Added authentik

k8s/core/authentik/external-secrets.yaml

@@ -0,0 +1,46 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authentik-creds
+  namespace: authentik
+spec:
+  target:
+    name: authentik-creds
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        AUTHENTIK_HOST: "https://idm.hexor.cy"
+        AUTHENTIK_COOKIE_DOMAIN: "hexor.cy"
+        AUTHENTIK_POSTGRESQL__USER: |-
+          {{ .username }}
+        AUTHENTIK_POSTGRESQL__PASSWORD: |-
+          {{ .password }}
+        AUTHENTIK_SECRET_KEY: |-
+          {{ .secret_key }}
+  data:
+    - secretKey: password
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
+        property: login.password
+    - secretKey: username
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
+        property: login.username
+    - secretKey: secret_key
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
+        property: fields[0].value
+

k8s/core/authentik/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - external-secrets.yaml
+
+helmCharts:
+  - name: authentik
+    repo: https://charts.goauthentik.io
+    version: 2025.2.3
+    releaseName: authentik
+    namespace: authentik
+    valuesFile: values.yaml
+    includeCRDs: true
+

k8s/core/authentik/values.yaml

@@ -0,0 +1,46 @@
+global:
+  nodeSelector:
+    kubernetes.io/hostname: master.tail2fe2d.ts.net
+authentik:
+    error_reporting:
+        enabled: true
+    postgresql:
+        name: "authentik"
+        host: "psql.psql.svc"
+        port: 5432
+worker:
+  envFrom:
+    - secretRef:
+        name: authentik-creds
+server:
+  envFrom:
+    - secretRef:
+        name: authentik-creds
+  image:
+    tag: "2025.2.3"
+  ingress:
+      enabled: true
+      ingressClassName: traefik
+      annotations: 
+        cert-manager.io/cluster-issuer: letsencrypt
+        traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+      hosts:
+        - idm.hexor.cy
+        - nas.hexor.cy      # TrueNAS Limassol
+        - nc.hexor.cy       # NaxtCloud
+        - of.hexor.cy       # Outfleet-v2
+        - master.hexor.cy   # k8s dashboard
+        - qbt.hexor.cy      # qBittorent for Jellyfin
+        - prom.hexor.cy     # Prometheus
+        - ss.hexor.cy       # Syncthing UI
+        - khm.hexor.cy      # Known Hosts keys Manager
+        - backup.hexor.cy   # Kopia Backup UI
+        - fm.hexor.cy       # Filemanager
+        - hexound.hexor.cy  # Hexound
+      tls:
+        - secretName: idm-tls
+          hosts:
+            - '*.hexor.cy'
+redis:
+    enabled: true
+

k8s/state/core/authentik.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: authentik
+  namespace: argocd
+spec:
+  project: homelab
+  destination:
+    namespace: authentik
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+    targetRevision: HEAD
+    path: k8s/core/authentik
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+