Add Authentik deployment manifests and ArgoCD app

Server, worker, Redis deployments targeting ringtail k3s cluster. ExternalSecret pulls config from 1Password "Authentik (blumeops)". Tailscale Ingress exposes at authentik.tail8d86e.ts.net. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-20 10:51:38 -08:00 · 2026-02-20 10:51:38 -08:00 · 8016427a3c
commit 8016427a3c
parent cbf08a7bde
9 changed files with 295 additions and 0 deletions
--- a/argocd/apps/authentik.yaml
+++ b/argocd/apps/authentik.yaml
@ -0,0 +1,18 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: authentik
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
+    targetRevision: main
+    path: argocd/manifests/authentik
+  destination:
+    server: https://ringtail.tail8d86e.ts.net:6443
+    namespace: authentik
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
--- a/argocd/manifests/authentik/deployment-redis.yaml
+++ b/argocd/manifests/authentik/deployment-redis.yaml
@ -0,0 +1,31 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authentik-redis
+  namespace: authentik
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authentik
+      component: redis
+  template:
+    metadata:
+      labels:
+        app: authentik
+        component: redis
+    spec:
+      containers:
+        - name: redis
+          image: docker.io/library/redis:7-alpine
+          ports:
+            - name: redis
+              containerPort: 6379
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "25m"
+            limits:
+              memory: "128Mi"
+              cpu: "100m"
--- a/argocd/manifests/authentik/deployment-server.yaml
+++ b/argocd/manifests/authentik/deployment-server.yaml
@ -0,0 +1,79 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authentik-server
+  namespace: authentik
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authentik
+      component: server
+  template:
+    metadata:
+      labels:
+        app: authentik
+        component: server
+    spec:
+      containers:
+        - name: server
+          image: registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix
+          args: ["server"]
+          ports:
+            - name: http
+              containerPort: 9000
+            - name: https
+              containerPort: 9443
+          env:
+            - name: AUTHENTIK_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: secret-key
+            - name: AUTHENTIK_POSTGRESQL__HOST
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: postgresql-host
+            - name: AUTHENTIK_POSTGRESQL__PORT
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: postgresql-port
+            - name: AUTHENTIK_POSTGRESQL__NAME
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: postgresql-name
+            - name: AUTHENTIK_POSTGRESQL__USER
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: postgresql-user
+            - name: AUTHENTIK_POSTGRESQL__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: postgresql-password
+            - name: AUTHENTIK_REDIS__HOST
+              value: authentik-redis
+          livenessProbe:
+            httpGet:
+              path: /-/health/live/
+              port: 9000
+            initialDelaySeconds: 30
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /-/health/ready/
+              port: 9000
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "100m"
+            limits:
+              memory: "1Gi"
+              cpu: "1000m"
--- a/argocd/manifests/authentik/deployment-worker.yaml
+++ b/argocd/manifests/authentik/deployment-worker.yaml
@ -0,0 +1,62 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authentik-worker
+  namespace: authentik
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authentik
+      component: worker
+  template:
+    metadata:
+      labels:
+        app: authentik
+        component: worker
+    spec:
+      containers:
+        - name: worker
+          image: registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix
+          args: ["worker"]
+          env:
+            - name: AUTHENTIK_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: secret-key
+            - name: AUTHENTIK_POSTGRESQL__HOST
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: postgresql-host
+            - name: AUTHENTIK_POSTGRESQL__PORT
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: postgresql-port
+            - name: AUTHENTIK_POSTGRESQL__NAME
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: postgresql-name
+            - name: AUTHENTIK_POSTGRESQL__USER
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: postgresql-user
+            - name: AUTHENTIK_POSTGRESQL__PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: postgresql-password
+            - name: AUTHENTIK_REDIS__HOST
+              value: authentik-redis
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "100m"
+            limits:
+              memory: "1Gi"
+              cpu: "1000m"
--- a/argocd/manifests/authentik/external-secret.yaml
+++ b/argocd/manifests/authentik/external-secret.yaml
@ -0,0 +1,39 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: authentik-config
+  namespace: authentik
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-blumeops
+  target:
+    name: authentik-config
+    creationPolicy: Owner
+  data:
+    - secretKey: secret-key
+      remoteRef:
+        key: "Authentik (blumeops)"
+        property: secret-key
+    - secretKey: postgresql-host
+      remoteRef:
+        key: "Authentik (blumeops)"
+        property: postgresql-host
+    - secretKey: postgresql-port
+      remoteRef:
+        key: "Authentik (blumeops)"
+        property: postgresql-port
+    - secretKey: postgresql-name
+      remoteRef:
+        key: "Authentik (blumeops)"
+        property: postgresql-name
+    - secretKey: postgresql-user
+      remoteRef:
+        key: "Authentik (blumeops)"
+        property: postgresql-user
+    - secretKey: postgresql-password
+      remoteRef:
+        key: "Authentik (blumeops)"
+        property: postgresql-password
--- a/argocd/manifests/authentik/ingress-tailscale.yaml
+++ b/argocd/manifests/authentik/ingress-tailscale.yaml
@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: authentik-tailscale
+  namespace: authentik
+  annotations:
+    tailscale.com/proxy-class: "default"
+    tailscale.com/proxy-group: "ingress"
+    gethomepage.dev/enabled: "true"
+    gethomepage.dev/name: "Authentik"
+    gethomepage.dev/group: "Infrastructure"
+    gethomepage.dev/icon: "authentik"
+    gethomepage.dev/description: "Identity provider (SSO)"
+    gethomepage.dev/href: "https://authentik.ops.eblu.me"
+    gethomepage.dev/pod-selector: "app=authentik"
+spec:
+  ingressClassName: tailscale
+  defaultBackend:
+    service:
+      name: authentik
+      port:
+        number: 9000
+  tls:
+    - hosts:
+        - authentik
--- a/argocd/manifests/authentik/kustomization.yaml
+++ b/argocd/manifests/authentik/kustomization.yaml
@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: authentik
+resources:
+  - external-secret.yaml
+  - deployment-server.yaml
+  - deployment-worker.yaml
+  - deployment-redis.yaml
+  - service.yaml
+  - service-redis.yaml
+  - ingress-tailscale.yaml
--- a/argocd/manifests/authentik/service-redis.yaml
+++ b/argocd/manifests/authentik/service-redis.yaml
@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: authentik-redis
+  namespace: authentik
+spec:
+  selector:
+    app: authentik
+    component: redis
+  ports:
+    - name: redis
+      port: 6379
+      targetPort: 6379
--- a/argocd/manifests/authentik/service.yaml
+++ b/argocd/manifests/authentik/service.yaml
@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: authentik
+  namespace: authentik
+spec:
+  selector:
+    app: authentik
+    component: server
+  ports:
+    - name: http
+      port: 9000
+      targetPort: 9000