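---
# Blueprints applied by the authentik worker (mounted read-only at /blueprints).
# Anything non-public is pulled from the worker's environment with !Env so that
# no credential lives in this ConfigMap, which is not a Secret and is readable
# by anyone who can read ConfigMaps in the namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: authentik-blueprints
  namespace: authentik
data:
  10-undercloud-ldap.yaml: |
    version: 1
    metadata:
      name: Undercloud LDAP Source
    entries:
      - model: authentik_sources_ldap.ldapsource
        identifiers:
          slug: ldap
        attrs:
          name: LDAP
          enabled: true
          server_uri: ldaps://dc.undercloud.local
          base_dn: DC=undercloud,DC=local
          # Bind credentials come from the worker's LDAP_BIND_DN /
          # LDAP_BIND_PASSWORD env vars (populated from the
          # authentik-ldap-secrets Secret), never from this file.
          bind_cn: !Env LDAP_BIND_DN
          bind_password: !Env LDAP_BIND_PASSWORD
          # NOTE(review): no peer_certificate is configured, so the LDAPS
          # server certificate has to validate against the container's trust
          # store — confirm against the DC's issuing CA.
          additional_user_dn: ""
          additional_group_dn: ""
          sync_users: true
          sync_groups: true
          # Objects removed from AD are kept in authentik rather than deleted.
          delete_not_found_objects: false
          user_matching_mode: identifier
          object_uniqueness_field: objectSid
          user_object_filter: "(objectClass=person)"
          group_object_filter: "(objectClass=group)"
          group_membership_field: member
          user_membership_attribute: distinguishedName
          lookup_groups_from_user: false
          # Plain LDAPS on the URI above; no STARTTLS upgrade.
          start_tls: false
          sni: false
          user_path_template: goauthentik.io/sources/%(slug)s
          user_property_mappings:
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default Active Directory Mapping: givenName"]]
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default Active Directory Mapping: sAMAccountName"]]
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default Active Directory Mapping: sn"]]
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default Active Directory Mapping: userPrincipalName"]]
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default LDAP Mapping: mail"]]
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default LDAP Mapping: Name"]]
          group_property_mappings:
            - !Find [authentik_sources_ldap.ldapsourcepropertymapping, [name, "authentik default OpenLDAP Mapping: cn"]]
  20-grafana.yaml: |
    version: 1
    metadata:
      name: Grafana OAuth
    entries:
      - id: grafana-provider
        model: authentik_providers_oauth2.oauth2provider
        identifiers:
          name: Provider for Grafana
        attrs:
          name: Provider for Grafana
          client_type: confidential
          client_id: SI9HboFt4LgJWlMkLn1WBaCoB05tzOh4yxx3n1yM
          # The client secret is read from the worker's environment
          # (GRAFANA_OAUTH_CLIENT_SECRET, sourced from a Kubernetes Secret),
          # mirroring how the LDAP bind password is handled above. The worker
          # Deployment must expose that variable for this blueprint to apply.
          # NOTE(review): an earlier revision of this file carried the secret
          # in plaintext; treat it as exposed and rotate it in both authentik
          # and Grafana.
          client_secret: !Env GRAFANA_OAUTH_CLIENT_SECRET
          authorization_flow: !Find [authentik_flows.flow, [slug, "default-provider-authorization-implicit-consent"]]
          invalidation_flow: !Find [authentik_flows.flow, [slug, "default-provider-invalidation-flow"]]
          # Strict matching: only this exact callback URL is accepted.
          redirect_uris:
            - matching_mode: strict
              url: https://grafana.apps.undercloud.dev/login/generic_oauth
          logout_uri: https://grafana.apps.undercloud.dev/logout
          logout_method: backchannel
          issuer_mode: per_provider
          sub_mode: hashed_user_id
          include_claims_in_id_token: true
          # Short-lived codes and access tokens; sessions survive via the
          # 30-day refresh token.
          access_code_validity: minutes=1
          access_token_validity: minutes=5
          refresh_token_threshold: hours=1
          refresh_token_validity: days=30
          property_mappings:
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "openid"]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "profile"]]
            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, "email"]]
      - model: authentik_core.application
        identifiers:
          slug: grafana
        attrs:
          name: Grafana
          slug: grafana
          provider: !KeyOf grafana-provider
          launch_url: https://grafana.apps.undercloud.dev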
---
# Backing volume for the single-replica PostgreSQL Deployment; it is the only
# workload in this file that references the claim.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: postgres-data
  namespace: authentik
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: cephfs-hyper
---
# /data volume shared by the authentik-server and authentik-worker Deployments.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: authentik-media
  namespace: authentik
spec:
  # NOTE(review): two Deployments mount this claim. ReadWriteOnce lets only a
  # single node attach it, so both Pods must be scheduled onto the same node;
  # if cephfs-hyper is CephFS-backed, ReadWriteMany would lift that constraint.
  # Confirm before changing — accessModes are immutable on an existing claim.
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: cephfs-hyper
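---
# Single-replica PostgreSQL for authentik; the server and worker reach it
# through the postgresql Service on 5432.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgresql
  namespace: authentik
spec:
  replicas: 1
  # Recreate instead of the default RollingUpdate: the data volume is a
  # ReadWriteOnce claim, so a replacement Pod cannot attach it while the old
  # one is still running, and two postgres processes must never share a data
  # directory anyway.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: postgresql
  template:
    metadata:
      labels:
        app: postgresql
    spec:
      # NOTE(review): no securityContext is set; the container presumably
      # starts with the image's default user — confirm whether the cluster's
      # Pod Security policy permits that.
      containers:
        - name: postgresql
          image: postgres:16
          imagePullPolicy: IfNotPresent
          env:
            - name: POSTGRES_DB
              value: authentik
            - name: POSTGRES_USER
              value: authentik
            # Never inlined: read from the authentik-secrets Secret, the same
            # key the authentik Pods use for AUTHENTIK_POSTGRESQL__PASSWORD.
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: POSTGRES_PASSWORD
          ports:
            - containerPort: 5432
              name: postgres
          volumeMounts:
            - name: postgres-data
              mountPath: /var/lib/postgresql/data
          # Both probes run pg_isready against the authentik database; liveness
          # starts later and polls less often so a slow start or recovery is
          # not mistaken for a hang.
          readinessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - pg_isready -U authentik -d authentik
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            exec:
              command:
                - /bin/sh
                - -c
                - pg_isready -U authentik -d authentik
            initialDelaySeconds: 30
            periodSeconds: 20
      volumes:
        - name: postgres-data
          persistentVolumeClaim:
            claimName: postgres-data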
---
# Cluster-internal endpoint for the postgresql Deployment; this is the host
# the authentik Pods use as AUTHENTIK_POSTGRESQL__HOST.
apiVersion: v1
kind: Service
metadata:
  name: postgresql
  namespace: authentik
spec:
  selector:
    app: postgresql
  ports:
    - name: postgres
      port: 5432
      targetPort: 5432
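---
# authentik web/API process. It mounts only the media volume; the worker
# Deployment is the one that mounts /blueprints.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-server
  namespace: authentik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authentik-server
  template:
    metadata:
      labels:
        app: authentik-server
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        # fsGroup makes the shared authentik-media volume writable by uid 1000.
        fsGroup: 1000
        # Pod Security "restricted" baseline: refuse to run as root and apply
        # the runtime's default seccomp profile.
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: authentik
          image: ghcr.io/goauthentik/server:2026.2
          imagePullPolicy: IfNotPresent
          args:
            - server
          # Runs as uid 1000 on unprivileged ports (9000/9443/9300), so it
          # needs neither privilege escalation nor any Linux capability.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: AUTHENTIK_SECRET_KEY
            # Database connection: host is the postgresql Service above;
            # the password is the same Secret key the postgres Pod reads.
            - name: AUTHENTIK_POSTGRESQL__HOST
              value: postgresql
            - name: AUTHENTIK_POSTGRESQL__PORT
              value: "5432"
            - name: AUTHENTIK_POSTGRESQL__NAME
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__USER
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: POSTGRES_PASSWORD
            # Keep the deployment from calling home.
            - name: AUTHENTIK_ERROR_REPORTING__ENABLED
              value: "false"
            - name: AUTHENTIK_DISABLE_UPDATE_CHECK
              value: "true"
            - name: AUTHENTIK_DISABLE_STARTUP_ANALYTICS
              value: "true"
          ports:
            - containerPort: 9000
              name: http
            - containerPort: 9443
              name: https
            - containerPort: 9300
              name: metrics
          volumeMounts:
            - name: authentik-media
              mountPath: /data
          # Readiness gates traffic; it tolerates up to 12 consecutive
          # failures (2 minutes at this period) before marking the Pod unready.
          readinessProbe:
            httpGet:
              path: /-/health/ready/
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 20
            periodSeconds: 10
            timeoutSeconds: 10
            failureThreshold: 12
          # Liveness restarts the container after 6 failures (2 minutes); it
          # only starts once the startup probe has succeeded.
          livenessProbe:
            httpGet:
              path: /-/health/live/
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 60
            periodSeconds: 20
            timeoutSeconds: 10
            failureThreshold: 6
          # Startup probe allows up to 30 x 10s = 5 minutes for first boot
          # (migrations run on start) before liveness kicks in.
          startupProbe:
            httpGet:
              path: /-/health/live/
              port: 9000
              scheme: HTTP
            periodSeconds: 10
            timeoutSeconds: 10
            failureThreshold: 30
      volumes:
        - name: authentik-media
          persistentVolumeClaim:
            claimName: authentik-media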
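---
# authentik background worker. It mounts the blueprints ConfigMap read-only
# and carries every env var the blueprints resolve with !Env, so secrets the
# blueprints need are injected here and nowhere else.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authentik-worker
  namespace: authentik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: authentik-worker
  template:
    metadata:
      labels:
        app: authentik-worker
    spec:
      # Same identity as authentik-server: both write to the shared
      # authentik-media volume, so uid/gid and fsGroup must match there.
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: authentik-worker
          image: ghcr.io/goauthentik/server:2026.2
          imagePullPolicy: IfNotPresent
          args:
            - worker
          # No listening ports and no root; nothing here needs capabilities
          # or privilege escalation.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            - name: AUTHENTIK_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: AUTHENTIK_SECRET_KEY
            # Database settings mirror authentik-server exactly.
            - name: AUTHENTIK_POSTGRESQL__HOST
              value: postgresql
            - name: AUTHENTIK_POSTGRESQL__PORT
              value: "5432"
            - name: AUTHENTIK_POSTGRESQL__NAME
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__USER
              value: authentik
            - name: AUTHENTIK_POSTGRESQL__PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-secrets
                  key: POSTGRES_PASSWORD
            # Keep the deployment from calling home.
            - name: AUTHENTIK_ERROR_REPORTING__ENABLED
              value: "false"
            - name: AUTHENTIK_DISABLE_UPDATE_CHECK
              value: "true"
            - name: AUTHENTIK_DISABLE_STARTUP_ANALYTICS
              value: "true"
            # LDAP bind identity consumed by 10-undercloud-ldap.yaml via !Env.
            - name: LDAP_BIND_DN
              valueFrom:
                secretKeyRef:
                  name: authentik-ldap-secrets
                  key: LDAP_BIND_DN
            - name: LDAP_BIND_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-ldap-secrets
                  key: LDAP_BIND_PASSWORD
            # Grafana OAuth client secret consumed by 20-grafana.yaml via !Env.
            # authentik-grafana-oauth is a constructed Secret name: create it
            # out of band, like the other authentik-* Secrets referenced here.
            - name: GRAFANA_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: authentik-grafana-oauth
                  key: GRAFANA_OAUTH_CLIENT_SECRET
            # Initial admin bootstrap; authentik only honours these on the
            # very first start, but they stay sourced from a Secret regardless.
            - name: AUTHENTIK_BOOTSTRAP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: authentik-bootstrap
                  key: AUTHENTIK_BOOTSTRAP_PASSWORD
            - name: AUTHENTIK_BOOTSTRAP_EMAIL
              valueFrom:
                secretKeyRef:
                  name: authentik-bootstrap
                  key: AUTHENTIK_BOOTSTRAP_EMAIL
            - name: AUTHENTIK_BOOTSTRAP_TOKEN
              valueFrom:
                secretKeyRef:
                  name: authentik-bootstrap
                  key: AUTHENTIK_BOOTSTRAP_TOKEN
          volumeMounts:
            - name: authentik-media
              mountPath: /data
            # Blueprints are configuration, never written to by the worker.
            - name: authentik-blueprints
              mountPath: /blueprints
              readOnly: true
      volumes:
        - name: authentik-media
          persistentVolumeClaim:
            claimName: authentik-media
        - name: authentik-blueprints
          configMap:
            name: authentik-blueprints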
---
# Cluster-internal entry point for the authentik server Pod.
# Plain HTTP only (80 -> container port 9000); TLS termination is presumably
# handled by an Ingress or load balancer outside this file — confirm.
apiVersion: v1
kind: Service
metadata:
  name: authentik
  namespace: authentik
spec:
  selector:
    app: authentik-server
  ports:
    - name: http
      port: 80
      targetPort: 9000
---