Undercloud/k8s-apps
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

.

Browse Source
This commit is contained in:
Gitea Root Administrator
2026-03-29 16:32:45 +00:00
parent 12d894db38
commit 8dd5ab81eb
5 changed files with 278 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

164
authentik/authentik.yaml
View File

@@ -1,18 +1,94 @@
apiVersion: v1
kind: Namespace
metadata:
name: authentik
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: ConfigMap
metadata: metadata:
name: authentik-secrets name: authentik-blueprints
namespace: authentik namespace: authentik
type: Opaque data:
stringData: 10-undercloud-ldap.yaml: |
AUTHENTIK_SECRET_KEY: "replace-with-a-long-random-secret-key" version: 1
POSTGRES_PASSWORD: "replace-with-postgres-password" metadata:
name: Undercloud LDAP Source
entries:
- model: authentik_sources_ldap.ldapsource
identifiers:
slug: ldap
attrs:
name: LDAP
enabled: true
server_uri: ldaps://dc.undercloud.local
base_dn: DC=undercloud,DC=local
bind_cn: !Env LDAP_BIND_DN
bind_password: !Env LDAP_BIND_PASSWORD
additional_user_dn: ""
additional_group_dn: ""
sync_users: true
sync_groups: true
sync_users_password: true
delete_not_found_objects: false
user_matching_mode: identifier
object_uniqueness_field: objectSid
user_object_filter: "(objectClass=person)"
group_object_filter: "(objectClass=group)"
group_membership_field: member
user_membership_attribute: distinguishedName
lookup_groups_from_user: false
start_tls: false
sni: false
user_path_template: goauthentik.io/sources/%(slug)s
20-grafana.yaml: |
version: 1
metadata:
name: Grafana OAuth
entries:
- id: grafana-provider
model: authentik_providers_oauth2.oauth2provider
identifiers:
name: Provider for Grafana
attrs:
name: Provider for Grafana
client_type: confidential
client_id: SI9HboFt4LgJWlMkLn1WBaCoB05tzOh4yxx3n1yM
client_secret: jkornwtUxhDN9cRAktJhcolMywXpqOng9F8b9sVXeYbl7dyrta54LXPYqf24sTFrxHcd76OqM2CPtEVHZFTTuQywe1RwN5Gzax6QgOG41lU24QAxHtSLFym3G2bLZlc8
authorization_flow: !Find [authentik_flows.flow, [slug, "default-provider-authorization-implicit-consent"]]
invalidation_flow: !Find [authentik_flows.flow, [slug, "default-provider-invalidation-flow"]]
redirect_uris:
- matching_mode: strict
url: https://grafana.apps.undercloud.dev/login/generic_oauth
logout_uri: https://grafana.apps.undercloud.dev/logout
logout_method: backchannel
issuer_mode: per_provider
sub_mode: hashed_user_id
include_claims_in_id_token: true
access_code_validity: minutes=1
access_token_validity: minutes=5
refresh_token_threshold: hours=1
refresh_token_validity: days=30
property_mappings:
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, "openid"]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, "profile"]]
- !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
- model: authentik_core.application
identifiers:
slug: grafana
attrs:
name: Grafana
slug: grafana
provider: !KeyOf grafana-provider
launch_url: https://grafana.apps.undercloud.dev
--- ---
apiVersion: v1 apiVersion: v1
@@ -169,7 +245,7 @@ spec:
name: metrics name: metrics
volumeMounts: volumeMounts:
- name: authentik-media - name: authentik-media
mountPath: /media mountPath: /data
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /-/health/ready/ path: /-/health/ready/
@@ -190,7 +266,6 @@ spec:
- name: authentik-media - name: authentik-media
persistentVolumeClaim: persistentVolumeClaim:
claimName: authentik-media claimName: authentik-media
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
@@ -238,13 +313,49 @@ spec:
value: "true" value: "true"
- name: AUTHENTIK_DISABLE_STARTUP_ANALYTICS - name: AUTHENTIK_DISABLE_STARTUP_ANALYTICS
value: "true" value: "true"
- name: LDAP_BIND_DN
valueFrom:
secretKeyRef:
name: authentik-ldap-secrets
key: LDAP_BIND_DN
- name: LDAP_BIND_PASSWORD
valueFrom:
secretKeyRef:
name: authentik-ldap-secrets
key: LDAP_BIND_PASSWORD
- name: AUTHENTIK_BOOTSTRAP_PASSWORD
valueFrom:
secretKeyRef:
name: authentik-bootstrap
key: AUTHENTIK_BOOTSTRAP_PASSWORD
- name: AUTHENTIK_BOOTSTRAP_EMAIL
valueFrom:
secretKeyRef:
name: authentik-bootstrap
key: AUTHENTIK_BOOTSTRAP_EMAIL
- name: AUTHENTIK_BOOTSTRAP_TOKEN
valueFrom:
secretKeyRef:
name: authentik-bootstrap
key: AUTHENTIK_BOOTSTRAP_TOKEN
volumeMounts: volumeMounts:
- name: authentik-media - name: authentik-media
mountPath: /media mountPath: /data
- name: authentik-blueprints
mountPath: /blueprints/10-undercloud-ldap.yaml
subPath: 10-undercloud-ldap.yaml
readOnly: true
volumes: volumes:
- name: authentik-media - name: authentik-media
persistentVolumeClaim: persistentVolumeClaim:
claimName: authentik-media claimName: authentik-media
- name: authentik-blueprints
configMap:
name: authentik-blueprints
--- ---
apiVersion: v1 apiVersion: v1
@@ -261,30 +372,3 @@ spec:
targetPort: 9000 targetPort: 9000
--- ---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: authentik
namespace: authentik
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/proxy-body-size: "16m"
nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
spec:
tls:
- hosts:
- auth.apps.undercloud.dev
secretName: authentik-tls
rules:
- host: auth.apps.undercloud.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: authentik
port:
number: 80

90
authentik/backup.yaml Normal file
View File

@@ -0,0 +1,90 @@
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: bookstack-csi-hourly
namespace: velero
spec:
schedule: "0 15-22 * * *"
useOwnerReferencesInBackup: true
template:
includedNamespaces: ["bookstack"]
ttl: 8h
snapshotVolumes: true
defaultVolumesToFsBackup: false
csiSnapshotTimeout: 10m
---
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: bookstack-csi-daily
namespace: velero
spec:
schedule: "0 0 * * *"
useOwnerReferencesInBackup: true
template:
includedNamespaces: ["bookstack"]
ttl: 168h
snapshotVolumes: true
defaultVolumesToFsBackup: false
csiSnapshotTimeout: 10m
---
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: bookstack-csi-weekly
namespace: velero
spec:
schedule: "0 0 * * 1"
useOwnerReferencesInBackup: true
template:
includedNamespaces: ["bookstack"]
ttl: 730h
snapshotVolumes: true
defaultVolumesToFsBackup: false
csiSnapshotTimeout: 10m
---
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: bookstack-daily
namespace: velero
spec:
schedule: "30 2 * * *" # tous les jours 02:30
useOwnerReferencesInBackup: true
template:
includedNamespaces: [bookstack]
storageLocation: default
ttl: 336h # ~14 jours
snapshotVolumes: false
defaultVolumesToFsBackup: true
---
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: bookstack-weekly
namespace: velero
spec:
schedule: "0 3 * * 0" # chaque dimanche 03:00
useOwnerReferencesInBackup: true
template:
includedNamespaces: [bookstack]
storageLocation: default
ttl: 1344h # ~8 semaines
snapshotVolumes: false
defaultVolumesToFsBackup: true
---
apiVersion: velero.io/v1
kind: Schedule
metadata:
name: bookstack-monthly
namespace: velero
spec:
schedule: "0 4 1 * *" # 1er du mois 04:00
useOwnerReferencesInBackup: true
template:
includedNamespaces: [bookstack]
storageLocation: default
ttl: 8760h # ~12 mois
snapshotVolumes: false
defaultVolumesToFsBackup: true

27
authentik/ingress.yaml Normal file
View File

@@ -0,0 +1,27 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: authentik
namespace: authentik
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt
nginx.ingress.kubernetes.io/proxy-body-size: "16m"
nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
spec:
tls:
- hosts:
- auth.apps.undercloud.dev
secretName: authentik-tls
rules:
- host: auth.apps.undercloud.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: authentik
port:
number: 80

6
authentik/namespace.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: authentik
---

31
authentik/secrets.yaml Normal file
View File

@@ -0,0 +1,31 @@
apiVersion: v1
kind: Secret
metadata:
name: authentik-secrets
namespace: authentik
type: Opaque
stringData:
AUTHENTIK_SECRET_KEY: "replace-with-a-long-random-secret-key"
POSTGRES_PASSWORD: "replace-with-postgres-password"
---
apiVersion: v1
kind: Secret
metadata:
name: authentik-ldap-secrets
namespace: authentik
type: Opaque
stringData:
LDAP_BIND_DN: "CN=authentik,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local"
LDAP_BIND_PASSWORD: "thisismysecureLDAPPWauthentik"
---
apiVersion: v1
kind: Secret
metadata:
name: authentik-bootstrap
namespace: authentik
type: Opaque
stringData:
AUTHENTIK_BOOTSTRAP_PASSWORD: "4IsTheMindKiller"
AUTHENTIK_BOOTSTRAP_EMAIL: "thrawn235@gmail.com"
AUTHENTIK_BOOTSTRAP_TOKEN: "REPLACE_WITH_LONG_RANDOM_TOKENdsg;akhgkl;has;s#$%"