feat: Bootstrap Authentik

infrastructure/terraform/authentik/main.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2024.2.0"
+    }
+  }
+}
+
+module "onepassword_authentik" {
+  source = "github.com/bjw-s/terraform-1password-item?ref=main"
+  vault  = "Kubernetes"
+  item   = "authentik"
+}
+
+
+provider "authentik" {
+  url   = "https://sso.${var.cluster_domain}"
+  token = module.onepassword_authentik.fields.BOOTSTRAP_TOKEN
+}

infrastructure/terraform/minio/bucket-authentik.tf

@@ -0,0 +1,8 @@
+module "onepassword_minio_bucket_authentik" {
+  source        = "./modules/onepassword_minio_bucket"
+  vault         = "Kubernetes"
+  password_item = "authentik"
+  providers = {
+    minio = minio.atlas
+  }
+}

kubernetes/main/apps/security/authentik/app/authentik-secret.yaml

@@ -0,0 +1,67 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: &name authentik-secret
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: *name
+    creationPolicy: Owner
+    deletionPolicy: "Delete"
+    template:
+      engineVersion: v2
+      data:
+        AUTHENTIK_POSTGRESQL__HOST: &dbhost "postgres-rw.dbms"
+        AUTHENTIK_POSTGRESQL__NAME: &dbname "authentik"
+        AUTHENTIK_POSTGRESQL__USER: &dbuser "authentik"
+        AUTHENTIK_POSTGRESQL__PASSWORD: &dbpass "{{ .authentik_POSTGRESQL_PASSWORD }}"
+        AUTHENTIK_REDIS__DB: "1"
+
+        AUTHENTIK_STORAGE__MEDIA__BACKEND: "s3"
+        AUTHENTIK_STORAGE__MEDIA__S3__ACCESS_KEY: "{{ .authentik_AWS_ACCESS_KEY_ID }}"
+        AUTHENTIK_STORAGE__MEDIA__S3__SECRET_KEY: "{{ .authentik_AWS_SECRET_ACCESS_KEY }}"
+        AUTHENTIK_STORAGE__MEDIA__S3__BUCKET_NAME: "{{ .authentik_AWS_BUCKET_NAME }}"
+        AUTHENTIK_STORAGE__MEDIA__S3__REGION: "{{ .authentik_AWS_REGION }}"
+        AUTHENTIK_STORAGE__MEDIA__S3__ENDPOINT: "{{ .authentik_S3_ENDPOINT }}"
+
+        AUTHENTIK_BOOTSTRAP_EMAIL: "{{ .authentik_BOOTSTRAP_EMAIL }}"
+        AUTHENTIK_BOOTSTRAP_PASSWORD: "{{ .authentik_BOOTSTRAP_PASSWORD }}"
+        AUTHENTIK_BOOTSTRAP_TOKEN: "{{ .authentik_BOOTSTRAP_TOKEN }}"
+        AUTHENTIK_SECRET_KEY: "{{ .authentik_SECRET_KEY }}"
+
+        AUTHENTIK_EMAIL__HOST: "{{ .email_EMAIL_SMTP_HOST }}"
+        AUTHENTIK_EMAIL__PORT: "{{ .email_EMAIL_SMTP_PORT }}"
+        AUTHENTIK_EMAIL__USERNAME: "{{ .authentik_EMAIL_USER }}"
+        AUTHENTIK_EMAIL__PASSWORD: "{{ .authentik_EMAIL_PASSWORD }}"
+        AUTHENTIK_EMAIL__USE_TLS: "true"
+        AUTHENTIK_EMAIL__FROM: "{{ .authentik_EMAIL_USER }}"
+
+        INIT_POSTGRES_HOST: *dbhost
+        INIT_POSTGRES_DBNAME: *dbname
+        INIT_POSTGRES_USER: *dbuser
+        INIT_POSTGRES_PASS: *dbpass
+        INIT_POSTGRES_SUPER_USER: "{{ .cnpg_POSTGRES_SUPER_USER }}"
+        INIT_POSTGRES_SUPER_PASS: "{{ .cnpg_POSTGRES_SUPER_PASS }}"
+  dataFrom:
+    - extract:
+        key: authentik
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "authentik_$1"
+    - extract:
+        key: cloudnative-pg-superuser
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "cnpg_$1"
+    - extract:
+        key: email-service
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "email_$1"

kubernetes/main/apps/security/authentik/app/helm-release.yaml

@@ -0,0 +1,58 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: authentik
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: authentik
+      version: 2024.2.2
+      sourceRef:
+        kind: HelmRepository
+        name: authentik-charts
+        namespace: flux-system
+      interval: 5m
+  values:
+    global:
+      podAnnotations:
+        reloader.stakater.com/auto: "true"
+      deploymentStrategy:
+        type: RollingUpdate
+      envFrom:
+        - secretRef:
+            name: &secrets authentik-secret
+    authentik:
+      redis:
+        host: dragonfly.dbms.svc.cluster.local
+    server:
+      initContainers:
+        init-db:
+          image:
+            repository: ghcr.io/onedr0p/postgres-init
+            tag: 16.2
+            pullPolicy: IfNotPresent
+          envFrom:
+            - secretRef:
+                name: *secrets
+      autoscaling:
+        enabled: true
+        minReplicas: 2
+      metrics:
+        prometheus:
+          serviceMonitor:
+            enabled: true
+      ingress:
+        enabled: true
+        ingressClassName: nginx
+        annotations:
+          ingress.home.arpa/type: external
+        hosts:
+          - sso.${SECRET_DOMAIN_NAME}
+        https: false
+    worker:
+      autoscaling:
+        enabled: true
+        minReplicas: 2

kubernetes/main/apps/security/authentik/app/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - authentik-secret.yaml
+  - helm-release.yaml

kubernetes/main/apps/security/authentik/install.yaml

@@ -0,0 +1,25 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.zinn.ca/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: security-authentik
+  namespace: flux-system
+spec:
+  targetNamespace: security
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: &app authentik
+  path: ./kubernetes/main/apps/security/authentik/app
+  sourceRef:
+    kind: GitRepository
+    name: homelab-kubernetes
+  dependsOn:
+    - name: dbms-cloudnative-pg
+    - name: dbms-dragonfly-cluster
+    - name: security-external-secrets-stores
+  prune: true
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/main/apps/security/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 resources:
   - namespace.yaml
   - authelia/install.yaml
+  - authentik/install.yaml
   - dmarc-report/install.yaml
   - external-secrets/install.yaml
   - lldap/install.yaml

kubernetes/main/cluster/repositories/helm-charts/authentik-charts.yaml

@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://lds-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: authentik-charts
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: https://charts.goauthentik.io
+  timeout: 3m

kubernetes/main/cluster/repositories/helm-charts/kustomization.yaml

@@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - actions-runner-controller-charts.yaml
+  - authentik-charts.yaml
   - bitnami-charts.yaml
   - backube-charts.yaml
   - bjw-s-charts.yaml