ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
4c5fdde787461652da8abdec6a38ca10c30ce7be
dezky/infrastructure/production/fleet/authentik/values.yaml
T
Ronni Baslund db1354a151
ci / typecheck (map[dir:apps/booking name:booking]) (push) Failing after 6s
Details
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
Details
ci / test (push) Has been cancelled
Details
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
Details
feat(infra): Authentik blueprints (portal+operator OIDC, dezky brand) 
Mirror the dev Authentik config in prod via blueprints, applied & successful on
node1:
- brand.yaml: dezky branding on the default brand (title + signal-green custom
  CSS) — login page now in dezky colors.
- portal-application.yaml / operator-application.yaml: dezky-portal &
  dezky-operator OIDC apps/providers (prod redirect URLs) + the
  dezky-platform-admins group & operator access policy.

Two 2026.5 gotchas handled + documented in README:
- invalidation_flow is now REQUIRED on OAuth2 providers (added via !Find).
- ConfigMap mounts are symlinks (discovery can't read them) → worker uses an
  initContainer that copies them to an emptyDir as real files. (chart
  worker.volumes didn't apply on this version; patch reverts on helm upgrade —
  noted as a durability TODO.)

Client secrets (PORTAL/OPERATOR_OIDC_CLIENT_SECRET) live in authentik-secret;
the apps must reuse them.
2026-06-08 19:46:48 +02:00

61 lines
1.8 KiB
YAML
Raw Blame History

# Authentik production Helm values — mirrors the dev docker-compose service
# (ghcr.io/goauthentik/server:2025.10), pointed at the in-cluster data tier.
#
# Secrets come from the 'authentik-secret' Secret via global.envFrom (generated
# on-box; see README) — NEVER in this file. Non-secret config only here.
#
# NOTE: chart version is intentionally unpinned at first install (helm-controller
# pulls latest). After it's up, pin the installed chart + image versions here +
# in RUNBOOK.md for reproducibility.
image:
tag: "2026.5.2" # deployed version (latest chart as of 2026-06-08)
global:
# AUTHENTIK_SECRET_KEY, AUTHENTIK_POSTGRESQL__PASSWORD, AUTHENTIK_REDIS__PASSWORD,
# AUTHENTIK_BOOTSTRAP_PASSWORD, AUTHENTIK_BOOTSTRAP_TOKEN
envFrom:
- secretRef:
name: authentik-secret
env:
- name: AUTHENTIK_BOOTSTRAP_EMAIL
value: admin@dezky.eu
- name: AUTHENTIK_DISABLE_UPDATE_CHECK
value: "true"
authentik:
error_reporting:
enabled: false
postgresql:
host: postgres.dezky-data
name: authentik
user: authentik
redis:
host: redis.dezky-data
# Use the in-cluster data tier, not the chart's bundled subcharts.
postgresql:
enabled: false
redis:
enabled: false
server:
ingress:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- auth.dezky.eu
paths:
- "/"
tls:
- hosts:
- auth.dezky.eu
secretName: authentik-tls
# Blueprints (portal + operator OIDC apps + brand) are mounted via a post-install
# initContainer patch on the worker (this chart version ignored worker.volumes),
# copying the authentik-blueprints ConfigMap to an emptyDir as real files at
# /blueprints/custom. See README "Blueprints + branding".
Reference in New Issue View Git Blame Copy Permalink