mirror of
https://github.com/zoriya/snow.git
synced 2025-12-05 23:06:23 +00:00
118 lines
3.3 KiB
YAML
118 lines
3.3 KiB
YAML
apiVersion: argoproj.io/v1alpha1
|
|
kind: Application
|
|
metadata:
|
|
name: authentik
|
|
namespace: argocd
|
|
spec:
|
|
project: default
|
|
destination:
|
|
server: https://kubernetes.default.svc
|
|
namespace: authentik
|
|
syncPolicy:
|
|
automated:
|
|
prune: true
|
|
selfHeal: true
|
|
syncOptions:
|
|
- CreateNamespace=true
|
|
source:
|
|
repoURL: https://charts.goauthentik.io
|
|
chart: authentik
|
|
targetRevision: 2025.10.2
|
|
helm:
|
|
valuesObject:
|
|
authentik:
|
|
postgresql:
|
|
host: postgres-cluster-rw.postgres
|
|
|
|
global:
|
|
env:
|
|
- name: AUTHENTIK_SECRET_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: secret-key
|
|
key: password
|
|
- name: AUTHENTIK_STORAGE__MEDIA__BACKEND
|
|
value: s3
|
|
# TODO: configure s3
|
|
|
|
- name: AUTHENTIK_POSTGRESQL__SSLMODE
|
|
value: verify-full
|
|
- name: AUTHENTIK_POSTGRESQL__SSLCERT
|
|
value: /var/postgres-ssl/tls.crt
|
|
- name: AUTHENTIK_POSTGRESQL__SSLKEY
|
|
value: /var/postgres-ssl/tls.key
|
|
- name: AUTHENTIK_POSTGRESQL__SSLROOTCERT
|
|
value: /var/postgres-ssl/ca.crt
|
|
volumeMounts:
|
|
- name: postgres-cert
|
|
mountPath: /var/postgres-ssl
|
|
volumes:
|
|
- name: postgres-cert
|
|
secret:
|
|
defaultMode: 0640
|
|
secretName: postgres-authentik
|
|
securityContext:
|
|
fsGroup: 1001
|
|
runAsUser: 1001
|
|
|
|
server:
|
|
ingress:
|
|
enabled: true
|
|
ingressClassName: cilium
|
|
hosts:
|
|
- authentik.sdg.moe
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt
|
|
acme.cert-manager.io/http01-edit-in-place: "true"
|
|
tls:
|
|
- secretName: authentik-tls
|
|
hosts:
|
|
- authentik.sdg.moe
|
|
|
|
redis:
|
|
enabled: true
|
|
master:
|
|
persistence:
|
|
enabled: false
|
|
|
|
additionalObjects:
|
|
- apiVersion: postgresql.cnpg.io/v1
|
|
kind: Database
|
|
metadata:
|
|
name: authentik-db
|
|
namespace: postgres
|
|
spec:
|
|
name: authentik
|
|
owner: authentik
|
|
cluster:
|
|
name: postgres-cluster
|
|
databaseReclaimPolicy: delete
|
|
|
|
- apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: postgres-authentik
|
|
spec:
|
|
secretName: postgres-authentik
|
|
usages:
|
|
- client auth
|
|
# same as pg user
|
|
commonName: authentik
|
|
issuerRef:
|
|
name: postgres-ca
|
|
kind: ClusterIssuer
|
|
group: cert-manager.io
|
|
|
|
- apiVersion: external-secrets.io/v1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: secret-key
|
|
spec:
|
|
refreshPolicy: CreatedOnce
|
|
dataFrom:
|
|
- sourceRef:
|
|
generatorRef:
|
|
apiVersion: generators.external-secrets.io/v1alpha1
|
|
kind: ClusterGenerator
|
|
name: password
|