feat(infra): deploy Authentik (auth.dezky.eu) + global HTTP→HTTPS redirect

- Authentik on the in-cluster Postgres/Redis (mirrors the dev compose config: external DB/Redis, error-reporting off, update-check off, bootstrap admin), via the k3s Helm controller; Ingress + cert-manager letsencrypt-prod. Live at https://auth.dezky.eu (image 2026.5.2). Secrets generated on-box (Bitwarden). - Traefik HelmChartConfig: global :80 -> :443 (308) redirect via additionalArguments (to=:443, HTTP-01-safe). - RUNBOOK updated. Deferred (mirror remaining dev bits): OIDC app blueprints (portal/operator with prod URLs) + the cosmetic "Powered by Dezky" rebrand.
2026-06-08 19:00:07 +02:00
parent 153d7053ca
commit 406e2ca78b
6 changed files with 231 additions and 2 deletions
@@ -0,0 +1,55 @@
+# Authentik via the k3s Helm controller. valuesContent mirrors values.yaml
+# (keep them in sync). Version intentionally unpinned for the first install —
+# PIN the resolved chart version here once it's up (see RUNBOOK.md).
+#
+# The 'authentik-secret' Secret must exist in dezky-auth BEFORE this (it carries
+# AUTHENTIK_SECRET_KEY + the DB/Redis/bootstrap creds via global.envFrom).
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: authentik
+  namespace: kube-system
+spec:
+  repo: https://charts.goauthentik.io
+  chart: authentik
+  targetNamespace: dezky-auth
+  createNamespace: true
+  valuesContent: |-
+    image:
+      tag: "2026.5.2"
+    global:
+      envFrom:
+        - secretRef:
+            name: authentik-secret
+      env:
+        - name: AUTHENTIK_BOOTSTRAP_EMAIL
+          value: admin@dezky.eu
+        - name: AUTHENTIK_DISABLE_UPDATE_CHECK
+          value: "true"
+    authentik:
+      error_reporting:
+        enabled: false
+      postgresql:
+        host: postgres.dezky-data
+        name: authentik
+        user: authentik
+      redis:
+        host: redis.dezky-data
+    postgresql:
+      enabled: false
+    redis:
+      enabled: false
+    server:
+      ingress:
+        enabled: true
+        ingressClassName: traefik
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-prod
+        hosts:
+          - auth.dezky.eu
+        paths:
+          - "/"
+        tls:
+          - hosts:
+              - auth.dezky.eu
+            secretName: authentik-tls