik Helm Chart Custom Values - SHARED POSTGRESQL VERSION +# For dooplex homelab deployment with centralized PostgreSQL +# Version: 2025.10.3 + +global: + image: + repository: ghcr.io/goauthentik/server + tag: "2025.10.3" + + deploymentAnnotations: + reloader.stakater.com/auto: "true" # Auto-reload on secret changes (if using Reloader) + + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9300" + + # Environment variables for all pods + envFrom: + - secretRef: + name: authentik-secret-key + + env: + - name: AUTHENTIK_REDIS__HOST + value: "authentik-redis-master" + # PostgreSQL config for SHARED database + - name: AUTHENTIK_POSTGRESQL__HOST + value: "postgresql.database-system.svc.cluster.local" + - name: AUTHENTIK_POSTGRESQL__NAME + value: "authentik" + - name: AUTHENTIK_POSTGRESQL__USER + value: "authentik" + - name: AUTHENTIK_POSTGRESQL__PASSWORD + valueFrom: + secretKeyRef: + name: authentik-postgresql + key: password + - name: AUTHENTIK_EMAIL__HOST + valueFrom: + secretKeyRef: + name: smtp-credentials + key: host + - name: AUTHENTIK_EMAIL__PORT + valueFrom: + secretKeyRef: + name: smtp-credentials + key: port + - name: AUTHENTIK_EMAIL__USERNAME + valueFrom: + secretKeyRef: + name: smtp-credentials + key: username + - name: AUTHENTIK_EMAIL__PASSWORD + valueFrom: + secretKeyRef: + name: smtp-credentials + key: password + - name: AUTHENTIK_EMAIL__FROM + valueFrom: + secretKeyRef: + name: smtp-credentials + key: from-address + +authentik: + # Secret key will come from authentik-secret-key secret via envFrom + secret_key: "" + + log_level: info + + # PostgreSQL configuration for SHARED database + postgresql: + host: "postgresql.database-system.svc.cluster.local" + name: "authentik" + user: "authentik" + # Password comes from secret via global.env + + error_reporting: + enabled: false + +server: + enabled: true + name: server + replicas: 1 + + # Ingress configuration + ingress: + enabled: true + ingressClassName: 
nginx + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" + external-dns.alpha.kubernetes.io/hostname: "authentik.dooplex.hu" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" + hosts: + - host: authentik.dooplex.hu + paths: + - path: / + pathType: Prefix + tls: + - secretName: authentik-tls + hosts: + - authentik.dooplex.hu + + # Resource limits + resources: + requests: + cpu: 100m + memory: 512Mi + limits: + memory: 1Gi + + # Persistent volume for media files + volumes: + - name: media + persistentVolumeClaim: + claimName: authentik-media + + volumeMounts: + - name: media + mountPath: /media + + metrics: + enabled: true + serviceMonitor: + enabled: true + interval: 30s + +worker: + enabled: true + name: worker + replicas: 1 + + # Resource limits + resources: + requests: + cpu: 100m + memory: 512Mi + limits: + memory: 1Gi + + # Persistent volume for media files (shared with server) + volumes: + - name: media + persistentVolumeClaim: + claimName: authentik-media + + volumeMounts: + - name: media + mountPath: /media + + metrics: + enabled: true + serviceMonitor: + enabled: true + interval: 30s + +# DISABLE bundled PostgreSQL - using shared instance +postgresql: + enabled: false + +# Enable bundled Redis (required for Authentik) +redis: + enabled: true + architecture: standalone + auth: + enabled: false # Internal only, no need for auth + master: + persistence: + enabled: true + storageClass: longhorn + size: 1Gi + resources: + requests: + cpu: 50m + memory: 128Mi + limits: + memory: 256Mi + +# GeoIP configuration (optional, for geo-blocking features) +geoip: + enabled: false + # To enable later: + # 1. Sign up at https://www.maxmind.com/en/geolite2/signup + # 2. Get accountId and licenseKey + # 3. 
Uncomment and fill: + # accountId: "" + # licenseKey: "" + +# Service Account +serviceAccount: + create: true + annotations: + argocd.argoproj.io/sync-wave: "-1" + +# Prometheus metrics +prometheus: + rules: + enabled: false
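Review bot: Redis is deployed with `auth.enabled: false` and nothing in this change restricts who can reach `authentik-redis-master`, so any pod in the cluster can read or alter Authentik's session and cache data; the `# Internal only, no need for auth` comment describes the network location, not an access control. Enable `redis.auth` in the chart and hand the password to Authentik via `AUTHENTIK_REDIS__PASSWORD` from a Secret, or at minimum add a NetworkPolicy that limits ingress to the authentik server and worker pods. Separately, `nginx.ingress.kubernetes.io/proxy-body-size: "0"` removes the request-size limit on a publicly resolvable, cert-manager-fronted host; a finite cap such as `"50m"` bounds what an unauthenticated client can send to the server. The `global.env` entries for `AUTHENTIK_POSTGRESQL__HOST`, `__NAME` and `__USER` duplicate `authentik.postgresql.host/name/user`; if the chart also renders env vars from the `authentik:` block, the pod spec will carry the same variable name twice, so keeping only one of the two sources (and noting which in a comment) avoids last-wins surprises.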