Deploy Authentik identity provider (C2 Mikado) #227

eblume merged 23 commits from feature/deploy-authentik into main 2026-02-20 12:56:00 -08:00
9 changed files with 295 additions and 0 deletions

Add Authentik deployment manifests and ArgoCD app

Server, worker, Redis deployments targeting ringtail k3s cluster.
ExternalSecret pulls config from 1Password "Authentik (blumeops)".
Tailscale Ingress exposes at authentik.tail8d86e.ts.net.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-20 10:51:38 -08:00


@ -0,0 +1,18 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: authentik
namespace: argocd
spec:
project: default
source:
repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
targetRevision: main
path: argocd/manifests/authentik
destination:
server: https://ringtail.tail8d86e.ts.net:6443
namespace: authentik
syncPolicy:
syncOptions:
- CreateNamespace=true


@ -0,0 +1,31 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: authentik-redis
namespace: authentik
spec:
replicas: 1
selector:
matchLabels:
app: authentik
component: redis
template:
metadata:
labels:
app: authentik
component: redis
spec:
containers:
- name: redis
image: docker.io/library/redis:7-alpine
ports:
- name: redis
containerPort: 6379
resources:
requests:
memory: "64Mi"
cpu: "25m"
limits:
memory: "128Mi"
cpu: "100m"
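Review bot: The Redis container is started with no `--requirepass` and no `securityContext`, and the server and worker sections set only `AUTHENTIK_REDIS__HOST` with no `AUTHENTIK_REDIS__PASSWORD`, so this instance accepts unauthenticated connections from any pod that can reach `authentik-redis:6379`; nothing in the commit adds a NetworkPolicy to narrow that. Authentik keeps session/cache state here, so I would either source a password into both sides (e.g. `args: ["--requirepass", "$(REDIS_PASSWORD)"]` with `REDIS_PASSWORD` from a `secretKeyRef`, plus the matching `AUTHENTIK_REDIS__PASSWORD` env on server and worker) or add a NetworkPolicy that limits ingress on 6379 to pods labelled `app: authentik`. A container `securityContext` (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`) is also missing here, as on the server and worker deployments; the official `redis:7-alpine` image runs as root by default, so `runAsUser` would need to be set explicitly — confirm against the image.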


@ -0,0 +1,79 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: authentik-server
namespace: authentik
spec:
replicas: 1
selector:
matchLabels:
app: authentik
component: server
template:
metadata:
labels:
app: authentik
component: server
spec:
containers:
- name: server
image: registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix
args: ["server"]
ports:
- name: http
containerPort: 9000
- name: https
containerPort: 9443
env:
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-config
key: secret-key
- name: AUTHENTIK_POSTGRESQL__HOST
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-host
- name: AUTHENTIK_POSTGRESQL__PORT
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-port
- name: AUTHENTIK_POSTGRESQL__NAME
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-name
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-user
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-password
- name: AUTHENTIK_REDIS__HOST
value: authentik-redis
livenessProbe:
httpGet:
path: /-/health/live/
port: 9000
initialDelaySeconds: 30
periodSeconds: 30
readinessProbe:
httpGet:
path: /-/health/ready/
port: 9000
initialDelaySeconds: 15
periodSeconds: 10
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "1Gi"
cpu: "1000m"
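Review bot: The pod template under `template.spec` has no `securityContext` and leaves the default service-account token mounted, so the server runs with whatever user the image defaults to, may escalate privileges, and carries Kubernetes API credentials it does not need; the worker deployment in the next section has the same gap. I would add `automountServiceAccountToken: false` at the pod level and a container `securityContext` as below (`runAsNonRoot: true` assumes the `v1.0.0-nix` image's default user is non-root — confirm for that build, or set `runAsUser` explicitly). For the worker, keep the service-account token only if the Kubernetes outpost integration is in use, since that is the component that talks to the API. The container also exposes `https` 9443 that no Service or Ingress in this commit references; drop it or document why it is kept.
```yaml
    spec:
      automountServiceAccountToken: false
      containers:
        - name: server
          # … unchanged: image, args, ports, env, probes, resources …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```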


@ -0,0 +1,62 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: authentik-worker
namespace: authentik
spec:
replicas: 1
selector:
matchLabels:
app: authentik
component: worker
template:
metadata:
labels:
app: authentik
component: worker
spec:
containers:
- name: worker
image: registry.ops.eblu.me/blumeops/authentik:v1.0.0-nix
args: ["worker"]
env:
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-config
key: secret-key
- name: AUTHENTIK_POSTGRESQL__HOST
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-host
- name: AUTHENTIK_POSTGRESQL__PORT
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-port
- name: AUTHENTIK_POSTGRESQL__NAME
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-name
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-user
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-password
- name: AUTHENTIK_REDIS__HOST
value: authentik-redis
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "1Gi"
cpu: "1000m"
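Review bot: The worker container has no `livenessProbe` or `readinessProbe`, unlike the server deployment, so a hung worker (which runs the background tasks and outposts for Authentik) will not be restarted. The worker does not serve HTTP, so an exec probe is the usual form; the upstream Helm chart uses `exec: { command: ["ak", "healthcheck"] }` for this — confirm that subcommand is present in the `-nix` image before relying on it. I would add `livenessProbe: { exec: { command: ["ak", "healthcheck"] }, initialDelaySeconds: 30, periodSeconds: 30 }` after the `env` list, mirroring the server's timings.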


@ -0,0 +1,39 @@
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authentik-config
namespace: authentik
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-blumeops
target:
name: authentik-config
creationPolicy: Owner
data:
- secretKey: secret-key
remoteRef:
key: "Authentik (blumeops)"
property: secret-key
- secretKey: postgresql-host
remoteRef:
key: "Authentik (blumeops)"
property: postgresql-host
- secretKey: postgresql-port
remoteRef:
key: "Authentik (blumeops)"
property: postgresql-port
- secretKey: postgresql-name
remoteRef:
key: "Authentik (blumeops)"
property: postgresql-name
- secretKey: postgresql-user
remoteRef:
key: "Authentik (blumeops)"
property: postgresql-user
- secretKey: postgresql-password
remoteRef:
key: "Authentik (blumeops)"
property: postgresql-password
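Review bot: The `refreshInterval: 1h` here will rewrite the `authentik-config` Secret when a value changes in 1Password, but the server and worker consume every key through `valueFrom.secretKeyRef` env vars, which are read only at container start, so a rotated database password or `secret-key` silently does not reach the running pods until they are restarted. That is easy to forget during an incident-driven rotation, and rotating `secret-key` in particular will invalidate existing Authentik sessions, so the restart is not free. At minimum document it on the resource: `# Consumed as env vars by deployment-server/worker; a rotated value only takes effect after a rollout restart of both.` A rollout trigger keyed on the Secret's content would close the gap, but that needs tooling this commit does not introduce.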


@ -0,0 +1,26 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: authentik-tailscale
namespace: authentik
annotations:
tailscale.com/proxy-class: "default"
tailscale.com/proxy-group: "ingress"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Authentik"
gethomepage.dev/group: "Infrastructure"
gethomepage.dev/icon: "authentik"
gethomepage.dev/description: "Identity provider (SSO)"
gethomepage.dev/href: "https://authentik.ops.eblu.me"
gethomepage.dev/pod-selector: "app=authentik"
spec:
ingressClassName: tailscale
defaultBackend:
service:
name: authentik
port:
number: 9000
tls:
- hosts:
- authentik
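Review bot: The `gethomepage.dev/href` annotation points at `https://authentik.ops.eblu.me`, but this Ingress publishes the `authentik` tailnet host (the commit message gives `authentik.tail8d86e.ts.net`) and nothing else in the commit configures an `authentik.ops.eblu.me` route, so the dashboard link will go to a hostname that this change does not serve. If that name is served by another ingress outside this PR, a comment saying so would help; otherwise set `gethomepage.dev/href: "https://authentik.tail8d86e.ts.net"` to match `tls.hosts`. The backend is plain HTTP on 9000 behind the Tailscale proxy, which is fine as long as Authentik's trusted-proxy setting covers the proxy pod's address range — worth a comment here since the default trusted CIDRs are what makes forwarded-client-IP logging correct.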


@ -0,0 +1,12 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: authentik
resources:
- external-secret.yaml
- deployment-server.yaml
- deployment-worker.yaml
- deployment-redis.yaml
- service.yaml
- service-redis.yaml
- ingress-tailscale.yaml


@ -0,0 +1,14 @@
---
apiVersion: v1
kind: Service
metadata:
name: authentik-redis
namespace: authentik
spec:
selector:
app: authentik
component: redis
ports:
- name: redis
port: 6379
targetPort: 6379


@ -0,0 +1,14 @@
---
apiVersion: v1
kind: Service
metadata:
name: authentik
namespace: authentik
spec:
selector:
app: authentik
component: server
ports:
- name: http
port: 9000
targetPort: 9000