Add authentik application and PostgreSQL cluster configuration

2025-05-10 17:05:49 +02:00 · 2025-05-10 17:05:49 +02:00 · 63c9043cf8
commit 63c9043cf8
parent d1d3c1fb4d
1 changed files with 124 additions and 0 deletions
--- a/applications/templates/authentik.yaml
+++ b/applications/templates/authentik.yaml
@ -0,0 +1,124 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: authentik
+  namespace: argocd
+spec:
+  destination:
+    namespace: authentik
+    server: {{ .Values.spec.destination.server }}
+  project: default
+  syncPolicy:
+    automated:
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  source:
+    chart: authentik
+    repoURL: https://charts.goauthentik.io
+    targetRevision: 2025.4.0
+    helm:
+      valuesObject:
+        global:
+          priorityClassName: homelab-critical
+          env:
+          - name: AUTHENTIK_DATABASE__HOST
+            valueFrom:
+              secretKeyRef:
+                name: postgres-authentik-app
+                key: host
+          - name: AUTHENTIK_POSTGRESQL__NAME
+            valueFrom:
+              secretKeyRef:
+                name: postgres-authentik-app
+                key: dbname
+          - name: AUTHENTIK_POSTGRESQL__PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: postgres-authentik-app
+                key: password
+          - name: AUTHENTIK_POSTGRESQL__USER
+            valueFrom:
+              secretKeyRef:
+                name: postgres-authentik-app
+                key: username
+        authentik:
+          secret_key: bGd7nChCpPQmypR64rgF
+        server:
+          metrics:
+            enabled: true
+            serviceMonitor:
+              enabled: true
+          ingress:
+            ingressClassName: traefik
+            enabled: true
+            hosts:
+              - authentik.noxxos.nl
+            annotations:
+              traefik.ingress.kubernetes.io/router.entrypoints: web
+        postgresql:
+          enabled: false
+        redis:
+          enabled: true
+        prometheus:
+          rules:
+            enabled: true
+---
+
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+  name: postgres-authentik-backup
+  namespace: authentik
+spec:
+  bucketName: postgres-authentik-backup
+  storageClassName: rgw-bulk
+  additionalConfig:
+    maxSize: "10G"
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: pg-authentik-cluster
+  namespace: authentik
+spec:
+  instances: 2
+  priorityClassName: homelab-critical
+  resources:
+    requests:
+      memory: 128Mi
+      cpu: 100m
+    limits:
+      memory: 1Gi
+      cpu: '1'
+  postgresql:
+    parameters:
+      max_connections: "200"
+      shared_buffers: "32MB"
+      effective_cache_size: "96MB"
+      maintenance_work_mem: "8MB"
+      wal_buffers: "2MB"
+      random_page_cost: "1.1"
+      effective_io_concurrency: "300"
+      work_mem: "1MB"
+  monitoring:
+    enablePodMonitor: true
+  storage:
+    size: 1Gi
+    storageClass: local-path
+  backup:
+    barmanObjectStore:
+      endpointURL: http://rook-ceph-rgw-rgw-bulk.ceph.svc:80
+      destinationPath: s3://postgres-authentik-backup/
+      s3Credentials:
+        accessKeyId:
+          name: postgres-authentik-backup
+          key: AWS_ACCESS_KEY_ID
+        secretAccessKey:
+          name: postgres-authentik-backup
+          key: AWS_SECRET_ACCESS_KEY
+      data:
+        compression: bzip2
+      wal:
+        compression: bzip2
+    retentionPolicy: "60d"