diff --git a/manifests/prod/addons/argo-cd/kustomization.yaml b/manifests/prod/addons/argo-cd/kustomization.yaml
index 7cb5c5c..8d76d0e 100644
--- a/manifests/prod/addons/argo-cd/kustomization.yaml
+++ b/manifests/prod/addons/argo-cd/kustomization.yaml
@@ -17,3 +17,4 @@ resources:
 patches:
 - path: patches/argocd-cm.yaml
 - path: patches/argocd-cmd-params-cm.yaml
+ - path: patches/argocd-rbac-cm.yaml
diff --git a/manifests/prod/addons/argo-cd/patches/argocd-cm.yaml b/manifests/prod/addons/argo-cd/patches/argocd-cm.yaml
index 7286028..64f9bb2 100644
--- a/manifests/prod/addons/argo-cd/patches/argocd-cm.yaml
+++ b/manifests/prod/addons/argo-cd/patches/argocd-cm.yaml
@@ -2,7 +2,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: argocd-cm
-# namespace: argocd
 data:
 # this allows us to use helmCharts in kustomization.yaml files
 # it's a convenient way to reference remote helm charts
@@ -16,17 +15,19 @@ data:
 timeout.reconciliation: 3m0s
 timeout.hard.reconciliation: 5m0s
-# once I've handled SSO, disable the admin user
-# admin.enabled: false
+
 url: https://argocd.prod.adamland.xyz
-# Looks like you realistically need a github org to use SSO this way
-# https://dexidp.io/docs/connectors/github/
-# dex.config: |
-# connectors:
-# # GitHub example
-# - type: github
-# id: github
-# name: GitHub
-# config:
-# clientID: 2c4e746b39d42c6d2889
-# clientSecret: $dex.github.clientSecret # Alternatively $:dex.github.clientSecret
+ dex.config: |
+ connectors:
+ - config:
+ issuer: http://authentik.prod.adamland.xyz/application/o/argocd/
+ clientID: VhCSqSGS9uTPxmTRDJymKwpl1TpQi6NYEPAebG2w
+ clientSecret: $dex.authentik.clientSecret
+ insecureEnableGroups: true
+ scopes:
+ - openid
+ - profile
+ - email
+ name: authentik
+ type: oidc
+ id: authentik
\ No newline at end of file
diff --git a/manifests/prod/addons/argo-cd/patches/argocd-rbac-cm.yaml b/manifests/prod/addons/argo-cd/patches/argocd-rbac-cm.yaml
new file mode 100644
index 0000000..5345472
--- /dev/null
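Review bot: The new Dex connector's `issuer` is `http://authentik.prod.adamland.xyz/application/o/argocd/`, while the Authentik ingress added in values.yaml terminates TLS and sets `force-ssl-redirect: "true"`, so Dex's discovery request would most likely be redirected and the issuer value it validates would not match the plain-http string; change it to `issuer: https://authentik.prod.adamland.xyz/application/o/argocd/`. The hunk also deletes the reminder `# once I've handled SSO, disable the admin user` without acting on it — now that SSO is wired up, add `admin.enabled: "false"` once an SSO login with admin rights has been confirmed, so the local password login is no longer a second route to admin. `insecureEnableGroups: true` makes Dex forward the provider's group claim as-is, which means membership of Authentik's groups becomes the effective authorization boundary for Argo CD; a one-line comment above it saying so would help the next reader. The patched file also ends without a trailing newline.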
+++ b/manifests/prod/addons/argo-cd/patches/argocd-rbac-cm.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-rbac-cm
+data:
+ policy.csv: |
+ g, admins, role:admin
\ No newline at end of file
diff --git a/manifests/prod/addons/authentik/kustomization.yaml b/manifests/prod/addons/authentik/kustomization.yaml
new file mode 100644
index 0000000..2a1eb2e
--- /dev/null
+++ b/manifests/prod/addons/authentik/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: authentik
+
+resources:
+ - resources/postgres.yaml
+ - resources/configmap.yaml
+
+helmCharts:
+ - name: authentik
+ includeCRDs: true
+ valuesFile: values.yaml
+ releaseName: authentik
+ version: 2023.10.4
+ repo: https://charts.goauthentik.io/
diff --git a/manifests/prod/addons/authentik/resources/configmap.yaml b/manifests/prod/addons/authentik/resources/configmap.yaml
new file mode 100644
index 0000000..c2f9c1f
--- /dev/null
+++ b/manifests/prod/addons/authentik/resources/configmap.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: authentik-config
+data:
+ # https://goauthentik.io/docs/installation/configuration
+ AUTHENTIK_LOG_LEVEL: 'info'
+ AUTHENTIK_POSTGRESQL__USE_PGBOUNCER: 'false'
+ AUTHENTIK_POSTGRESQL__USE_PGPOOL: 'false'
+ AUTHENTIK_POSTGRESQL__SSLMODE: 'verify-ca'
+ AUTHENTIK_DISABLE_UPDATE_CHECK: 'true'
\ No newline at end of file
diff --git a/manifests/prod/addons/authentik/resources/postgres.yaml b/manifests/prod/addons/authentik/resources/postgres.yaml
new file mode 100644
index 0000000..7cdd1c9
--- /dev/null
+++ b/manifests/prod/addons/authentik/resources/postgres.yaml
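Review bot: `policy.csv` binds the `admins` group to `role:admin` but the new argocd-rbac-cm sets no `policy.default`, so SSO users outside that group receive whatever default the running Argo CD version applies; make the fallback explicit with `policy.default: role:readonly` (or `policy.default: ''` to deny by default). The binding only has effect if a groups claim actually reaches Argo CD: the Dex connector in argocd-cm requests only `openid`, `profile` and `email`, and the diff does not show whether Authentik includes group membership in those scopes, so confirm a non-admin and an admin test login before relying on this mapping. Stating `scopes: '[groups]'` in this ConfigMap rather than relying on the default would also document which claim the `g,` line matches against. The file ends without a trailing newline.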
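Review bot: `AUTHENTIK_POSTGRESQL__SSLMODE: 'verify-ca'` validates the server certificate chain against the mounted CNPG CA but does not check the host name, so any certificate issued by that CA is accepted for the connection. If the CNPG server certificate carries the service host name that the `pg-app` secret hands out as `host` (which is the usual CNPG setup, not visible in this diff), `AUTHENTIK_POSTGRESQL__SSLMODE: 'verify-full'` is a drop-in strengthening. The quoted `'false'`/`'true'` values are correct here since ConfigMap data must be strings; a short comment noting that would stop a future yamllint-driven "fix" from turning them into booleans. The file ends without a trailing newline.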
@@ -0,0 +1,13 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: pg
+spec:
+ instances: 3
+ primaryUpdateStrategy: unsupervised # automated update of the primary once all replicas have been upgraded
+ bootstrap:
+ initdb:
+ database: authentik
+ owner: authentik
+ storage:
+ size: 5Gi
\ No newline at end of file
diff --git a/manifests/prod/addons/authentik/values.yaml b/manifests/prod/addons/authentik/values.yaml
new file mode 100644
index 0000000..d15d141
--- /dev/null
+++ b/manifests/prod/addons/authentik/values.yaml
@@ -0,0 +1,74 @@
+authentik:
+ secret_key: "" # we grab this from the environment
+ error_reporting:
+ enabled: false
+
+ingress:
+ enabled: true
+ ingressClassName: nginx
+ hosts:
+ - host: &domain authentik.prod.adamland.xyz
+ paths:
+ - path: "/"
+ pathType: Prefix
+ tls:
+ - secretName: authentik-ui-tls
+ hosts: [*domain]
+
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ nginx.ingress.kubernetes.io/backend-protocol: HTTP
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
+postgresql:
+ enabled: false
+redis:
+ enabled: true
+
+envFrom:
+- configMapRef:
+ name: authentik-config
+- secretRef:
+ name: authentik-secret-key
+envValueFrom:
+ AUTHENTIK_POSTGRESQL__HOST:
+ secretKeyRef:
+ name: pg-app # generated by cnpg's postgres cluster custom resource
+ key: host
+ AUTHENTIK_POSTGRESQL__PORT:
+ secretKeyRef:
+ name: pg-app # generated by cnpg's postgres cluster custom resource
+ key: port
+ AUTHENTIK_POSTGRESQL__NAME:
+ secretKeyRef:
+ name: pg-app # generated by cnpg's postgres cluster custom resource
+ key: dbname
+ AUTHENTIK_POSTGRESQL__USER:
+ secretKeyRef:
+ name: pg-app # generated by cnpg's postgres cluster custom resource
+ key: username
+ AUTHENTIK_POSTGRES__PASSWORD:
+ secretKeyRef:
+ name: pg-app # generated by cnpg's postgres cluster custom resource
+ key: password
+ POSTGRES_PASSWORD:
+ secretKeyRef:
+ name: pg-app # generated by cnpg's postgres cluster custom resource
+ key: password
+
+# Path to x509 client certificate to authenticate to server
+#AUTHENTIK_POSTGRESQL__SSLCERT:
+#AUTHENTIK_POSTGRESQL__SSLKEY:
+
+volumes:
+ - name: root-cert
+ secret:
+ secretName: pg-ca
+ items:
+ - key: ca.crt
+ path: root.crt
+
+volumeMounts:
+ - name: root-cert
+ mountPath: /authentik/.postgresql/
+ readOnly: true
\ No newline at end of file
diff --git a/manifests/prod/addons/namespaces/argocd.yaml b/manifests/prod/addons/namespaces/argocd.yaml
index a040f2b..bb24d8d 100644
--- a/manifests/prod/addons/namespaces/argocd.yaml
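Review bot: `AUTHENTIK_POSTGRES__PASSWORD` under `envValueFrom` does not follow the `AUTHENTIK_POSTGRESQL__` prefix used by the sibling `HOST`/`PORT`/`NAME`/`USER` entries, so Authentik is unlikely to read it as the database password, and the extra `POSTGRES_PASSWORD` entry below it looks like a workaround for exactly that. Rename it to `AUTHENTIK_POSTGRESQL__PASSWORD:` and drop `POSTGRES_PASSWORD` once the database connection is confirmed, so the credential is exposed to the container under one name only. `secret_key: ""` with `# we grab this from the environment` relies on the `authentik-secret-key` Secret referenced under `envFrom`, which this commit does not create — presumably it is provisioned out of band; extend the comment to say where that Secret comes from, since an empty secret_key would otherwise silently weaken session signing. The file ends without a trailing newline.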
+++ b/manifests/prod/addons/namespaces/argocd.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: argocd
+ name: authentik
diff --git a/manifests/prod/addons/namespaces/authentik.yaml b/manifests/prod/addons/namespaces/authentik.yaml
new file mode 100644
index 0000000..a040f2b
--- /dev/null
+++ b/manifests/prod/addons/namespaces/authentik.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: argocd
diff --git a/manifests/prod/apps/postgres/kustomization.yaml b/manifests/prod/apps/postgres/kustomization.yaml
deleted file mode 100644
index f444c69..0000000
--- a/manifests/prod/apps/postgres/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: postgres
-
-resources:
- - resources/postgres-cluster.yaml
\ No newline at end of file
diff --git a/manifests/prod/apps/postgres/resources/authelia.yaml b/manifests/prod/apps/postgres/resources/authelia.yaml
deleted file mode 100644
index 6c36efa..0000000
--- a/manifests/prod/apps/postgres/resources/authelia.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
- name: authelia
-spec:
- instances: 3
- # unsupervised: automated update of the primary once all replicas have been upgraded
- primaryUpdateStrategy: unsupervised
-
- storage:
- size: 5Gi
\ No newline at end of file
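Review bot: The namespace names are swapped between files: `manifests/prod/addons/namespaces/argocd.yaml` now declares `name: authentik`, and the new `authentik.yaml` in the next hunk declares `name: argocd`. Both namespaces still get created as long as both files are applied, but anyone editing, deleting or scoping RBAC by the file name will act on the wrong namespace; swap the two values so argocd.yaml keeps `name: argocd` and authentik.yaml gets `name: authentik`. The new file's index line (`0000000..a040f2b`) matches the old argocd.yaml blob, which suggests the rename landed the edit in the wrong copy.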