From 8016427a3cd1e739988253223bcc1531283c9bbb Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Fri, 20 Feb 2026 10:51:38 -0800
Subject: [PATCH] Add Authentik deployment manifests and ArgoCD app
Server, worker, Redis deployments targeting ringtail k3s cluster. ExternalSecret pulls config from 1Password "Authentik (blumeops)". Tailscale Ingress exposes at authentik.tail8d86e.ts.net.
Co-Authored-By: Claude Opus 4.6
---
argocd/apps/authentik.yaml | 18 +++
.../manifests/authentik/deployment-redis.yaml | 31 ++++
.../authentik/deployment-server.yaml | 79 +++++++++++++++++++
.../authentik/deployment-worker.yaml | 62 +++++++++++++++
.../manifests/authentik/external-secret.yaml | 39 +++++++++
.../authentik/ingress-tailscale.yaml | 26 ++++++
argocd/manifests/authentik/kustomization.yaml | 12 +++
argocd/manifests/authentik/service-redis.yaml | 14 ++++
argocd/manifests/authentik/service.yaml | 14 ++++
9 files changed, 295 insertions(+)
create mode 100644 argocd/apps/authentik.yaml
create mode 100644 argocd/manifests/authentik/deployment-redis.yaml
create mode 100644 argocd/manifests/authentik/deployment-server.yaml
create mode 100644 argocd/manifests/authentik/deployment-worker.yaml
create mode 100644 argocd/manifests/authentik/external-secret.yaml
create mode 100644 argocd/manifests/authentik/ingress-tailscale.yaml
create mode 100644 argocd/manifests/authentik/kustomization.yaml
create mode 100644 argocd/manifests/authentik/service-redis.yaml
create mode 100644 argocd/manifests/authentik/service.yaml
diff --git a/argocd/apps/authentik.yaml b/argocd/apps/authentik.yaml
new file mode 100644
index 0000000..38d6909
--- /dev/null
+++ b/argocd/apps/authentik.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: authentik
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
+ targetRevision: main
+ path: argocd/manifests/authentik
+ destination:
+ server: https://ringtail.tail8d86e.ts.net:6443
+ namespace: authentik
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
diff --git a/argocd/manifests/authentik/deployment-redis.yaml b/argocd/manifests/authentik/deployment-redis.yaml
new file mode 100644
index 0000000..03c5873
--- /dev/null
+++ b/argocd/manifests/authentik/deployment-redis.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: authentik-redis
+ namespace: authentik
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: authentik
+ component: redis
+ template:
+ metadata:
+ labels:
+ app: authentik
+ component: redis
+ spec:
+ containers:
+ - name: redis
+ image: docker.io/library/redis:7-alpine
+ ports:
+ - name: redis
+ containerPort: 6379
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "25m"
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
diff --git a/argocd/manifests/authentik/deployment-server.yaml b/argocd/manifests/authentik/deployment-server.yaml
new file mode 100644
index 0000000..e67392b
--- /dev/null
+++ b/argocd/manifests/authentik/deployment-server.yaml
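Review bot: `spec.project: default` binds this Application to Argo CD's built-in AppProject, which allows any `sourceRepos`, any `destinations` and any cluster-scoped resource kind, so the Application can apply far more than the one repo path and one namespace it actually needs. A dedicated AppProject (for example `blumeops`, name constructed here) whose `sourceRepos` lists only `ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git` and whose `destinations` lists only the ringtail server with namespace `authentik` would bound what a tampered repo or Application spec could deploy; the app then sets `project: blumeops`. `syncPolicy` carries only `syncOptions` and no `automated` block, so the manifests are applied only on a manual sync — if that is intended, a comment such as `# manual sync only: no automated/prune/selfHeal` above `syncPolicy:` saves the next reader from assuming a GitOps auto-sync loop.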
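Review bot: The Redis container runs the image's defaults with no authentication, and service-redis.yaml exposes it on 6379 to every pod in the cluster, so any workload that can reach the `authentik` namespace can read or rewrite Authentik's cache and session state. Either configure a `requirepass` sourced from the ExternalSecret (with the matching `AUTHENTIK_REDIS__PASSWORD` on server and worker) or add a NetworkPolicy that admits ingress to `component: redis` only from pods labelled `app: authentik`. The pod spec also has no `securityContext` — the same gap exists in deployment-server.yaml and deployment-worker.yaml — and `7-alpine` is a floating tag, so a registry-side retag changes what runs without a Git change; pinning a digest and adding the hardening below (an `emptyDir` at `/data` is needed because Redis 7 still snapshots by default and refuses writes when the snapshot fails) applies to all three containers.
```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 999  # the official image's "redis" user; confirm for the digest you pin
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: redis
          image: docker.io/library/redis:7-alpine  # pin: redis:7-alpine@sha256:<DIGEST_PLACEHOLDER>
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: data
              mountPath: /data
          # … unchanged: ports, resources …
      volumes:
        - name: data
          emptyDir: {}
```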
@@ -0,0 +1,79 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: authentik-server
+ namespace: authentik
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: authentik
+ component: server
+ template:
+ metadata:
+ labels:
+ app: authentik
+ component: server
+ spec:
+ containers:
+ - name: server
+ image: registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix
+ args: ["server"]
+ ports:
+ - name: http
+ containerPort: 9000
+ - name: https
+ containerPort: 9443
+ env:
+ - name: AUTHENTIK_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: authentik-config
+ key: secret-key
+ - name: AUTHENTIK_POSTGRESQL__HOST
+ valueFrom:
+ secretKeyRef:
+ name: authentik-config
+ key: postgresql-host
+ - name: AUTHENTIK_POSTGRESQL__PORT
+ valueFrom:
+ secretKeyRef:
+ name: authentik-config
+ key: postgresql-port
+ - name: AUTHENTIK_POSTGRESQL__NAME
+ valueFrom:
+ secretKeyRef:
+ name: authentik-config
+ key: postgresql-name
+ - name: AUTHENTIK_POSTGRESQL__USER
+ valueFrom:
+ secretKeyRef:
+ name: authentik-config
+ key: postgresql-user
+ - name: AUTHENTIK_POSTGRESQL__PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: authentik-config
+ key: postgresql-password
+ - name: AUTHENTIK_REDIS__HOST
+ value: authentik-redis
+ livenessProbe:
+ httpGet:
+ path: /-/health/live/
+ port: 9000
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /-/health/ready/
+ port: 9000
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "100m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
diff --git a/argocd/manifests/authentik/deployment-worker.yaml b/argocd/manifests/authentik/deployment-worker.yaml
new file mode 100644
index 0000000..a1f3952
--- /dev/null
+++ b/argocd/manifests/authentik/deployment-worker.yaml
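Review bot: The six `valueFrom.secretKeyRef` entries under `env:` are repeated verbatim in deployment-worker.yaml, so every key rename has to be made in three files (both Deployments plus external-secret.yaml) and the two containers can silently drift. If the ExternalSecret emitted the Authentik variable names directly (`spec.target.template.data` with keys like `AUTHENTIK_SECRET_KEY`), both containers would shrink to `envFrom: [{secretRef: {name: authentik-config}}]` with only `AUTHENTIK_REDIS__HOST` left in `env:`. Separately, the `https` port 9443 is declared but neither service.yaml nor ingress-tailscale.yaml routes to it and both probes use 9000; drop it or add `# 9443: authentik's own TLS listener, unused behind the Tailscale ingress` so the next reader knows it is deliberate.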
@@ -0,0 +1,62 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: authentik-worker
+ namespace: authentik
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: authentik
+ component: worker
+ template:
+ metadata:
+ labels:
+ app: authentik
+ component: worker
+ spec:
+ containers:
+ - name: worker
+ image: registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix
+ args: ["worker"]
+ env:
+ - name: AUTHENTIK_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: authentik-config
+ key: secret-key
+ - name: AUTHENTIK_POSTGRESQL__HOST
+ valueFrom:
+ secretKeyRef:
+ name: authentik-config
+ key: postgresql-host
+ - name: AUTHENTIK_POSTGRESQL__PORT
+ valueFrom:
+ secretKeyRef:
+ name: authentik-config
+ key: postgresql-port
+ - name: AUTHENTIK_POSTGRESQL__NAME
+ valueFrom:
+ secretKeyRef:
+ name: authentik-config
+ key: postgresql-name
+ - name: AUTHENTIK_POSTGRESQL__USER
+ valueFrom:
+ secretKeyRef:
+ name: authentik-config
+ key: postgresql-user
+ - name: AUTHENTIK_POSTGRESQL__PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: authentik-config
+ key: postgresql-password
+ - name: AUTHENTIK_REDIS__HOST
+ value: authentik-redis
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "100m"
+ limits:
+ memory: "1Gi"
+ cpu: "1000m"
diff --git a/argocd/manifests/authentik/external-secret.yaml b/argocd/manifests/authentik/external-secret.yaml
new file mode 100644
index 0000000..2c17d91
--- /dev/null
+++ b/argocd/manifests/authentik/external-secret.yaml
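Review bot: The worker container has no liveness probe, unlike the server, so a hung worker process keeps its Running status indefinitely and background tasks silently stop. Authentik's upstream compose file health-checks the worker role with `ak healthcheck`; if this `-nix` image ships the `ak` entrypoint, `livenessProbe: {exec: {command: ["ak", "healthcheck"]}, initialDelaySeconds: 60, periodSeconds: 30}` under the container gives the same coverage — confirm the command exists in the custom build before relying on it.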
@@ -0,0 +1,39 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: authentik-config
+ namespace: authentik
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-blumeops
+ target:
+ name: authentik-config
+ creationPolicy: Owner
+ data:
+ - secretKey: secret-key
+ remoteRef:
+ key: "Authentik (blumeops)"
+ property: secret-key
+ - secretKey: postgresql-host
+ remoteRef:
+ key: "Authentik (blumeops)"
+ property: postgresql-host
+ - secretKey: postgresql-port
+ remoteRef:
+ key: "Authentik (blumeops)"
+ property: postgresql-port
+ - secretKey: postgresql-name
+ remoteRef:
+ key: "Authentik (blumeops)"
+ property: postgresql-name
+ - secretKey: postgresql-user
+ remoteRef:
+ key: "Authentik (blumeops)"
+ property: postgresql-user
+ - secretKey: postgresql-password
+ remoteRef:
+ key: "Authentik (blumeops)"
+ property: postgresql-password
diff --git a/argocd/manifests/authentik/ingress-tailscale.yaml b/argocd/manifests/authentik/ingress-tailscale.yaml
new file mode 100644
index 0000000..6d112ba
--- /dev/null
+++ b/argocd/manifests/authentik/ingress-tailscale.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: authentik-tailscale
+ namespace: authentik
+ annotations:
+ tailscale.com/proxy-class: "default"
+ tailscale.com/proxy-group: "ingress"
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/name: "Authentik"
+ gethomepage.dev/group: "Infrastructure"
+ gethomepage.dev/icon: "authentik"
+ gethomepage.dev/description: "Identity provider (SSO)"
+ gethomepage.dev/href: "https://authentik.ops.eblu.me"
+ gethomepage.dev/pod-selector: "app=authentik"
+spec:
+ ingressClassName: tailscale
+ defaultBackend:
+ service:
+ name: authentik
+ port:
+ number: 9000
+ tls:
+ - hosts:
+ - authentik
diff --git a/argocd/manifests/authentik/kustomization.yaml b/argocd/manifests/authentik/kustomization.yaml
new file mode 100644
index 0000000..385ae5b
--- /dev/null
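Review bot: Rotating a field of the 1Password item (above all `postgresql-password` and `secret-key`) refreshes the `authentik-config` Secret within the 1h `refreshInterval`, but deployment-server.yaml and deployment-worker.yaml consume it only through `secretKeyRef` env vars, which are read at container start — running pods keep the old values and nothing in this change triggers a rollout, so a rotation leaves Authentik on stale credentials until someone restarts it. Either document that rotation requires `kubectl rollout restart deployment -n authentik`, or have the Deployments pick up changes (a reload controller annotation, or a hash of the Secret in the pod template). All six entries also read the same item, so a typo in the item name fails the whole Secret and neither Deployment can start; a comment `# every key comes from the single 1Password item "Authentik (blumeops)"` above `data:` makes that coupling visible.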
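Review bot: `gethomepage.dev/href` points at `https://authentik.ops.eblu.me`, while this Ingress (`ingressClassName: tailscale`, `tls.hosts: [authentik]`) publishes the service as `authentik.tail8d86e.ts.net` according to the commit message; unless `authentik.ops.eblu.me` is a DNS alias to the tailnet name, the dashboard link targets a host nothing in this change serves. Either set the href to `"https://authentik.tail8d86e.ts.net"` or add a comment naming the record that resolves `authentik.ops.eblu.me`. Tailscale terminates TLS and forwards to port 9000 unencrypted inside the cluster, which is the usual shape; since the Ingress has no `rules`/`host`, a comment `# defaultBackend is intentional: the Tailscale operator takes the MagicDNS name from tls.hosts` above `defaultBackend:` would spare the next reader from "fixing" it.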
+++ b/argocd/manifests/authentik/kustomization.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: authentik
+resources:
+ - external-secret.yaml
+ - deployment-server.yaml
+ - deployment-worker.yaml
+ - deployment-redis.yaml
+ - service.yaml
+ - service-redis.yaml
+ - ingress-tailscale.yaml
diff --git a/argocd/manifests/authentik/service-redis.yaml b/argocd/manifests/authentik/service-redis.yaml
new file mode 100644
index 0000000..c278e9b
--- /dev/null
+++ b/argocd/manifests/authentik/service-redis.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: authentik-redis
+ namespace: authentik
+spec:
+ selector:
+ app: authentik
+ component: redis
+ ports:
+ - name: redis
+ port: 6379
+ targetPort: 6379
diff --git a/argocd/manifests/authentik/service.yaml b/argocd/manifests/authentik/service.yaml
new file mode 100644
index 0000000..6c15f17
--- /dev/null
+++ b/argocd/manifests/authentik/service.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: authentik
+ namespace: authentik
+spec:
+ selector:
+ app: authentik
+ component: server
+ ports:
+ - name: http
+ port: 9000
+ targetPort: 9000