added authentik app

kisfenyo
2025-12-27 18:57:41 +01:00
parent eeb346a7dc
commit d47aed4906
3 changed files with 255 additions and 0 deletions
+44
@@ -526,3 +526,47 @@ spec:
- CreateNamespace=true - CreateNamespace=true
- PruneLast=true - PruneLast=true
--- ---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: authentik
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
# Using multiple sources: Helm chart + values from git repo
sources:
# Source 1: Helm chart from official repo
- repoURL: https://charts.goauthentik.io
chart: authentik
targetRevision: 2025.10.3
helm:
releaseName: authentik
valueFiles:
- $values/auth-system/authentik-values.yaml
# Source 2: Values file from your git repo
- repoURL: http://gitea.gitea-system.svc.cluster.local:3000/admin/homelab-manifests.git
targetRevision: main
ref: values
destination:
server: https://kubernetes.default.svc
namespace: auth-system
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m
---
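Review bot: The release version is pinned in two places that nothing ties together — `targetRevision: 2025.10.3` on the chart source here and `tag: "2025.10.3"` under `global.image` in the values file of the third section — so a future chart bump that misses the values file would run the new chart against the old server image. Either drop the explicit image tag so the chart's appVersion drives it, or mark the coupling with a comment above `targetRevision`: `# NOTE: keep in sync with global.image.tag in auth-system/authentik-values.yaml`. Separately, the values source is fetched from the in-cluster Gitea over plain `http://` while tracking the unpinned `main` branch with `prune: true` and `selfHeal: true`, which is acceptable only while that service is reachable from inside the cluster alone; this hunk cannot show that. The Application the three context lines at the top of the hunk belong to starts outside it.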
+12
@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: authentik-media
namespace: auth-system
spec:
accessModes:
- ReadWriteMany # RWX needed for server + worker pods
storageClassName: longhorn
resources:
requests:
storage: 2Gi
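Review bot: The claim backs the authentik media directory but carries no prune protection, so if this manifest is ever removed from the repo an automated sync with `prune: true` (which the Application in the first section sets) would delete the PVC and, depending on the StorageClass reclaim policy, its data. Adding `argocd.argoproj.io/sync-options: Prune=false` under a `metadata.annotations` block keeps the claim out of pruning. Which Application delivers this file is not visible here; if it is not the same one as the chart, a `argocd.argoproj.io/sync-wave` annotation (the values file already uses that annotation on the ServiceAccount) would ensure the claim is bound before the server and worker pods reference `authentik-media`.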
+199
@@ -0,0 +1,199 @@
---
# Authentik Helm Chart Custom Values - SHARED POSTGRESQL VERSION
# For dooplex homelab deployment with centralized PostgreSQL
# Version: 2025.10.3
global:
image:
repository: ghcr.io/goauthentik/server
tag: "2025.10.3"
deploymentAnnotations:
reloader.stakater.com/auto: "true" # Auto-reload on secret changes (if using Reloader)
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9300"
# Environment variables for all pods
envFrom:
- secretRef:
name: authentik-secret-key
env:
- name: AUTHENTIK_REDIS__HOST
value: "authentik-redis-master"
# PostgreSQL config for SHARED database
- name: AUTHENTIK_POSTGRESQL__HOST
value: "postgresql.database-system.svc.cluster.local"
- name: AUTHENTIK_POSTGRESQL__NAME
value: "authentik"
- name: AUTHENTIK_POSTGRESQL__USER
value: "authentik"
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-postgresql
key: password
- name: AUTHENTIK_EMAIL__HOST
valueFrom:
secretKeyRef:
name: smtp-credentials
key: host
- name: AUTHENTIK_EMAIL__PORT
valueFrom:
secretKeyRef:
name: smtp-credentials
key: port
- name: AUTHENTIK_EMAIL__USERNAME
valueFrom:
secretKeyRef:
name: smtp-credentials
key: username
- name: AUTHENTIK_EMAIL__PASSWORD
valueFrom:
secretKeyRef:
name: smtp-credentials
key: password
- name: AUTHENTIK_EMAIL__FROM
valueFrom:
secretKeyRef:
name: smtp-credentials
key: from-address
authentik:
# Secret key will come from authentik-secret-key secret via envFrom
secret_key: ""
log_level: info
# PostgreSQL configuration for SHARED database
postgresql:
host: "postgresql.database-system.svc.cluster.local"
name: "authentik"
user: "authentik"
# Password comes from secret via global.env
error_reporting:
enabled: false
server:
enabled: true
name: server
replicas: 1
# Ingress configuration
ingress:
enabled: true
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
external-dns.alpha.kubernetes.io/hostname: "authentik.dooplex.hu"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
hosts:
- host: authentik.dooplex.hu
paths:
- path: /
pathType: Prefix
tls:
- secretName: authentik-tls
hosts:
- authentik.dooplex.hu
# Resource limits
resources:
requests:
cpu: 100m
memory: 512Mi
limits:
memory: 1Gi
# Persistent volume for media files
volumes:
- name: media
persistentVolumeClaim:
claimName: authentik-media
volumeMounts:
- name: media
mountPath: /media
metrics:
enabled: true
serviceMonitor:
enabled: true
interval: 30s
worker:
enabled: true
name: worker
replicas: 1
# Resource limits
resources:
requests:
cpu: 100m
memory: 512Mi
limits:
memory: 1Gi
# Persistent volume for media files (shared with server)
volumes:
- name: media
persistentVolumeClaim:
claimName: authentik-media
volumeMounts:
- name: media
mountPath: /media
metrics:
enabled: true
serviceMonitor:
enabled: true
interval: 30s
# DISABLE bundled PostgreSQL - using shared instance
postgresql:
enabled: false
# Enable bundled Redis (required for Authentik)
redis:
enabled: true
architecture: standalone
auth:
enabled: false # Internal only, no need for auth
master:
persistence:
enabled: true
storageClass: longhorn
size: 1Gi
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
memory: 256Mi
# GeoIP configuration (optional, for geo-blocking features)
geoip:
enabled: false
# To enable later:
# 1. Sign up at https://www.maxmind.com/en/geolite2/signup
# 2. Get accountId and licenseKey
# 3. Uncomment and fill:
# accountId: ""
# licenseKey: ""
# Service Account
serviceAccount:
create: true
annotations:
argocd.argoproj.io/sync-wave: "-1"
# Prometheus metrics
prometheus:
rules:
enabled: false
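Review bot: SMTP credentials are wired in from `smtp-credentials` (username, password, host, port) but neither `AUTHENTIK_EMAIL__USE_TLS` nor `AUTHENTIK_EMAIL__USE_SSL` is set, and authentik defaults both to false, so unless the host and port stored in the secret point at a relay that never needs them the login would be sent over plaintext SMTP; add `- name: AUTHENTIK_EMAIL__USE_TLS` / `value: "true"` next to the other email entries (or the SSL variant, matching the port kept in the secret). Separately, the PostgreSQL host, database name and user appear to be declared twice — as `global.env` entries and again under what the comment labels `authentik.postgresql` — so a later change to one leaves the other stale; keep a single source of truth, with the comment on the survivor stating that the password comes from the `authentik-postgresql` secret. The Redis comment `# Internal only, no need for auth` is not backed by anything in this commit that limits which pods can reach `authentik-redis-master`; a NetworkPolicy, or a comment naming where that restriction lives, would substantiate it.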