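---
# Custom authentik blueprints, applied by the worker at startup.
# The worker mounts this ConfigMap at /blueprints/custom rather than at
# /blueprints: mounting over /blueprints would hide the image's built-in
# blueprints (default flows, bootstrap), and the Grafana blueprint below
# !Find's those default flows.
apiVersion: v1
kind: ConfigMap
metadata:
  name: authentik-blueprints
  namespace: authentik
data:
  # Active Directory source. Bind DN and password are resolved from the
  # worker's environment (!Env), so no credential is stored in this ConfigMap.
  10-undercloud-ldap.yaml: |
    version: 1
    metadata:
      name: Undercloud LDAP Source
    entries:
      - model: authentik_sources_ldap.ldapsource
        identifiers:
          slug: ldap
        attrs:
          name: LDAP
          enabled: true
          server_uri: ldaps://dc.undercloud.local
          base_dn: DC=undercloud,DC=local
          bind_cn: !Env LDAP_BIND_DN
          bind_password: !Env LDAP_BIND_PASSWORD
          additional_user_dn: ""
          additional_group_dn: ""
          sync_users: true
          sync_groups: true
          delete_not_found_objects: false
          user_matching_mode: identifier
          object_uniqueness_field: objectSid
          user_object_filter: "(objectClass=person)"
          group_object_filter: "(objectClass=group)"
          group_membership_field: member
          user_membership_attribute: distinguishedName
          lookup_groups_from_user: false
          start_tls: false
          sni: false
          user_path_template: goauthentik.io/sources/%(slug)s
          user_property_mappings:
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default Active Directory Mapping: givenName"]]
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default Active Directory Mapping: sAMAccountName"]]
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default Active Directory Mapping: sn"]]
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default Active Directory Mapping: userPrincipalName"]]
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default LDAP Mapping: mail"]]
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default LDAP Mapping: Name"]]
          group_property_mappings:
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default OpenLDAP Mapping: cn"]]
  # Grafana OAuth2 provider and application. The client secret is no longer
  # written here in plaintext (a ConfigMap is neither encrypted nor
  # access-restricted like a Secret); it is read from the worker's
  # environment via !Env, same pattern as the LDAP bind credentials.
  20-grafana.yaml: |
    version: 1
    metadata:
      name: Grafana OAuth
    entries:
      - id: grafana-provider
        model: authentik_providers_oauth2.oauth2provider
        identifiers:
          name: Provider for Grafana
        attrs:
          name: Provider for Grafana
          client_type: confidential
          client_id: SI9HboFt4LgJWlMkLn1WBaCoB05tzOh4yxx3n1yM
          # GRAFANA_CLIENT_SECRET is injected by the authentik-worker
          # Deployment from the authentik-secrets Secret; Grafana must be
          # configured with the same value.
          client_secret: !Env GRAFANA_CLIENT_SECRET
          authorization_flow: !Find [authentik_flows.flow, [slug, "default-provider-authorization-implicit-consent"]]
          invalidation_flow: !Find [authentik_flows.flow, [slug, "default-provider-invalidation-flow"]]
          redirect_uris:
            - matching_mode: strict
              url: https://grafana.apps.undercloud.dev/login/generic_oauth
          logout_uri: https://grafana.apps.undercloud.dev/logout
          logout_method: backchannel
          issuer_mode: per_provider
          sub_mode: hashed_user_id
          include_claims_in_id_token: true
          access_code_validity: minutes=1
          access_token_validity: minutes=5
          refresh_token_threshold: hours=1
          refresh_token_validity: days=30
          property_mappings:
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "openid"]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "profile"]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
      - model: authentik_core.application
        identifiers:
          slug: grafana
        attrs:
          name: Grafana
          slug: grafana
          provider: !KeyOf grafana-provider
          launch_url: https://grafana.apps.undercloud.dev
---
# PostgreSQL data directory.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: postgres-data
  namespace: authentik
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: cephfs-hyper
---
# Media volume, mounted at /data by both the server and the worker.
# NOTE(review): ReadWriteOnce only permits that sharing while both pods are
# scheduled onto the same node; if cephfs-hyper is CephFS-backed, ReadWriteMany
# would remove that co-scheduling constraint — confirm with the storage class.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: authentik-media
  namespace: authentik
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: cephfs-hyper
---
# Single-replica PostgreSQL backing authentik. Credentials come from the
# authentik-secrets Secret (not defined in this file).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgresql
  namespace: authentik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: postgresql
  template:
    metadata:
      labels:
        app: postgresql
    spec:
      containers:
        - name: postgresql
          image: postgres:16
          imagePullPolicy: IfNotPresent
          env:
            - name: POSTGRES_DB
              value: authentik
            - name: POSTGRES_USER
              value: authentik
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: POSTGRES_PASSWORD
          ports:
            - containerPort: 5432
              name: postgres
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - pg_isready -U authentik -d authentik
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - pg_isready -U authentik -d authentik
            initialDelaySeconds: 30
            periodSeconds: 20
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: postgres-data
---
# Cluster-internal endpoint used by AUTHENTIK_POSTGRESQL__HOST below.
apiVersion: v1
kind: Service
metadata:
  name: postgresql
  namespace: authentik
spec:
  selector:
    app: postgresql
  ports:
    - name: postgres
      port: 5432
      targetPort: 5432
---
# authentik web/API server. Update checks, analytics and error reporting are
# disabled so the pod makes no outbound calls to the vendor.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-server
  namespace: authentik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authentik-server
  template:
    metadata:
      labels:
        app: authentik-server
    spec:
      # Same UID/GID/fsGroup as the worker so files on the shared
      # authentik-media PVC are writable by both.
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: authentik
          image: ghcr.io/goauthentik/server:2026.2
          imagePullPolicy: IfNotPresent
          args:
            - server
          env:
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: AUTHENTIK_SECRET_KEY
            - name: AUTHENTIK_POSTGRESQL__HOST
              value: postgresql
            - name: AUTHENTIK_POSTGRESQL__PORT
              value: "5432"
            - name: AUTHENTIK_POSTGRESQL__NAME
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__USER
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: POSTGRES_PASSWORD
            - name: AUTHENTIK_ERROR_REPORTING__ENABLED
              value: "false"
            - name: AUTHENTIK_DISABLE_UPDATE_CHECK
              value: "true"
            - name: AUTHENTIK_DISABLE_STARTUP_ANALYTICS
              value: "true"
          ports:
            - containerPort: 9000
              name: http
            - containerPort: 9443
              name: https
            - containerPort: 9300
              name: metrics
          volumeMounts:
            - name: authentik-media
              mountPath: /data
          readinessProbe:
            httpGet:
              path: /-/health/ready/
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 20
            periodSeconds: 10
            timeoutSeconds: 10
            failureThreshold: 12
          livenessProbe:
            httpGet:
              path: /-/health/live/
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 20
            timeoutSeconds: 10
            failureThreshold: 6
          # Allows up to 300s (30 x 10s) for migrations before liveness applies.
          startupProbe:
            httpGet:
              path: /-/health/live/
              port: 9000
              scheme: HTTP
            periodSeconds: 10
            timeoutSeconds: 10
            failureThreshold: 30
      volumes:
        - name: authentik-media
          persistentVolumeClaim:
            claimName: authentik-media
---
# authentik background worker: runs tasks, LDAP sync, and blueprint
# discovery/apply. Secrets referenced by !Env in the blueprints above and the
# bootstrap credentials are therefore only injected here, not into the server.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-worker
  namespace: authentik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authentik-worker
  template:
    metadata:
      labels:
        app: authentik-worker
    spec:
      # Matches the server's securityContext: both mount the authentik-media
      # PVC at /data, so a differing UID/fsGroup would make files written by
      # one pod unreadable or unwritable by the other.
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: authentik-worker
          image: ghcr.io/goauthentik/server:2026.2
          imagePullPolicy: IfNotPresent
          args:
            - worker
          env:
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: AUTHENTIK_SECRET_KEY
            - name: AUTHENTIK_POSTGRESQL__HOST
              value: postgresql
            - name: AUTHENTIK_POSTGRESQL__PORT
              value: "5432"
            - name: AUTHENTIK_POSTGRESQL__NAME
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__USER
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: POSTGRES_PASSWORD
            - name: AUTHENTIK_ERROR_REPORTING__ENABLED
              value: "false"
            - name: AUTHENTIK_DISABLE_UPDATE_CHECK
              value: "true"
            - name: AUTHENTIK_DISABLE_STARTUP_ANALYTICS
              value: "true"
            # Consumed by !Env in 10-undercloud-ldap.yaml.
            - name: LDAP_BIND_DN
              valueFrom:
                secretKeyRef:
                  name: authentik-ldap-secrets
                  key: LDAP_BIND_DN
            - name: LDAP_BIND_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-ldap-secrets
                  key: LDAP_BIND_PASSWORD
            # Consumed by !Env in 20-grafana.yaml. GRAFANA_CLIENT_SECRET is a
            # new key that must be added to the authentik-secrets Secret (the
            # Secret itself is not defined in this file).
            - name: GRAFANA_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: GRAFANA_CLIENT_SECRET
            - name: AUTHENTIK_BOOTSTRAP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-bootstrap
                  key: AUTHENTIK_BOOTSTRAP_PASSWORD
            - name: AUTHENTIK_BOOTSTRAP_EMAIL
              valueFrom:
                secretKeyRef:
                  name: authentik-bootstrap
                  key: AUTHENTIK_BOOTSTRAP_EMAIL
            - name: AUTHENTIK_BOOTSTRAP_TOKEN
              valueFrom:
                secretKeyRef:
                  name: authentik-bootstrap
                  key: AUTHENTIK_BOOTSTRAP_TOKEN
          volumeMounts:
            - name: authentik-media
              mountPath: /data
            # Mounted in a subdirectory so the image's built-in blueprints in
            # /blueprints stay visible; discovery walks /blueprints recursively.
            - name: authentik-blueprints
              mountPath: /blueprints/custom
              readOnly: true
      volumes:
        - name: authentik-media
          persistentVolumeClaim:
            claimName: authentik-media
        - name: authentik-blueprints
          configMap:
            name: authentik-blueprints
---
# Plain-HTTP service for the server; TLS is expected to be terminated by
# whatever fronts this Service (not defined in this file).
apiVersion: v1
kind: Service
metadata:
  name: authentik
  namespace: authentik
spec:
  selector:
    app: authentik-server
  ports:
    - name: http
      port: 80
      targetPort: 9000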