.

authentik/authentik.yaml

@@ -1,18 +1,94 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: authentik
 
 ---
 apiVersion: v1
-kind: Secret
+kind: ConfigMap
 metadata:
-  name: authentik-secrets
+  name: authentik-blueprints
   namespace: authentik
-type: Opaque
-stringData:
-  AUTHENTIK_SECRET_KEY: "replace-with-a-long-random-secret-key"
-  POSTGRES_PASSWORD: "replace-with-postgres-password"
+data:
+  10-undercloud-ldap.yaml: |
+    version: 1
+    metadata:
+      name: Undercloud LDAP Source
+    entries:
+      - model: authentik_sources_ldap.ldapsource
+        identifiers:
+          slug: ldap
+        attrs:
+          name: LDAP
+          enabled: true
+          server_uri: ldaps://dc.undercloud.local
+          base_dn: DC=undercloud,DC=local
+          bind_cn: !Env LDAP_BIND_DN
+          bind_password: !Env LDAP_BIND_PASSWORD
+          additional_user_dn: ""
+          additional_group_dn: ""
+          sync_users: true
+          sync_groups: true
+          sync_users_password: true
+          delete_not_found_objects: false
+          user_matching_mode: identifier
+          object_uniqueness_field: objectSid
+          user_object_filter: "(objectClass=person)"
+          group_object_filter: "(objectClass=group)"
+          group_membership_field: member
+          user_membership_attribute: distinguishedName
+          lookup_groups_from_user: false
+          start_tls: false
+          sni: false
+          user_path_template: goauthentik.io/sources/%(slug)s
+
+  20-grafana.yaml: |
+    version: 1
+    metadata:
+      name: Grafana OAuth
+
+    entries:
+
+      - id: grafana-provider
+        model: authentik_providers_oauth2.oauth2provider
+        identifiers:
+          name: Provider for Grafana
+        attrs:
+          name: Provider for Grafana
+
+          client_type: confidential
+          client_id: SI9HboFt4LgJWlMkLn1WBaCoB05tzOh4yxx3n1yM
+          client_secret: jkornwtUxhDN9cRAktJhcolMywXpqOng9F8b9sVXeYbl7dyrta54LXPYqf24sTFrxHcd76OqM2CPtEVHZFTTuQywe1RwN5Gzax6QgOG41lU24QAxHtSLFym3G2bLZlc8
+
+          authorization_flow: !Find [authentik_flows.flow, [slug, "default-provider-authorization-implicit-consent"]]
+          invalidation_flow: !Find [authentik_flows.flow, [slug, "default-provider-invalidation-flow"]]
+
+          redirect_uris:
+            - matching_mode: strict
+              url: https://grafana.apps.undercloud.dev/login/generic_oauth
+
+          logout_uri: https://grafana.apps.undercloud.dev/logout
+          logout_method: backchannel
+
+          issuer_mode: per_provider
+          sub_mode: hashed_user_id
+          include_claims_in_id_token: true
+
+          access_code_validity: minutes=1
+          access_token_validity: minutes=5
+          refresh_token_threshold: hours=1
+          refresh_token_validity: days=30
+
+          property_mappings:
+            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "openid"]]
+            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "profile"]]
+            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
+
+      - model: authentik_core.application
+        identifiers:
+          slug: grafana
+        attrs:
+          name: Grafana
+          slug: grafana
+          provider: !KeyOf grafana-provider
+          launch_url: https://grafana.apps.undercloud.dev
+
 
 ---
 apiVersion: v1
@@ -169,7 +245,7 @@ spec:
               name: metrics
           volumeMounts:
             - name: authentik-media
-              mountPath: /media
+              mountPath: /data
           readinessProbe:
             httpGet:
               path: /-/health/ready/
@@ -190,7 +266,6 @@ spec:
         - name: authentik-media
           persistentVolumeClaim:
             claimName: authentik-media
-
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -238,13 +313,49 @@ spec:
               value: "true"
             - name: AUTHENTIK_DISABLE_STARTUP_ANALYTICS
               value: "true"
+
+            - name: LDAP_BIND_DN
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-ldap-secrets
+                  key: LDAP_BIND_DN
+            - name: LDAP_BIND_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-ldap-secrets
+                  key: LDAP_BIND_PASSWORD
+
+            - name: AUTHENTIK_BOOTSTRAP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-bootstrap
+                  key: AUTHENTIK_BOOTSTRAP_PASSWORD
+            - name: AUTHENTIK_BOOTSTRAP_EMAIL
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-bootstrap
+                  key: AUTHENTIK_BOOTSTRAP_EMAIL
+            - name: AUTHENTIK_BOOTSTRAP_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-bootstrap
+                  key: AUTHENTIK_BOOTSTRAP_TOKEN
+
           volumeMounts:
             - name: authentik-media
-              mountPath: /media
+              mountPath: /data
+            - name: authentik-blueprints
+              mountPath: /blueprints/10-undercloud-ldap.yaml
+              subPath: 10-undercloud-ldap.yaml
+              readOnly: true
+
       volumes:
         - name: authentik-media
           persistentVolumeClaim:
             claimName: authentik-media
+        - name: authentik-blueprints
+          configMap:
+            name: authentik-blueprints
 
 ---
 apiVersion: v1
@@ -261,30 +372,3 @@ spec:
       targetPort: 9000
 
 ---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: authentik
-  namespace: authentik
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    cert-manager.io/cluster-issuer: letsencrypt
-    nginx.ingress.kubernetes.io/proxy-body-size: "16m"
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
-spec:
-  tls:
-    - hosts:
-        - auth.apps.undercloud.dev
-      secretName: authentik-tls
-  rules:
-    - host: auth.apps.undercloud.dev
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: authentik
-                port:
-                  number: 80

authentik/backup.yaml

@@ -0,0 +1,90 @@
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: bookstack-csi-hourly
+  namespace: velero
+spec:
+  schedule: "0 15-22 * * *"
+  useOwnerReferencesInBackup: true
+  template:
+    includedNamespaces: ["bookstack"]
+    ttl: 8h
+    snapshotVolumes: true
+    defaultVolumesToFsBackup: false
+    csiSnapshotTimeout: 10m
+---
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: bookstack-csi-daily
+  namespace: velero
+spec:
+  schedule: "0 0 * * *"
+  useOwnerReferencesInBackup: true
+  template:
+    includedNamespaces: ["bookstack"]
+    ttl: 168h
+    snapshotVolumes: true
+    defaultVolumesToFsBackup: false
+    csiSnapshotTimeout: 10m
+---
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: bookstack-csi-weekly
+  namespace: velero
+spec:
+  schedule: "0 0 * * 1"
+  useOwnerReferencesInBackup: true
+  template:
+    includedNamespaces: ["bookstack"]
+    ttl: 730h
+    snapshotVolumes: true
+    defaultVolumesToFsBackup: false
+    csiSnapshotTimeout: 10m
+---
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: bookstack-daily
+  namespace: velero
+spec:
+  schedule: "30 2 * * *"            # tous les jours 02:30
+  useOwnerReferencesInBackup: true
+  template:
+    includedNamespaces: [bookstack]
+    storageLocation: default
+    ttl: 336h                       # ~14 jours
+    snapshotVolumes: false
+    defaultVolumesToFsBackup: true
+
+---
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: bookstack-weekly
+  namespace: velero
+spec:
+  schedule: "0 3 * * 0"             # chaque dimanche 03:00
+  useOwnerReferencesInBackup: true
+  template:
+    includedNamespaces: [bookstack]
+    storageLocation: default
+    ttl: 1344h                      # ~8 semaines
+    snapshotVolumes: false
+    defaultVolumesToFsBackup: true
+---
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: bookstack-monthly
+  namespace: velero
+spec:
+  schedule: "0 4 1 * *"          # 1er du mois 04:00
+  useOwnerReferencesInBackup: true
+  template:
+    includedNamespaces: [bookstack]
+    storageLocation: default
+    ttl: 8760h                   # ~12 mois
+    snapshotVolumes: false
+    defaultVolumesToFsBackup: true

authentik/ingress.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: authentik
+  namespace: authentik
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/proxy-body-size: "16m"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
+spec:
+  tls:
+    - hosts:
+        - auth.apps.undercloud.dev
+      secretName: authentik-tls
+  rules:
+    - host: auth.apps.undercloud.dev
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: authentik
+                port:
+                  number: 80

authentik/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authentik
+
+---

authentik/secrets.yaml

@@ -0,0 +1,31 @@
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authentik-secrets
+  namespace: authentik
+type: Opaque
+stringData:
+  AUTHENTIK_SECRET_KEY: "replace-with-a-long-random-secret-key"
+  POSTGRES_PASSWORD: "replace-with-postgres-password"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authentik-ldap-secrets
+  namespace: authentik
+type: Opaque
+stringData:
+  LDAP_BIND_DN: "CN=authentik,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local"
+  LDAP_BIND_PASSWORD: "thisismysecureLDAPPWauthentik"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authentik-bootstrap
+  namespace: authentik
+type: Opaque
+stringData:
+  AUTHENTIK_BOOTSTRAP_PASSWORD: "4IsTheMindKiller"
+  AUTHENTIK_BOOTSTRAP_EMAIL: "thrawn235@gmail.com"
+  AUTHENTIK_BOOTSTRAP_TOKEN: "REPLACE_WITH_LONG_RANDOM_TOKENdsg;akhgkl;has;s#$%"