ronnibaslund/dezky
1
0
Fork 0
Code Issues 37 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
b953be5fa21d900d8214c07aa65c4c072241e4d3
dezky/infrastructure/production/fleet/authentik/helmchart.yaml
T
Ronni Baslund db1354a151
ci / typecheck (map[dir:apps/booking name:booking]) (push) Failing after 6s
Details
ci / typecheck (map[dir:apps/portal name:portal]) (push) Has been cancelled
Details
ci / typecheck (map[dir:apps/website name:website]) (push) Has been cancelled
Details
ci / test (push) Has been cancelled
Details
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
Details
feat(infra): Authentik blueprints (portal+operator OIDC, dezky brand) 
Mirror the dev Authentik config in prod via blueprints, applied & successful on
node1:
- brand.yaml: dezky branding on the default brand (title + signal-green custom
  CSS) — login page now in dezky colors.
- portal-application.yaml / operator-application.yaml: dezky-portal &
  dezky-operator OIDC apps/providers (prod redirect URLs) + the
  dezky-platform-admins group & operator access policy.

Two 2026.5 gotchas handled + documented in README:
- invalidation_flow is now REQUIRED on OAuth2 providers (added via !Find).
- ConfigMap mounts are symlinks (discovery can't read them) → worker uses an
  initContainer that copies them to an emptyDir as real files. (chart
  worker.volumes didn't apply on this version; patch reverts on helm upgrade —
  noted as a durability TODO.)

Client secrets (PORTAL/OPERATOR_OIDC_CLIENT_SECRET) live in authentik-secret;
the apps must reuse them.
2026-06-08 19:46:48 +02:00

61 lines
1.9 KiB
YAML
Raw Blame History

# Authentik via the k3s Helm controller. valuesContent mirrors values.yaml
# (keep them in sync). Version intentionally unpinned for the first install —
# PIN the resolved chart version here once it's up (see RUNBOOK.md).
#
# The 'authentik-secret' Secret must exist in dezky-auth BEFORE this (it carries
# AUTHENTIK_SECRET_KEY + the DB/Redis/bootstrap creds via global.envFrom).
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: authentik
namespace: kube-system
spec:
repo: https://charts.goauthentik.io
chart: authentik
targetNamespace: dezky-auth
createNamespace: true
valuesContent: |-
image:
tag: "2026.5.2"
global:
envFrom:
- secretRef:
name: authentik-secret
env:
- name: AUTHENTIK_BOOTSTRAP_EMAIL
value: admin@dezky.eu
- name: AUTHENTIK_DISABLE_UPDATE_CHECK
value: "true"
authentik:
error_reporting:
enabled: false
postgresql:
host: postgres.dezky-data
name: authentik
user: authentik
redis:
host: redis.dezky-data
postgresql:
enabled: false
redis:
enabled: false
server:
ingress:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- auth.dezky.eu
paths:
- "/"
tls:
- hosts:
- auth.dezky.eu
secretName: authentik-tls
# NOTE: blueprints are mounted via a post-install initContainer patch on the
# worker Deployment (this chart version ignored worker.volumes here) — it
# copies the 'authentik-blueprints' ConfigMap into an emptyDir as real files
# at /blueprints/custom. See README "Blueprints + branding". Client secrets
# come from authentik-secret (PORTAL_OIDC_CLIENT_SECRET / OPERATOR_OIDC_CLIENT_SECRET).
Reference in New Issue View Git Blame Copy Permalink