install authelia

manifests/prod/addons/argo-cd/kustomization.yaml

@@ -17,3 +17,4 @@ resources:
 patches:
   - path: patches/argocd-cm.yaml
   - path: patches/argocd-cmd-params-cm.yaml
+  - path: patches/argocd-rbac-cm.yaml

manifests/prod/addons/argo-cd/patches/argocd-cm.yaml

@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-cm
-#  namespace: argocd
 data:
   # this allows us to use helmCharts in kustomization.yaml files
   # it's a convenient way to reference remote helm charts
@@ -16,17 +15,19 @@ data:
   timeout.reconciliation: 3m0s
   timeout.hard.reconciliation: 5m0s
 
-# once I've handled SSO, disable the admin user
-#  admin.enabled: false
+  url: https://argocd.prod.adamland.xyz
 
-# Looks like you realistically need a github org to use SSO this way
-# https://dexidp.io/docs/connectors/github/
-#  dex.config: |
-#    connectors:
-#      # GitHub example
-#      - type: github
-#        id: github
-#        name: GitHub
-#        config:
-#          clientID: 2c4e746b39d42c6d2889
-#          clientSecret: $dex.github.clientSecret # Alternatively $<some_K8S_secret>:dex.github.clientSecret
+  dex.config: |
+      connectors:
+      - config:
+          issuer: http://authentik.prod.adamland.xyz/application/o/argocd/
+          clientID: VhCSqSGS9uTPxmTRDJymKwpl1TpQi6NYEPAebG2w
+          clientSecret: $dex.authentik.clientSecret
+          insecureEnableGroups: true
+          scopes:
+            - openid
+            - profile
+            - email
+        name: authentik
+        type: oidc
+        id: authentik

manifests/prod/addons/argo-cd/patches/argocd-rbac-cm.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+data:
+  policy.csv: |
+    g, admins, role:admin

manifests/prod/addons/authentik/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: authentik
+
+resources:
+  - resources/postgres.yaml
+  - resources/configmap.yaml
+
+helmCharts:
+  - name: authentik
+    includeCRDs: true
+    valuesFile: values.yaml
+    releaseName: authentik
+    version: 2023.10.4
+    repo: https://charts.goauthentik.io/

manifests/prod/addons/authentik/resources/configmap.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: authentik-config
+data:
+  # https://goauthentik.io/docs/installation/configuration
+  AUTHENTIK_LOG_LEVEL: 'info'
+  AUTHENTIK_POSTGRESQL__USE_PGBOUNCER: 'false'
+  AUTHENTIK_POSTGRESQL__USE_PGPOOL: 'false'
+  AUTHENTIK_POSTGRESQL__SSLMODE: 'verify-ca'
+  AUTHENTIK_DISABLE_UPDATE_CHECK: 'true'

manifests/prod/addons/authentik/resources/postgres.yaml

@@ -0,0 +1,13 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: pg
+spec:
+  instances: 3
+  primaryUpdateStrategy: unsupervised # automated update of the primary once all replicas have been upgraded
+  bootstrap:
+    initdb:
+      database: authentik
+      owner: authentik
+  storage:
+    size: 5Gi

manifests/prod/addons/authentik/values.yaml

@@ -0,0 +1,74 @@
+authentik:
+  secret_key: "" # we grab this from the environment
+  error_reporting:
+    enabled: false
+
+ingress:
+  enabled: true
+  ingressClassName: nginx
+  hosts:
+    - host: &domain authentik.prod.adamland.xyz
+      paths:
+        - path: "/"
+          pathType: Prefix
+  tls:
+    - secretName: authentik-ui-tls
+      hosts: [*domain]
+
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
+postgresql:
+  enabled: false
+redis:
+  enabled: true
+
+envFrom:
+- configMapRef:
+    name: authentik-config
+- secretRef:
+    name: authentik-secret-key
+envValueFrom:
+  AUTHENTIK_POSTGRESQL__HOST:
+    secretKeyRef:
+      name: pg-app # generated by cnpg's postgres cluster custom resource
+      key: host
+  AUTHENTIK_POSTGRESQL__PORT:
+    secretKeyRef:
+      name: pg-app # generated by cnpg's postgres cluster custom resource
+      key: port
+  AUTHENTIK_POSTGRESQL__NAME:
+    secretKeyRef:
+      name: pg-app # generated by cnpg's postgres cluster custom resource
+      key: dbname
+  AUTHENTIK_POSTGRESQL__USER:
+    secretKeyRef:
+      name: pg-app # generated by cnpg's postgres cluster custom resource
+      key: username
+  AUTHENTIK_POSTGRES__PASSWORD:
+    secretKeyRef:
+      name: pg-app # generated by cnpg's postgres cluster custom resource
+      key: password
+  POSTGRES_PASSWORD:
+    secretKeyRef:
+      name: pg-app # generated by cnpg's postgres cluster custom resource
+      key: password
+
+# Path to x509 client certificate to authenticate to server
+#AUTHENTIK_POSTGRESQL__SSLCERT:
+#AUTHENTIK_POSTGRESQL__SSLKEY:
+
+volumes:
+  - name: root-cert
+    secret:
+      secretName: pg-ca
+      items:
+      - key: ca.crt
+        path: root.crt
+
+volumeMounts:
+  - name: root-cert
+    mountPath: /authentik/.postgresql/
+    readOnly: true

manifests/prod/addons/namespaces/argocd.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: argocd
+  name: authentik

manifests/prod/addons/namespaces/authentik.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: argocd